Solved

site-to-site VPN IP addressing

Posted on 2011-02-17
5
317 Views
Last Modified: 2012-08-13
This should be a straightforward question, but I have seen differing answers, so I thought I'd ask the experts!

I have two sites which I will join with a VPN between the routers.  That is, the routers will connect to the internet (DSL on one, FIOS on the other) and programming in the routers (same make and model) will allow communications between them with no special programming on the workstations.

My question has to do with proper IP addressing at the two locations.

One suggestion I have received is that both locations must be on the same subnet.  For example, both must be 192.168.1.0/24 subnets.  This doesn't seem correct to me for one reason as follows.

Suppose I am at Site 1 and my IP address is 192.168.1.100 and I want to retrieve files from the server at Site 2 whose address is 192.168.1.250.  Since my computer will determine that this is on the local LAN, it will address the packet directly to the .1.250 computer and not to the Default Gateway.  Unless the router monitors all traffic (would an intervening switch know enough to send the packet to it?) and forwards what is appropriate, it seems to me that the packet would never traverse the VPN.

On the other hand, if Site 1 is a 192.168.1.0/24 network and Site 2 is a 192.168.2.0/24 network, the problem should be resolved.  When I want to retrieve files from the 192.168.2.250 computer, my computer will recognize that this is not on the LAN and will encapsulate the packet and send it to the Default Gateway (the router at 192.168.1.1), which will recognize the .2.250 address as being at the other end of the VPN, and appropriately forward it along.

Is my logic correct?  More importantly, should I use different IP networks at either end as I presume is correct?
Question by:CompProbSolv
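An added example, not from this thread, that simulates the forwarding decision the question walks through: the host only hands a packet to its default gateway when the destination is off its own subnet, and the gateway then does a longest-prefix lookup. The Site 1 route table, interface names and the overlap pre-check are constructed for illustration.

```python
import ipaddress

def host_decision(host_ip, prefixlen, dest, default_gw):
    """What the sending host does with a packet for dest.
    If dest falls inside the host's own subnet, the host ARPs for it on the
    local LAN and the default gateway (the VPN router) never sees the packet."""
    local_net = ipaddress.ip_network(f"{host_ip}/{prefixlen}", strict=False)
    if ipaddress.ip_address(dest) in local_net:
        return ("direct", dest)
    return ("gateway", default_gw)

def gateway_decision(dest, routes):
    """Longest-prefix match over the router's table.
    routes: list of (cidr, outgoing interface); returns the interface or 'drop'."""
    dest_ip = ipaddress.ip_address(dest)
    best = None
    for cidr, iface in routes:
        net = ipaddress.ip_network(cidr)
        if dest_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else "drop"

def lans_overlap(site_a_cidr, site_b_cidr):
    """Pre-flight check: two LANs joined by a routed VPN must not overlap."""
    return ipaddress.ip_network(site_a_cidr).overlaps(ipaddress.ip_network(site_b_cidr))

def trace(host_ip, prefixlen, dest, default_gw, gw_routes):
    """One-line description of the path a packet from host_ip to dest takes."""
    action, next_hop = host_decision(host_ip, prefixlen, dest, default_gw)
    if action == "direct":
        return f"sent directly on the LAN (ARP for {dest}); the VPN router never sees it"
    return f"sent to gateway {next_hop}, which forwards it via {gateway_decision(dest, gw_routes)}"

# Constructed Site 1 router table: connected LAN, the tunnel to Site 2's LAN,
# and a default route to the internet (interface names are placeholders).
SITE1_ROUTES = [
    ("192.168.1.0/24", "lan"),
    ("192.168.2.0/24", "vpn-tunnel"),
    ("0.0.0.0/0", "wan"),
]

if __name__ == "__main__":
    # "Same subnet at both ends": the far-site file server is treated as local,
    # so the packet never reaches the router, let alone the tunnel.
    print(trace("192.168.1.100", 24, "192.168.1.250", "192.168.1.1", SITE1_ROUTES))
    # Distinct subnets: the host hands the packet to 192.168.1.1, which routes
    # it over the tunnel.
    print(trace("192.168.1.100", 24, "192.168.2.250", "192.168.1.1", SITE1_ROUTES))
    print("LANs overlap:", lans_overlap("192.168.1.0/24", "192.168.2.0/24"))
```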
5 Comments
 
LVL 3

Accepted Solution

by:
rob_AXSNL earned 500 total points
ID: 34920115
You must use different subnets, because the traffic must go via the default gateway, which is the VPN appliance.
No other solution is possible. It is routed traffic...
 
LVL 21

Author Comment

by:CompProbSolv
ID: 34920167
Thank you for the quick response.  The "same subnet" suggestion I got elsewhere just didn't make sense, but I wanted to be sure before I went through the effort to set it up.

I hope to have it running today!
 
LVL 9

Expert Comment

by:rawinnlnx9
ID: 34920170
Location1: 192.168.0.X (where x > 0 < 255)
Location2: 192.168.1.X (where x > 0 < 255)


There is no way to do this with both on the same subnet. If there is a way then it's tedious, requires port-forwarding and NAT translations that must be very complicated.
 
LVL 3

Expert Comment

by:rob_AXSNL
ID: 34920241
Your router is the only one that knows where to find the other subnet or next hop. This is the idea behind OSI layer 3 (IP). TCP is OSI layer 4, which builds the logical end-to-end connection over the IP hops. Therefore, if you want to use the correct infrastructure, you need to route via a default gateway or static route (which would be your router if you don't have a default gateway).
 
LVL 21

Author Closing Comment

by:CompProbSolv
ID: 34923020
Thanks for the confirmation.  Got it installed and all went well.