From: Jeff Liebermann <jeffl@comix.santa-cruz.ca.us>
Subject: Re: networking with xp
Date: Thu, 15 May 2003 09:25:34 -0700
References: <bfbc8513.0212260801.1688f665@posting.google.com>
<3ec2e375.17005803@news.nildram.co.uk>
<b9r27p$26k$1@titan.btinternet.com>
<1er4cv4qsc931nv4f0lu719lfnabgu7rtg@4ax.com>
<HEw322.15D@wjv.com>

On Wed, 14 May 2003 18:27:30 GMT, bv@wjv.comREMOVE (Bill Vermillion) wrote:

>In article <1er4cv4qsc931nv4f0lu719lfnabgu7rtg@4ax.com>,
>Jeff Liebermann <jeffl@comix.santa-cruz.ca.us> wrote:
>>On Tue, 13 May 2003 15:16:09 +0000 (UTC), Ian Wilson
>><scobloke2@infotop.co.uk> wrote:
>
>>>People who care about IP-addressing pick small IP subnets for small
>>>physical networks (hence frequent use of 192.168.x/24)
>
>>Before you trivialize the problem, may I suggest you consider a
>>problem I have with such networks. If you build a router terminated
>>VPN, and BOTH ends use the same Class-C block, there will be problems.
>>All the docs and books warn against using the same Class-C block on
>>both sides, but it happens far too often.
>
>And doesn't that come because MS uses the 'natural' netmask - eg
>255.255.255.0 instead of the netmask you designate.
Not quite, but that's the "solution". To make it work with identical class C blocks on both sides of the VPN, one needs:

1. Different subnets on both sides.
2. Broadcasts to traverse the VPN so that the Windoze browser functions.
3. Non-overlapping DHCP ranges to avoid IP duplication.
4. Different IPs for the various routers.

I've actually done this two or three times and will NEVER do it again. It works with two terminators on the VPN, but gets seriously confusing with 3 or more. I have one system that currently has 5ea VPN routers that started out this way. I was trying to avoid renumbering the entire LAN. After a few screwups, I gave up, did the airplane thing, and set up a different class C IP block for each LAN.

I wouldn't blame MS for the problem. All the vendors (except Netopia) start out with a netmask of 255.255.255.0 and few warn of the complications of using all the defaults in a VPN. Some are just plain broken. The SafeNet Windoze VPN client from Sonicwall (5.13 and 8.0) breaks badly if you have more than one remote LAN configured to use the same non-routeable LAN IP block. Even if you disable the remote VPN configuration for one remote VPN in an effort to make it work, the buggy piece of junk software still fails. I have to use multiple configuration files for each remote VPN to make this piece of junk software work (at $75/seat).

To many, sub-net configuration is mysterious and confusing. I have to use a cheat sheet to get it straight. It's not something I would want to inflict on a total beginner or home user. Many of my customers are buying hardware VPN routers so that they don't have to install VPN client software on all their home PCs. Methinks sub-netting would be too difficult for these users. Just getting them to *NOT* use the same class C IP block as what's used in the home office is difficult enough. I've lost count of how many times I've had to walk them through that ordeal.
I thank the gods and the IETF for DHCP, which makes such changes relatively painless.

>I first came across this when I had to alias base Cisco address
>with Macs on subnets as the Mac can't have a gateway outside its
>block. While you can put a small MS IP block up at the top of the
>range and still use a bottom IP gateway - eg 192.168.30.252
>with a 255.255.255.240 netmask - and use the 192.168.30.1 as a
>gateway.
>
>I have a VPN setup with no problems splitting a 192.168.0.x
>into two pieces with a 255.255.255.128 netmask. Cable on one end,
>DSL on the other and only the cable side has fixed IP. Works
>wonderfully well.

Good idea, and that should work. Also note that almost all the examples of router terminated VPNs on the Cisco TAS web pile use radically different blocks of IPs at each LAN. The example I was using has 10.0.xxx.xxx on one LAN, and 192.168.xxx.xxx on the other end. I don't think it was just for clarity that they did this.

>>A clueless expert buys a pile of routers with hardware VPN and sets
>>them up using the default IP block. Usually, that's 192.168.0.xxx.
>
>And using the default 255.255.255.0 netmask - instead of changing
>it. ? Let's all boycott MS for screwing this up.
You'll also have to boycott all the VPN terminating router manufacturers. Linksys, Netgear, DLink, Sonicwall, Netscreen, ad nauseam. They all default to 255.255.255.0. So does SCO on all their LAN configs.

-- 
Jeff Liebermann  150 Felker St #D  Santa Cruz CA 95060
(831)421-6491 pgr  (831)336-2558 home
http://www.LearnByDestroying.com
AE6KS  jeffl@comix.santa-cruz.ca.us  jeffl@cruzio.com
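As an added illustration of the addressing rules discussed in the post above (this script is not part of Jeff's or Bill's messages), the following Python checks a multi-site VPN plan for the pitfalls listed there: it flags sites left on the same default block, carves one block into non-overlapping pieces the way Bill's 255.255.255.128 split does, and verifies that each router sits inside its own LAN, that no two sites reuse a router address, and that DHCP pools do not overlap. All site names and addresses are constructed sample values.

```python
import ipaddress
from itertools import combinations

# Constructed example: every VPN site left at the vendor default block.
DEFAULT_SITES = {"office": "192.168.0.0/24", "home_a": "192.168.0.0/24",
                 "home_b": "192.168.0.0/24"}

def overlapping_sites(sites):
    """Return sorted pairs of site names whose LAN blocks overlap; any such
    pair cannot be routed cleanly across a site-to-site VPN."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in sites.items()}
    return sorted((a, b) for a, b in combinations(sorted(nets), 2)
                  if nets[a].overlaps(nets[b]))

def carve_sites(block, site_names):
    """Carve one block into equal non-overlapping subnets, one per site:
    192.168.0.0/24 for two sites becomes two /25s (mask 255.255.255.128)."""
    extra_bits = max(len(site_names) - 1, 0).bit_length()   # ceil(log2(n))
    subnets = ipaddress.ip_network(block).subnets(prefixlen_diff=extra_bits)
    return {name: str(net) for name, net in zip(site_names, subnets)}

def netmask_of(cidr):
    """Dotted netmask for a CIDR block, e.g. /25 -> 255.255.255.128."""
    return str(ipaddress.ip_network(cidr).netmask)

def site_plan_problems(plan):
    """Check {site: {"lan": cidr, "router": ip, "dhcp": (first, last)}}
    for the remaining pitfalls: router inside its own LAN, no router
    address reused by another site, DHCP pools inside the LAN and disjoint."""
    problems, routers, pools = [], {}, {}
    for site, cfg in sorted(plan.items()):
        lan = ipaddress.ip_network(cfg["lan"])
        router = ipaddress.ip_address(cfg["router"])
        if router not in lan:
            problems.append(f"{site}: router {router} outside {lan}")
        if router in routers:
            problems.append(f"{routers[router]}/{site}: same router address {router}")
        routers.setdefault(router, site)
        first, last = (ipaddress.ip_address(x) for x in cfg["dhcp"])
        if first not in lan or last not in lan or first > last:
            problems.append(f"{site}: DHCP pool {first}-{last} not inside {lan}")
        pools[site] = (int(first), int(last))
    for a, b in combinations(sorted(pools), 2):   # pairwise pool overlap
        (a1, a2), (b1, b2) = pools[a], pools[b]
        if a1 <= b2 and b1 <= a2:
            problems.append(f"{a}/{b}: DHCP pools overlap")
    return problems
```

Running `site_plan_problems` on a plan built from `carve_sites` returns an empty list, while the all-defaults plan reports the duplicate router address and the overlapping DHCP pools that cause the symptoms described in the thread.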