Network subnet range too wide for VPN

June 23, 2011 at 05:56:54
Specs: win server 2003 and 2008R2, lots
I have a supplier to which I need to connect a site-to-site IPsec VPN (from a DrayTek router). I have already done this on our main site with no problems using the local IP details of 192.168.1.0 and subnet 255.255.255.0; however, I need to do the same on our DR site, which uses the IP details of 10.1.0.0 and subnet of 255.255.0.0. Our supplier told me the 255.255.0.0 is already used at their end by a different customer, so we are unable to connect the VPN and communicate (in theory we can connect, but our supplier cannot reply). We can set up a connection to another spare server on a different address using a different subnet, but effectively this would mean that communication would stop at that server, and communication to the overall network or the specific server the supplier needs access to (on the 10.1.0.0 255.255.0.0 network) is not possible. I was thinking maybe an internal VPN server-to-server connection through Windows Server may do it, 2 NIC cards or routes in the server routing table, but this all seems a bit messy. Has anyone got any ideas? Our network consists of Windows 2003 and 2008 R2 servers and is a basic network with modem-VPN firewall-switch and devices on the internal network connecting to the switch. Many thanks, everyone.



#1
June 23, 2011 at 06:53:01
jasonoodian, you start off talking about the LAN side on your end of the site-to-site VPN. Then you talk about the LAN side of the VPN at the DR site.

Usually we talk about the WAN IPs at each end, not LAN IPs, when dealing with a site-to-site VPN.

"Our supplier told me the 255.255.0.0 is already used" [10.1.0.0 and subnet of 255.255.0.0].

Is your supplier serious??? What does the subnet mask have to do with the situation?

That IP range is 16,777,216 IP addresses!!!! 16 million!

Surely they have a few to spare.

Answers are only as good as the information you provide.
How to properly post a question:
Sorry no tech support via PM's



#2
June 23, 2011 at 07:10:32
Our supplier has a VPN connected to another customer using the same remote internal network IP and mask details as ourselves, so when the supplier server sends info/packets to 10.1.0.1, for example, it will send them to the other customer's remote network. The info is not sent to our WAN address (because a site-to-site connection would normally have been established already). Establishing a VPN site-to-site connection is not the main issue. The supplier server, which is behind their VPN firewall, and our server, which is behind our VPN firewall, need to communicate. To do this both VPN firewalls need to be able to communicate with a device behind each one. We would be able to communicate with their server, but their server would reply and send the info to the other customer's server because of the network details. Many thanks.


#3
June 23, 2011 at 20:47:59
Sorry jasonoodian, it took me a number of reads of your situation to understand what it is you are dealing with.

Any way you can change your site subnet mask? How many servers/PCs/devices are we talking here?

255.255.0.0 gives you 10.1.0.0 - 10.1.255.255

If you were to do

255.0.0.0, that gives you 10.0.0.0 - 10.255.255.255,
within which
10.1.0.0 - 10.1.255.255 is included.

If you are doing DHCP it would be fairly easy to change the subnet mask [not the IPs] for all DHCP devices. Then you would have to manually change the statically assigned ones as well as update the DNS server entries.

A bit labor intensive, but it would be a solution.




#4
June 24, 2011 at 02:05:32
Many thanks. I considered this, but with 1000 DHCP devices and various servers, virtual servers, routers etc., this would be a logistical nightmare (we are a 24-hour site). I have, however, just discovered our firewall can have 2 different IP addresses and subnets assigned to the LAN interface, so I have done the following: left the already configured address of 10.1.254.1 on the firewall and also configured 192.168.2.1 as the second address for that firewall. Our server has 2 NIC cards; the first card has been left with its original configuration 10.1.0.4 and the second card has been configured with 192.168.2.12. The supplier can now use 192.168.2.12 to contact the server and everyone else within the network can continue as normal on the 10.1.0.1 address. The 2 NIC cards don't need to communicate with each other as the supplier only needs to gain access to a specific application, which can also be configured to use a specific NIC card (192.168.2.12). There are some connection issues still, but I think these are more a VPN 3DES authentication configuration issue. Many thanks for your help though.

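As an added illustration (not code from the thread or from any of its posters), a small Python check that models the supplier's existing IPsec phase-2 selectors and shows which of the three DR-site prefixes discussed above collide with them, and into which tunnel a reply packet would be routed. The tunnel names and the other customer's 10.1.0.0/16 prefix are constructed assumptions based on the thread's description.

```python
import ipaddress
from typing import Dict, List, Optional

Tunnels = Dict[str, ipaddress.IPv4Network]

# Constructed model of the supplier's side: each tunnel carries one remote
# (customer) subnet as its selector. Prefixes are assumptions from the thread.
SUPPLIER_TUNNELS: Tunnels = {
    "main-site": ipaddress.ip_network("192.168.1.0/24"),    # the tunnel that already works
    "other-customer": ipaddress.ip_network("10.1.0.0/16"),  # the customer causing the clash
}


def overlapping_tunnels(candidate: str, tunnels: Tunnels = SUPPLIER_TUNNELS) -> List[str]:
    """Names of existing tunnels whose remote subnet overlaps the candidate prefix."""
    cand = ipaddress.ip_network(candidate, strict=False)
    return [name for name, net in tunnels.items() if cand.overlaps(net)]


def select_tunnel(dst: str, tunnels: Tunnels = SUPPLIER_TUNNELS) -> Optional[str]:
    """Which tunnel a reply to dst enters: the longest matching selector wins;
    None means no selector covers dst, so the reply never reaches any tunnel."""
    addr = ipaddress.ip_address(dst)
    hits = [(net.prefixlen, name) for name, net in tunnels.items() if addr in net]
    return max(hits)[1] if hits else None


def evaluate_options(tunnels: Tunnels = SUPPLIER_TUNNELS) -> Dict[str, List[str]]:
    """Check each DR-site prefix raised in the thread against the supplier's tunnels."""
    options = {
        "dr-as-is": "10.1.0.0/16",          # the DR LAN as it stands
        "wider-mask": "10.0.0.0/8",         # the 255.0.0.0 idea from reply #3
        "secondary-lan": "192.168.2.0/24",  # the second firewall address from reply #4
    }
    return {label: overlapping_tunnels(pfx, tunnels) for label, pfx in options.items()}


if __name__ == "__main__":
    for label, clashes in evaluate_options().items():
        print(f"{label:14s} clashes with: {clashes or 'nothing'}")
    # A reply to the DR server's 10.1.0.4 is routed into the other customer's tunnel.
    print("reply to 10.1.0.4 ->", select_tunnel("10.1.0.4"))
    # Once a tunnel for 192.168.2.0/24 exists, 192.168.2.12 reaches the DR site.
    with_dr = {**SUPPLIER_TUNNELS, "dr-site": ipaddress.ip_network("192.168.2.0/24")}
    print("reply to 192.168.2.12 ->", select_tunnel("192.168.2.12", with_dr))
```

The same check is worth running on both ends before bringing up any new site-to-site tunnel, since an overlapping selector fails silently as misrouted replies rather than as a negotiation error.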

#5
June 24, 2011 at 08:16:31
Excellent solution considering the number of devices. Thanks for the update and best of luck.
