VPN Client to remote site with same address space

jims88
Level 1

I am trying to establish a vpn using the VPN client from inside my network to a subconsultant's site's VPN Concentrator. The tunnel is established, but I can't send any traffic. Both sites use the 172.16.0.0 255.240.0.0 network, but I've created a VLAN for this machine that uses the 10.0.0.0 network.

The destination address is on the 172.17.100.0 subnet. Would the VPN client encapsulate this and use the VPN Concentrator's external address for a destination instead? Instead the traffic is being dropped at the edge of my network, so no encapsulation.

Anyone have any ideas?

Thanks,

Jim

3 Replies

llascare
Level 1

What is the IP address being assigned to the VPN client? If you don't have split tunneling enabled on the VPN client, then you won't have an overlapping situation. Make sure that the Concentrator is enabling "IPSec over NAT-T", since the VPN client is most likely behind a device doing NAT.
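The overlap question in the reply above can be checked mechanically. The following is an added example, not code from the thread or from any Cisco product: it models the client's routing decision (full tunnel versus split tunnel) and flags the address conflicts that only bite when local routes still compete with the tunnel. The addresses are constructed from the thread; the prefix lengths for the 10.0.0.0 VLAN and the 172.16.80.x pool are assumptions, since the posts give none.

```python
from ipaddress import ip_address, ip_network

# Constructed sample values modelled on the thread. Prefix lengths for the
# client VLAN and the assigned pool are assumptions (the posts give none).
SITE_PREFIX = ip_network("172.16.0.0/12")    # both sites use 172.16.0.0 255.240.0.0
CLIENT_VLAN = ip_network("10.0.0.0/24")      # VLAN created for the client machine
REMOTE_DEST = ip_network("172.17.100.0/24")  # subnet the client needs to reach
VPN_POOL = ip_network("172.16.80.0/24")      # addresses the concentrator hands out


def tunnel_carries(dst, split_tunnel, secured_routes):
    """Model the client's decision: with split tunneling off every packet is
    encapsulated; with it on, only destinations inside the secured routes."""
    if not split_tunnel:
        return True
    return any(ip_address(dst) in net for net in secured_routes)


def overlap_findings(client_lan, local_routes, secured_routes, pool, split_tunnel):
    """Address conflicts that matter for this client.

    The pool must not overlap the LAN the client physically sits on.
    Local routes overlapping the secured routes only matter with split
    tunneling, because a full tunnel overrides local routing entirely."""
    findings = []
    if client_lan.overlaps(pool):
        findings.append(f"assigned pool {pool} overlaps the client's own LAN {client_lan}")
    if split_tunnel:
        for local in local_routes:
            for remote in secured_routes:
                if local.overlaps(remote):
                    findings.append(f"local route {local} overlaps secured route {remote}")
    return findings


def diagnose(dst, split_tunnel, client_lan=CLIENT_VLAN, local_routes=(SITE_PREFIX,),
             secured_routes=(REMOTE_DEST,), pool=VPN_POOL):
    """Return a list of problems; an empty list means the packet to dst is
    expected to be encapsulated and no address conflict is present."""
    findings = overlap_findings(client_lan, local_routes, secured_routes, pool, split_tunnel)
    if not tunnel_carries(dst, split_tunnel, secured_routes):
        findings.append(f"{dst} is not covered by the secured routes; "
                        "it leaves the physical interface unencapsulated")
    return findings


if __name__ == "__main__":
    for split in (False, True):
        print(f"split_tunnel={split}:", diagnose("172.17.100.5", split) or "no conflicts")
    # Before the client was moved to its own VLAN it sat inside 172.16.0.0/12:
    print("client on site prefix:", diagnose("172.17.100.5", False, client_lan=SITE_PREFIX))
```

With the client on the 10.0.0.0 VLAN and a full tunnel, the check reports nothing, which matches the thread's outcome; turning split tunneling on surfaces the 172.16.0.0/12 overlap, and leaving the client on the site prefix surfaces the pool conflict.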

The IP address assigned to the client is 172.16.80.x. Unfortunately, the Concentrator is the subconsultant's, not mine, so I can't disable split tunneling, and it's not something they want to do. NAT-T is turned on. The VPN Client is on my network, so yes, it is behind a NAT device.

I'm unclear how the IPSEC header gets constructed, I think. Outbound is working; the problem is traffic coming back into my network. The destination address in the IPSEC header from the Concentrator should be the public address at my NAT boundary, right? Then my firewall would de-NAT to a private address, but does it use the VPN Client address or the ethernet address of the client machine? If it uses the VPN Client address, then would I need to do an alias in my PIX to route that traffic? I've already created a VLAN for this machine on the 10.0.0.0 network; would aliasing 172.16.80.0 to 10.0.0.0 potentially resolve this?

All is now right with the world. I don't think they had NAT-T on last night, but now it works!

Thanks for the help!