
vpn client from same subnet as remote subnet

donnie
Level 1

Hi all,

I have a VPN client whose local subnet 192.168.4.0/24 is the same as the private LAN (192.168.4.0/24) of the remote network that he is trying to access.

The following is the behaviour of his vpn connection.

1) He is able to establish a VPN connection to the remote network.

2) The VPN client IP he obtained is 172.16.0.x/16.

3) He is able to access TCP services of the remote private LAN (192.168.4.0/24) even though his local subnet is also 192.168.4.0/24.

4) It seems he only has a problem accessing UDP services (software version of IP phone) of the remote private LAN (192.168.4.0/24). I installed Wireshark on his PC, and when he launches his softphone trying to connect to the remote PBX there is no related traffic captured by Wireshark.

5) If he launches his VPN connection from a local subnet that is not 192.168.4.0/24, his softphone works fine.

Please advise how I can solve this so that he can access UDP services even when he launches his VPN connection from the same local subnet as the remote private LAN. Thanks in advance.


Ajit Singh
Level 1

Hi Don,

This is a classic example of overlapping networks. In these scenarios we do expect inconsistent behaviour with network access (the one you are observing currently). We may try to disable split-tunnel (if enabled), else we will have to perform a 1-to-1 NAT for your local-remote network when accessed via VPN.

Hi Ajit,

Thank you for your prompt response. But my TCP packets work fine; it seems only the UDP is giving problems. I did a test with the VPN client and I could access the web console of the PBX remotely. Please advise. Thanks.

Hi Don,

I understand that you are able to send TCP traffic, and that is what we meant by "inconsistent behaviour". If you look at the routing table on the client PC, you will find 2 routes to the same subnet, one directly connected and another via the VPN client. The best option is to ensure that the remote network is NATed for VPN access.

Hi Ajit,

What if the NATed IP subnet of the remote network overlaps with the IP where the VPN client establishes the connection? I have many users who travel overseas and stay at different hotels. Then I would have the same problem again?

Hi,

In that case I will suggest you disable split-tunnel and ensure that all is tunnelled via VPN. In case you need internet access, use U-turn on the headend.

Hi Ajit,

I will try disabling the split tunnelling but have a concern that my VPN clients' internet traffic will choke up the internet line on the remote end where the VPN is established. What do you mean by "U-turn on the headend"? Is there a configuration for this?

Hi Ajit,

I have tried disabling split tunnel but it doesn't resolve the problem. And I notice it's not all UDP packets that can't get through. DNS resolution works fine over the tunnel.

Hi Don,

This is interesting. Routing should not be any different for UDP and TCP or even among different UDP protocols (like DNS, etc.).

I would suggest opening up a TAC case so this can be investigated further. Do let us know how it goes!

Cheers,
Prapanch
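
The routing-table check suggested earlier in the thread (two routes to the same subnet, one directly connected and one via the VPN client), as an added example that is not part of the original posts. The route table text, interface names `eth0`/`vpn0`, metrics and the host address 192.168.4.10 are constructed; route selection is modelled as longest prefix first, then lowest metric.

```python
import ipaddress
from typing import NamedTuple, Optional


class Route(NamedTuple):
    dest: ipaddress.IPv4Network
    iface: str
    metric: int


# Constructed sample: "destination interface metric", one route per line.
SAMPLE = """
0.0.0.0/0       eth0  10
192.168.4.0/24  eth0  10
192.168.4.0/24  vpn0  20
172.16.0.0/16   vpn0  20
"""


def parse_routes(text: str) -> list:
    routes = []
    for line in text.strip().splitlines():
        dest, iface, metric = line.split()
        routes.append(Route(ipaddress.ip_network(dest), iface, int(metric)))
    return routes


def overlaps(routes: list, vpn_iface: str) -> list:
    """Return (local_route, vpn_route) pairs whose destinations overlap.

    Default routes (/0) are skipped because they overlap everything.
    """
    local = [r for r in routes if r.iface != vpn_iface and r.dest.prefixlen > 0]
    vpn = [r for r in routes if r.iface == vpn_iface and r.dest.prefixlen > 0]
    return [(l, v) for l in local for v in vpn if l.dest.overlaps(v.dest)]


def select_route(routes: list, addr: str) -> Optional[Route]:
    """Pick the route a host would use: longest prefix, then lowest metric."""
    ip = ipaddress.ip_address(addr)
    candidates = [r for r in routes if ip in r.dest]
    return min(candidates, key=lambda r: (-r.dest.prefixlen, r.metric), default=None)


if __name__ == "__main__":
    table = parse_routes(SAMPLE)
    for local, vpn in overlaps(table, "vpn0"):
        print(f"conflict: {local.dest} on {local.iface} vs {vpn.dest} on {vpn.iface}")
    print("192.168.4.10 leaves via", select_route(table, "192.168.4.10").iface)
```

With equal prefix lengths the outcome hinges entirely on the metric, so swapping the two metrics in the sample sends the same destination into the tunnel instead.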