Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 320
  • Last Modified:

site-to-site VPN IP addressing

This should be a straightforward question, but I have seen differing answers, so I though I'd ask the experts!

I have two sites which I will join with a VPN between the routers.  That is, the routers will connect to the internet (DSL on one, FIOS on the other) and programming in the routers (same make and model) will allow communications between them with no special programming on the workstations.

My question has to do with proper IP addressing at the two locations.

One suggestion I have received is that both locations must be on the same subnet.  For example, both must be 192.168.1.0/24 subnets.  This doesn't seem correct to me for one reason as follows.

Suppose I am at Site 1 and my IP address is 192.168.1.100 and I want to retrieve files from the server at Site 2 whose address is 192.168.1.250.  Since my computer will determine that this is on the local LAN, it will address the packet directly to the .1.250 computer and not to the Default Gateway.  Unless the router monitors all traffic (would an intervening switch know enough to send the packet to it?) and forwards what is appropriate, it seems to me that the packet would never traverse the VPN.

On the other hand, if Site 1 is a 192.168.1.0/24 network and Site 2 is a 192.168.2.0/24 network, the problem should be resolved.  When I want to retrieve files from the 192.168.2.250 computer, my computer will recognize that this is not on the LAN and will encapsulate the packet and send it to the Default Gateway (the router at 192.168.1.1), which will recognize the .2.250 address as being at the other end of the VPN, and appropriately forward it along.

Is my logic correct?  More importantly, should I use different IP networks at either end as I presume is correct?
0
CompProbSolv
Asked:
CompProbSolv
  • 2
  • 2
1 Solution
 
rob_AXSNLCommented:
You must use different subnets, because the traffic must go via the default gateway, which is the VPN appliance.
No other solution is possible. It is routed traffic...
0
 
CompProbSolvAuthor Commented:
Thank you for the quick response.  The "same subnet" suggestion I got elsewhere just didn't make sense, but I wanted to be sure before I went through the effort to set it up.

I hope to have it running today!
0
 
rawinnlnx9Commented:
Location1: 192.168.0.X (where x > 0 < 255)
Location2: 192.168.1.X (where x > 0 < 255)


There is no way to do this with both on the same subnet. If there is a way then it's tedious, requires port-forwarding and NAT translations that must be very complicated.
0
 
rob_AXSNLCommented:
Your router is the only one that knows where to find the other subnet or next hop. This is the idea behind the osi layer 3 (IP). TCP is osi layer 4, which builds the logical end to end connection over the IP hops. Therefore if you want to use the correct infrastructure, you need to route via a default gateway or static route (which would be your router if you don't have a default gateway).
0
 
CompProbSolvAuthor Commented:
Thanks for the confirmation.  Got it installed and all went well.
0

Featured Post

Get your problem seen by more experts

Be seen. Boost your question’s priority for more expert views and faster solutions

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now