Solved

VPN with 2 Networks with the same IP address range.

Posted on 2009-12-31
Last Modified: 2012-05-08
Is there a way to have a VPN between two networks that have the same IP address scheme?
Example
Network A is 192.168.1.x and Network B is 192.168.1.x

We have a SONICWALL TZ170 3.X Enhanced on one end and a Fortigate 50B on the other end.
Question by:RickEpnet
11 Comments
 
LVL 4

Expert Comment

by:imadimad
ID: 26156720
Hi
I can think of only one way to do that which is segmenting the network.
0
 
LVL 14

Author Comment

by:RickEpnet
ID: 26156724
What do you mean or how do you do that?
0
 
LVL 4

Expert Comment

by:imadimad
ID: 26156743
You do that via subnetting, so the subnet will be 255.255.255.168; this will give you two networks. For more details see:

CIDR notation  Network Mask     Available Networks  Available Hosts per network  Total usable hosts
/24            255.255.255.0    1                   254                          254
/25            255.255.255.128  2                   126                          252
/26            255.255.255.192  4                   62                           248
/27            255.255.255.224  8                   30                           240
/28            255.255.255.240  16                  14                           224
/29            255.255.255.248  32                  6                            192
/30            255.255.255.252  64                  2                            128
/31            255.255.255.254  128                 2 *                          256
For more details see http://en.wikipedia.org/wiki/Subnetwork
Also, there is a lot of information on the internet.
0
 
LVL 32

Expert Comment

by:nappy_d
ID: 26157867
Well, you will have one problem with doing this. What happens when two devices on either subnet have the same IP address but a different mask? Which way should traffic then be routed?

I am not sure how many devices you have on either network, but this will pose a problem if duplicate IPs appear with different subnets.

The bottom line would be to change either network's IP range.
0
 
LVL 18

Accepted Solution

by:
decoleur earned 2000 total points
ID: 26158025
Actually, this is done all of the time when two companies need to communicate but share the same IP space. The trick is to use NAT to translate the hosts of interest on the other network to a unique IP space to distinguish local traffic from traffic that needs to be routed to another network.

Here is an example of doing this with Cisco routers http://tools.cisco.com/search/display?url=http%3A%2F%2Fwww.cisco.com%2Fen%2FUS%2Ftech%2Ftk648%2Ftk361%2Ftechnologies_configuration_example09186a0080093f30.shtml&pos=1&strqueryid=&websessionid=BPqn2e5BiUXlx1rIm1VfNg0 and firewalls https://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html#wp1043610. Most of them have feature parity, so I am pretty sure that you will be able to find a solution for this.

hope this helps,

-t
0
 
LVL 21

Expert Comment

by:Rick_O_Shay
ID: 26158674
You could use something like L2TPv3 over IPSEC or GRE over IPSEC if either is supported by both VPN routers.
0
 
LVL 18

Expert Comment

by:deimark
ID: 26161933
Double nat seems to be a popular choice. There have been quite a few questions about that topic on EE so have another look for the specific vendor you need.

Personally, I have done this on Check Point, and the theory applies to most vendors.

HTH
0
 
LVL 6

Expert Comment

by:theonlyallan
ID: 26163582
Yes, it's possible by subnetting. If you do that, what happens when your network grows? It's not recommended nor best practice to use the same IP scheme in both locations.

I would recommend: 192.168.1.0/24 at location#1, and 192.168.2.0/24 at location#2
0
 
LVL 14

Author Comment

by:RickEpnet
ID: 26163721
theonlyallan, yes, that is exactly what I would have done if I could have. That was not an option.
0
 
LVL 18

Expert Comment

by:deimark
ID: 26165414
Try double nat.

As per decoleur above, NAT each "home" net behind another unique network when talking to the other "home" net.

example

If you have 2 nets of 192.168.1.0/24 at each remote site and you want to have a VPN between them, you will need to change the address of both remote nets to make sure there are no routing or VPN issues.

The theory is that you create 2 new nets, 1 for each site, and then NAT the traffic destined for the other remote site BEHIND the new unique net. You can do this at each end and thus have unique addresses at each end to bring up the VPN.

So we have site 1 and site 2

Both sites have the remote net of 192.168.1.0/24
Site 1 will have a nat network of 10.1.1.0/24 and site 2 will have a nat network 10.2.2.0/24

When site 1 wants to talk to the remote net on site 2, it will NAT its own network behind 10.1.1.0/24 and have the destination address of 10.2.2.0/24. And vice versa.

As long as you have the full network natted or just a single address to nat behind, it will work.

I would love to be more specific with examples, but I am not at work at the moment and the juniper KB seems to be down hehe.

HTH
0
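The double-NAT scheme described in the comment above, traced in Python as an added example (not part of the original thread and not any vendor's configuration). The ranges 192.168.1.0/24, 10.1.1.0/24 and 10.2.2.0/24 come from the post; the host address .10, the function names and the host-bit-preserving 1:1 mapping are assumptions made for illustration.

```python
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")   # real range at both sites (from the thread)
NAT_POOL = {                                   # unique range each site is presented as
    "site1": ipaddress.ip_network("10.1.1.0/24"),
    "site2": ipaddress.ip_network("10.2.2.0/24"),
}

def check_plan(lan, pools):
    """Reject a plan whose ranges collide or cannot map hosts 1:1."""
    nets = [lan, *pools.values()]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"{a} overlaps {b}")
    if any(p.prefixlen != lan.prefixlen for p in pools.values()):
        raise ValueError("1:1 NAT needs pools the same size as the LAN")
    return True

def remap(addr, src_net, dst_net):
    """Static 1:1 translation: keep the host bits, swap the network prefix."""
    addr = ipaddress.ip_address(addr)
    if addr not in src_net:
        raise ValueError(f"{addr} is not in {src_net}")
    offset = int(addr) - int(src_net.network_address)
    return str(dst_net.network_address + offset)

def send(packet, origin, peer):
    """Return (src, dst) as seen on the origin LAN, in the tunnel, and on the peer LAN."""
    src, dst = packet
    # Origin gateway: source NAT the real LAN address into the origin's unique pool.
    in_tunnel = (remap(src, LAN, NAT_POOL[origin]), dst)
    # Peer gateway: destination NAT from its pool address back to the real LAN address.
    delivered = (in_tunnel[0], remap(dst, NAT_POOL[peer], LAN))
    return [packet, in_tunnel, delivered]

def demo():
    check_plan(LAN, NAT_POOL)
    # Constructed case: both hosts are really 192.168.1.10 on their own LANs.
    request = send(("192.168.1.10", "10.2.2.10"), "site1", "site2")
    # The site 2 host answers the source address it saw on the delivered packet.
    reply = send(("192.168.1.10", request[2][0]), "site2", "site1")
    return request, reply

if __name__ == "__main__":
    for hop in demo():
        print(hop)
```

Inside the tunnel the two hosts appear as 10.1.1.10 and 10.2.2.10, so the VPN selectors and routes on both gateways only ever reference the unique ranges, and firewall rules and logs for cross-site traffic need to be written against those translated addresses.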
 
LVL 18

Expert Comment

by:deimark
ID: 26165418
Aha, found it at last

http://kb.juniper.net/KB5346

Has more info bud
0
