site-to-site VPN IP addressing
Posted on 2011-02-17
This should be a straightforward question, but I have seen differing answers, so I thought I'd ask the experts!
I have two sites which I will join with a VPN between the routers. That is, the routers will connect to the internet (DSL on one, FIOS on the other) and programming in the routers (same make and model) will allow communications between them with no special programming on the workstations.
My question has to do with proper IP addressing at the two locations.
One suggestion I have received is that both locations must be on the same subnet. For example, both must be 192.168.1.0/24 subnets. This doesn't seem correct to me for one reason as follows.
Suppose I am at Site 1 and my IP address is 192.168.1.100 and I want to retrieve files from the server at Site 2 whose address is 192.168.1.250. Since my computer will determine that this is on the local LAN, it will address the packet directly to the .1.250 computer and not to the Default Gateway. Unless the router monitors all traffic (would an intervening switch know enough to send the packet to it?) and forwards what is appropriate, it seems to me that the packet would never traverse the VPN.
On the other hand, if Site 1 is a 192.168.1.0/24 network and Site 2 is a 192.168.2.0/24 network, the problem should be resolved. When I want to retrieve files from the 192.168.2.250 computer, my computer will recognize that this is not on the LAN and will encapsulate the packet and send it to the Default Gateway (the router at 192.168.1.1), which will recognize the .2.250 address as being at the other end of the VPN, and appropriately forward it along.
Is my logic correct? More importantly, should I use different IP networks at either end as I presume is correct?
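To make the host-versus-gateway decision described in the question concrete, here is an added example (not part of the original post) that models the longest-prefix-match lookup a workstation and then its VPN router perform. The route tables, the tunnel name "vpn" and the ISP gateway 203.0.113.1 are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed model of IP forwarding decisions; not from the original post.
# A route is (prefix, via). via=None means "connected": deliver on-link
# (resolve the destination MAC with ARP) and never involve the gateway.

def next_hop(routes, dst):
    """Return the (prefix, via) of the most specific route matching dst."""
    dst = ip_address(dst)
    best = None
    for prefix, via in routes:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > ip_network(best[0]).prefixlen):
            best = (prefix, via)
    return best

def host_routes(lan, gateway):
    """A typical workstation: its own LAN is connected, everything else via the default gateway."""
    return [(lan, None), ("0.0.0.0/0", gateway)]

def router_routes(lan, remote_lan, tunnel, isp_gateway):
    """The VPN router: local LAN connected, remote LAN via the tunnel, rest via the ISP."""
    return [(lan, None), (remote_lan, tunnel), ("0.0.0.0/0", isp_gateway)]

def trace(host_lan, host_gateway, remote_lan, tunnel, dst):
    """Follow one packet from a Site 1 workstation.
    Returns ("on-link", None) if the host delivers directly on its LAN,
    or ("gateway", via) with the router's chosen next hop otherwise."""
    chosen = next_hop(host_routes(host_lan, host_gateway), dst)
    if chosen[1] is None:
        # Same-subnet case: the host ARPs for dst itself; the router never sees the packet,
        # so nothing crosses the VPN even though dst physically lives at the other site.
        return ("on-link", None)
    chosen = next_hop(router_routes(host_lan, remote_lan, tunnel, "203.0.113.1"), dst)
    return ("gateway", chosen[1])

if __name__ == "__main__":
    # Both sites numbered 192.168.1.0/24: the packet for the remote server stays local.
    print(trace("192.168.1.0/24", "192.168.1.1", "192.168.1.0/24", "vpn", "192.168.1.250"))
    # Distinct subnets: host hands the packet to the gateway, router sends it into the tunnel.
    print(trace("192.168.1.0/24", "192.168.1.1", "192.168.2.0/24", "vpn", "192.168.2.250"))
    # Internet destination: gateway, then the ISP default route rather than the tunnel.
    print(trace("192.168.1.0/24", "192.168.1.1", "192.168.2.0/24", "vpn", "198.51.100.7"))
```

The first call shows why identical subnets at both ends break site-to-site reachability: the workstation never forwards the packet toward the router, regardless of how the VPN is configured.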