Re: [Openvpn-users] Potential problems with overlapping networks ?

[Michael Hale <michaelh@xxxxxxxxxxxxxxxx>]

Hi Christian,

I have a similar problem and I was wondering if you ever received an 
answer to your question.  I have asked similar questions on the list 
without receiving a single response so I am guessing that either nobody 
here knows how to get this working or it is not possible to get 
overlapping subnets to work together.

- Michael


On Jun 29, 2004, at 1:10 PM, Christian Røsnes wrote:

> Hello
>
> I'm curious as to whether there are any potential problems with a 
> roadwarrior
> OpenVPN setup where there are local (private) subnets/addresses on 
> both sides
> of the tunnel which overlap. (Eg 192.168.0/24 are used on both sides)
>
> Q:
> Has anyone experienced any problemes with a OpenVPN roadwarrior setup
> and overlapping local (private) subnets ?
>
> I'm assuming the following roadwarrior setup
> (figure best viewed with a fixed width font):
>
>  -----
>  |PC1| LAN1
>  -----
>    |<pc1 - 192.168.1.5>
>    |                      ======>           LAN1
>    |<fw1 - 192.168.1.1>
>  -----
>  |FW1| (OPENVPN server - TUNNEL ENDS HERE)
>  -----
>    |<public - fw1>
>    |
> INTERNET
>    |
>    |<public - fw2>
>  -----        ------
>  |FW2|--------|PC2B| 192.168.1.5 (same local address as PC1, same lan 
> as PC2A)
>  -----        ------
>    |<fw2 - 192.168.1.1>
>    |                      ======>           LAN2
>    |<pc2a - 192.168.1.2>
>  ------
>  |PC2A| (roadwarrior client - TUNNEL ENDS HERE)
>  ------
>
> PC2A connects to the public address of FW1.
>
> Since PC2A is a roadwarrior, there's no guarantee that the local ip 
> addresses
> of LAN2 (PC2A) does not overlap with those of LAN1 (PC1).
> (Eg. 192.168.1.0/27 on both sides)
>
>
> Q:
> What if PC2A  is in need of connecting (simultaneously) to a machine 
> on LAN2
> (eg. PC2B - see figure) and a machine on LAN1 (eg. PC1 - see figure), 
> both
> which share the same local address (eg. 192.168.1.5). And TCP/IP is 
> used
> for both connections.
>
> How will PC2 know which is which of PC1 and PC2B ?
> (PC2 sees this as an ip conflict maybe?)
>
> Won't this be a potential problem, unless some sort of natting is 
> hiding
> the real local (private) address of one of the LANs ?
>
> If natting is advisable, should the natting be done for the machines 
> on the
> serverside (behind FW1 in the figure above) ?
>
> I read in the OpenVPN FAQ that network which overlap in private 
> address range
> should use natting (eg. iptables NETMAP)
> Eg:
> iptables -t nat -A PREROUTING -d 192.168.0.0/24 -j NETMAP --to 
> 192.168.1.0/24
> Q:
> Is this type of natting adviceable for _all_ roadwarrior setups, or is 
> it
> unnecessary, when using either briding or routing ? (And assuming that 
> the
> roadwarrior person has not got the knowhow to make any changes to the 
> openvpn
> client configuration themselves - so it's preferrable that it just 
> plain
> works in "most" situations)
>
> Thanks
> Christian
>
>
> -------------------------------------------------------
> This SF.Net email sponsored by Black Hat Briefings & Training.
> Attend Black Hat Briefings & Training, Las Vegas July 24-29 -
> digital self defense, top technical experts, no vendor pitches,
> unmatched networking opportunities. Visit www.blackhat.com
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
> https://lists.sourceforge.net/lists/listinfo/openvpn-users

Michael Hale
Software Engineer
CipherOptics Inc.

701 Corporate Center Drive
Raleigh, NC 27607
T (919) 865-0671
F (919) 233-9751
michael.hale@xxxxxxxxxxxxxxxx


____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users