> From: Robbie Crash [mailto:[email protected]]
> 
> > The problem is at the remote side.  If they have a huge internal corporate
> > network that happens to include 192.168.10.x/24 and 192.168.1.x/24 ... When
> > I VPN to them and my LAN is 192.168.1.x/24, I have a subnet that overlaps
> > with their pre-existing subnet.  They can't route traffic to me without
> > breaking one of their internal subnets.
> >
> 
> I get that, but in your original email you stated you don't need to access
> their 192.168.1.0 subnet; unless all their traffic routes over that subnet
> internally, you shouldn't have an issue. Their side will see the request
> coming from your VPN point, and will send traffic there, and your VPN server
> will send it to the proper client.

No, there's something you seem to be missing.  I'm making up the details in 
this email, but the concept stands:  They have 192.168.1.x/24 in Buffalo.  
192.168.10.x/24 in Syracuse.  10.10.10.x/24 in Toronto.  172.16.14.x/24 in 
Vancouver...  and a hundred other sites.  They have all their routers 
configured to support this.  If somebody at any site sends traffic to 
192.168.1.x/24, their routers know the traffic is routed to Buffalo.  So if I 
get inside the network, using 192.168.1.x/24 in Boston, all those other sites 
can't talk to me, or can't talk to Buffalo.  I have to either use a subnet that 
doesn't conflict, or I have to NAT and virtually use a subnet that doesn't 
conflict.

If I actually use the new subnet, 192.168.2.x/24 which isn't used anywhere else 
in the company, then all traffic is routable to and from my network, which is 
good.  But if I virtually NAT my 192.168.1.x/24 network, making my traffic 
appear as 192.168.2.x/24 as far as the company's concerned ... then I have no 
way to access their 192.168.1.x/24 because my systems will think the 
destination is local and hence not use the router.  I am saying that I'm ok 
using this NAT solution to avoid the need to renumber my systems.  I'm only 
blocking the traffic from my local 192.168.1.x to the company's 192.168.1.x 
(and vice-versa) but I don't care about connecting to anything in the company's 
192.168.1.x range.

Make sense now?    ;-)


> What IP address are you receiving from
> the VPN server? 

Their VPN server doesn't assign an IP address.  This is not a mobile client VPN 
we're talking about, it's a site-to-site VPN.  Firewall to firewall.  Corporate 
home office.

And I'm the IT guy.  So I can do whatever I want and support whatever I want.  
The question is what do I want.  Well, I have about a dozen or two systems in 
my house, including a mobile VPN server, site-to-site VPNs with other 
companies, two Windows Active Directory domains, a few DNS zones, and a 
virtualization infrastructure.  While I *can* renumber, it'll cost me about a 
day's work.  So the NAT solution is attractive.
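
The overlap-versus-NAT reasoning in the message above, as an added illustration (not code from the thread or from OpenIndiana): it checks the home LAN against a constructed table of company subnets, picks an unused /24 to present over the tunnel, simulates the 1:1 prefix swap in both directions, and shows why hosts on the home 192.168.1.x still treat the company's 192.168.1.x as on-link. Site names and addresses are sample values taken from or modelled on the email.

```python
"""Overlapping-subnet check and 1:1 NAT simulation for a site-to-site VPN."""
from ipaddress import IPv4Address, IPv4Network

# Constructed sample of the company's routed sites (illustrative only).
COMPANY_SITES = {
    "Buffalo": IPv4Network("192.168.1.0/24"),
    "Syracuse": IPv4Network("192.168.10.0/24"),
    "Toronto": IPv4Network("10.10.10.0/24"),
    "Vancouver": IPv4Network("172.16.14.0/24"),
}
HOME_LAN = IPv4Network("192.168.1.0/24")  # the Boston LAN in the thread


def conflicting_sites(lan, sites):
    """Names of company sites whose subnet overlaps the home LAN."""
    return [name for name, net in sites.items() if net.overlaps(lan)]


def pick_nat_subnet(lan, sites, block=IPv4Network("192.168.0.0/16")):
    """First same-sized subnet above the LAN, inside `block`, unused by any site."""
    for cand in block.subnets(new_prefix=lan.prefixlen):
        if int(cand.network_address) <= int(lan.network_address):
            continue  # search upward from the LAN, as the thread does (.1 -> .2)
        if not any(cand.overlaps(net) for net in sites.values()):
            return cand
    raise ValueError("no free subnet in block")


def nat_translate(addr, real, virtual):
    """1:1 static NAT: keep the host bits, replace the network prefix.
    Call with (real, virtual) outbound and (virtual, real) for the reply."""
    host_bits = int(addr) - int(real.network_address)
    return IPv4Address(int(virtual.network_address) + host_bits)


def next_hop(src_lan, dst):
    """A home host's forwarding decision: on-link (ARP) or send to the VPN router.
    A destination inside the home prefix never reaches the router, so the
    company's own 192.168.1.x hosts are unreachable even with NAT in place."""
    return "local-arp" if dst in src_lan else "vpn-router"


if __name__ == "__main__":
    print("conflicts:", conflicting_sites(HOME_LAN, COMPANY_SITES))
    virt = pick_nat_subnet(HOME_LAN, COMPANY_SITES)
    print("present home LAN to the company as", virt)
    out = nat_translate(IPv4Address("192.168.1.37"), HOME_LAN, virt)
    print("192.168.1.37 appears as", out, "and maps back to",
          nat_translate(out, virt, HOME_LAN))
    for dst in ("192.168.10.5", "192.168.1.50"):
        print(dst, "->", next_hop(HOME_LAN, IPv4Address(dst)))
```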


_______________________________________________
OpenIndiana-discuss mailing list
[email protected]
http://openindiana.org/mailman/listinfo/openindiana-discuss