VPN 192.168.1.X Problem

andyb28 · 28th August 2008

Hi Guys,

Can anyone offer up some advise on a problem we have.

Our customer has a site with a VPN, their internal lan runs on 192.168.1.X
We can change that as it's now going to be too much work.

Their VPN is on a live IP, which gives access to 192.168.1.X Lan, the problem is if any of the home workers have their own local lan of 192.168.1.X (Which is the default for most home networks, their own routers see the closest device instead of the tunnel end point)

This hasn't been a problem until now, 3 users now have BT's Home Hub and as far as I can see there is no way of changing the default IP range for home hub.

I have a couple of older Cisco routers if there is a way to route this, if not, any other suggestions would be most welcome

The VPN is run on a Draytek if that makes any difference?

Thanks
Andy

markcastle · 28th August 2008

Personally I always prefer to migrate to a new range in that scenario - a lot of work yes, but often it can be a good opportunity to get decent DHCP setup at the same time. There probably are other more elegant methods, i'm sure i've come across them before, but the brain is blank on that one tonight.

AdamC · 28th August 2008

We use un-popular IP ranges for our local LANs where VPNs connect in (10.32.164.x, 172.20.0.x etc...)

Rebuke · 28th August 2008

You could do some sort of static NAT mapping, e.g. map on your VPN gateway 192.168.2.0/24 from the VPN clients point of view, to 192.168.1.0/24 on the actual LAN.

How you do it depends on exactly what VPN endpoint you're using, I know the Juniper netscreen boxes can do this, and obviously if you're using something such as OpenVPN you could do it through iptables. The problem then is making things actually useful to the VPN client, as obviously internal DNS would still resolve the 192.168.1.X IPs, so you'd need to do some sort of separate view onto your DNS server to return IPs in the other range.

Overall, it's probably less work to move the LAN to a different subnet however....

PeteK · 28th August 2008

What is the VPN endpoint. If its Cisco there is an way solution based on routing.

andyb28 · 28th August 2008

Its nothing so fancy, Draytek 2800G

SynergyWorks · 29th August 2008

We've had this problem over and over again - right pain in the arse as we manage some rather large VPNs spanning many sites.

I know it doesn't help, but the only easy solution is an unpopular IP range on the local LAN.

Its the one thing I like about IPv6 - enough IPs that this kind of clash shouldn't happen in the future.

freethought · 29th August 2008

Fortinet and Check Point (Cisco too I think, can't remember, I have no intention of ever touching aa PIX/ASA again!) let you allocate virtual IPs to the connected software clients that you can then route on to the local LAN to prevent exactly this happening.
No idea if Draytek boxes supports this, as it's a fairly cheap and chearful deviceprobably running Linux and racoon/openswan then I suspect not.

So your choice would seem to be time (re-IP everything) or money (buy a better VPN box

)

othellotech · 29th August 2008

Quote:

Originally Posted by SynergyWorks

Its the one thing I like about IPv6 - enough IPs that this kind of clash shouldn't happen in the future.

There are enough v4 addresses that it needn't happen,

Sadly, user, hardware manufacturer, and software author stupidity isnt going to get solved by having more ips ...

andyb28 · 29th August 2008

Thanks for the tips guys, looks like we will be setting a new IP range on the LAN.

It's going to be a royal pain, but I guess thats the sensible option here.

Karl · 29th August 2008

One of the reasons the RFCs recommend not starting at X.Y.1.0 etc. and starting at a random point and going up or down from there as needed, to try and avoid clashes - sadly hardly anyone bothers. Was quite a discussion on NANOG about it recently.

aguk · 29th August 2008

DrayTek 2800G here for our office VPN. We started at 192.168.182.x to avoid any such problems in the future.

danfoster · 29th August 2008

Quote:

Originally Posted by AdamC

We use un-popular IP ranges for our local LANs where VPNs connect in (10.32.164.x, 172.20.0.x etc...)

Obviously not that un-popular, our SAN network runs on 172.20.0.0/23 :P

BurtyB · 29th August 2008

Depending on what protocols they're using could you give the BT home hub users a different subnet for the VPN and then NAT it back into your regular range?

ChrisB.

AdamC · 29th August 2008

Quote:

Originally Posted by danfoster

Obviously not that un-popular, our SAN network runs on 172.20.0.0/23 :P

Haha - I bet you don't have much on 10.32.164.x tho

Fortunately, I don't think I'll need to connect to our VPN from your SAN