VPN addressing advice

DistributedBen (Limp Gawd, joined Mar 26, 2004, 227 messages)
I'm planning options for VPN access for our employees from home. I have setup my machine at home as a test machine and got it working, but my experience is very limited and would like to know if I'm going about this the correct way.

Company Network Info
Static public IP
Internal IP's in the 192.168.0.x range

My question is what, if anything, I need to do to avoid IP conflicts when a user connects via VPN from home? If a user is behind a firewall at home and is given a 192.168.0.x address, will that cause a conflict when connected via VPN. Would it be better to choose a difference address scheme for the VPN address pool?

Thanks
 
It depends on what you are trying to accomplish... Are you going for a Network to Network (Site to Site) arrangement (i.e. a permanent connection between their home network and the office network) or a Network to Host setup?

If a Net to Net, then each remote network will have to be on a different subnet like you referred to in your post.

Otherwise, with a Net to Host design, the VPN device at the office will assign an INTERNAL IP address to each client via the client software (or MS's DUN) and it routes like that. This makes the home subnet irrelevant.
 
To avoid complexities and avoid problems in the future I would suggest just moving to another subnet for the VPN if you can. All you need to do is pick something like 10.150.0.0 and you most likely never see a conflict.
 
So since this is a site to host connection (our office and the user's laptop), once it connects to the VPN, the local IP / network setting doesn't matter? Does this affect the default gateway settings? What happens when they disconnect from the VPN and just use their own Internet connection - does it just go back to "normal"?

This machine will travel back and forth from the office and home often and will be the primary machine when at work.

Thanks.
 
Couldn't you also just setup a reservation and make the VPN pool from there?

I'm not too sure about addressing so if someone could clear that up for me, I'd appreciate it.
 
To avoid complexities and avoid problems in the future I would suggest just moving to another subnet for the VPN if you can. All you need to do is pick something like 10.150.0.0 and you most likely never see a conflict.

I figured that would be an option, but didn't know if that would bring up any other issues. I will give it a try and see.
 
So since this is a site to host connection (our office and the user's laptop), once it connects to the VPN, the local IP / network setting doesn't matter? Does this affect the default gateway settings? What happens when they disconnect from the VPN and just use their own Internet connection - does it just go back to "normal"?

This machine will travel back and forth from the office and home often and will be the primary machine when at work.

Thanks.


Pretty much correct. While the VPN is connected, they will be assigned an Office Network IP. The VPN device will route traffic to the individual user based on their PUBLIC IP, so even if two users have the same IP scheme at home it doesn't matter. So for the most part, as long as there's never a chance that your office IP scheme and any user's home IP scheme are the same, you are good to go.

eth00 made a good point as well, set your office IP scheme to a subnet far from the standard 192.168.x.x or 172.16.x.x schemes that are so popular with the SOHO routers. Like Eth said, a 10.0.x.x scheme generally works well.

As an example, I run a 13 location network using these IP schemes in a site-site setup:
10.0.0.x for the main office
192.168.y.x for each of 12 stores (y is the store number)
As I mentioned earlier, in Site-Site, each subnet matters. There can be NO overlap.


In your case ( Hypothetical)

Office: 10.0.0.x (VPN range: 10.0.0.225-10.0.0.254)

Home user 1: 192.168.0.5 This user connects to the VPN and is assigned an IP in the above range, maybe 10.0.0.225. And the VPN device Routes his traffic back to the PUBLIC IP of the user and lets their home router translate it back into 192.168.0.x Terms.

Home user 2: 192.168.0.5 This user connects to the VPN and is assigned an IP in the above range, maybe 10.0.0.226 (Note the different IP). And the VPN device Routes his traffic back to the PUBLIC IP of the user and lets their home router translate it back into 192.168.0.x Terms.

Home user 1: 192.168.1.2 This user connects to the VPN and is assigned an IP in the above range, maybe 10.0.0.227 (Note the different IP). And the VPN device Routes his traffic back to the PUBLIC IP of the user and lets their home router translate it back into 192.168.1.x Terms.

Make sense? As long as the office IP scheme doesn't match any individual Home IP Scheme, they won't matter.
 
Make sense? As long as the office IP scheme doesn't match any individual Home IP Scheme, they won't matter.

Ah, this was my confusion to start. So since my network is currently using the 192.168.0.x scheme that is so popular with end user SOHO routers, do I need to change my whole internal company network, or just the scheme of the VPN address pool?

For example:

Company internal LAN = 192.168.0.x
VPN address pool = 10.10.1.x - 10.10.1.xxx

Home user = gets assigned 10.10.1.50

Will that work?
 
Depending on the VPN Device, it's possible, but... Changing the IP scheme of the office is the best option. The VPN device will need to be advanced enough to be able to have a different IP range defined AND be able to route between the office subnet and the VPN pool subnet.

What device are you planning to use anyway?
 
if you want to use 192.168.x.x then make sure the VPN hands out at the higher end of the scale (200 - 254)

this will only work if you have a low number of VPN users at the same time

What are the chances that a home network system will use 192.168.x.200 ---> 254?
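The two checks the thread keeps coming back to (does a home user's private range overlap the office LAN or the VPN pool, and, for the "hand out 192.168.x.200-254" idea above, which individual pool addresses a home router's DHCP scope could also give out) can be written down with the standard library's `ipaddress` module. This is an added example, not code from anyone in the thread; the office, pool, home and DHCP ranges are constructed to mirror the hypothetical posted earlier and are not from any real network.

```python
import ipaddress
from typing import Dict, List, Tuple

IPv4Addr = ipaddress.IPv4Address
IPv4Net = ipaddress.IPv4Network
Pool = Tuple[IPv4Addr, IPv4Addr]  # first and last address handed to VPN clients

# Constructed sample topology mirroring the hypothetical in the thread:
# office on 10.0.0.x with the top of the range reserved for VPN clients,
# and three home users, two of whom share the same private range.
OFFICE_LAN = ipaddress.ip_network("10.0.0.0/24")
VPN_POOL: Pool = (ipaddress.ip_address("10.0.0.225"), ipaddress.ip_address("10.0.0.254"))
HOME_LANS: Dict[str, IPv4Net] = {
    "user1": ipaddress.ip_network("192.168.0.0/24"),
    "user2": ipaddress.ip_network("192.168.0.0/24"),  # same range as user1: fine for net-to-host
    "user3": ipaddress.ip_network("192.168.1.0/24"),
}

# The alternative raised later in the thread: keep the office on 192.168.0.x and
# carve the VPN pool out of the high end. Constructed values.
OFFICE_192 = ipaddress.ip_network("192.168.0.0/24")
POOL_192: Pool = (ipaddress.ip_address("192.168.0.200"), ipaddress.ip_address("192.168.0.254"))
SOHO_DHCP: Pool = (ipaddress.ip_address("192.168.0.100"), ipaddress.ip_address("192.168.0.149"))


def pool_blocks(first: IPv4Addr, last: IPv4Addr) -> List[IPv4Net]:
    """Express a first..last address pool as the CIDR blocks that cover it exactly."""
    return list(ipaddress.summarize_address_range(first, last))


def conflicts(office: IPv4Net, pool: Pool, homes: Dict[str, IPv4Net]) -> List[Tuple[str, str]]:
    """List every home LAN whose prefix overlaps the office LAN or the VPN pool.

    Overlap between two *home* LANs is deliberately not reported: in a
    net-to-host setup each client is reached via its own public IP, so two
    homes on 192.168.0.x do not collide with each other.
    """
    blocks = pool_blocks(*pool)
    problems: List[Tuple[str, str]] = []
    for user, home in homes.items():
        if home.overlaps(office):
            problems.append((user, f"home {home} overlaps office LAN {office}"))
        if any(home.overlaps(b) for b in blocks):
            problems.append((user, f"home {home} overlaps VPN pool {pool[0]}-{pool[1]}"))
    return problems


def pool_addresses_in_home_dhcp(pool: Pool, dhcp_scope: Pool) -> List[IPv4Addr]:
    """Individual addresses that both the VPN pool and a home DHCP scope could hand out."""
    pool_set = set(range(int(pool[0]), int(pool[1]) + 1))
    dhcp_set = set(range(int(dhcp_scope[0]), int(dhcp_scope[1]) + 1))
    return [ipaddress.ip_address(a) for a in sorted(pool_set & dhcp_set)]


if __name__ == "__main__":
    print("10.0.0.x office:", conflicts(OFFICE_LAN, VPN_POOL, HOME_LANS) or "no conflicts")
    for user, why in conflicts(OFFICE_192, POOL_192, HOME_LANS):
        print(f"192.168.0.x office: {user}: {why}")
    print("pool addresses also inside a typical SOHO DHCP scope:",
          pool_addresses_in_home_dhcp(POOL_192, SOHO_DHCP) or "none")
```

Run against the constructed data, the 10.0.0.x office reports no conflicts at all, while the 192.168.0.x office flags both users on 192.168.0.0/24 twice (prefix overlap with the office LAN and with the pool) even though none of the .200-.254 pool addresses fall inside the sample DHCP scope. That is the trade-off the high-end-pool suggestion makes: the individual addresses may never collide, but the client's route for the office prefix still competes with its local LAN route, which is why the prefix check is the more conservative one to run before rolling a pool out.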
 
Depending on the VPN Device, it's possible, but... Changing the IP scheme of the office is the best option. The VPN device will need to be advanced enough to be able to have a different IP range defined AND be able to route between the office subnet and the VPN pool subnet.

What device are you planning to use anyway?

We have a commercial, linux based firewall/router. I'm pretty sure that it can do both of the things you describe.

Office consists of 100+ computers, with no more than 30 users with VPN capabilities.
 
Try it and find out ;) Just make sure it's after hours so you don't take anyone down during the day.
 