site-2-site VPN

 
 
ALeu
      04-09-2009
Hi everybody,

I was asking about the S2S VPN lately, but have a bit different question
now. What are the industry standards / best practices to securely
connect two company branches? I was thinking of a VPN connection, but it
does not allow one to connect two identical subnets e.g. 10.11.12.0/24
with 10.11.12.0/24. Is there a way to connect two offices via VPN and
reduce or eliminate the possibility of subnet overlap?

Thanks,
AL
 
 
Uli Link
      04-10-2009
ALeu wrote:

> I was asking about the S2S VPN lately, but have a bit different question
> now. What are the industry standards / best practices to securely
> connect two company branches? I was thinking of a VPN connection, but it
> does not allow one to connect two identical subnets e.g. 10.11.12.0/24
> with 10.11.12.0/24. Is there a way to connect two offices via VPN and
> reduce or eliminate the possibility of subnet overlap?


If you have the same subnet remote and local, it's hard to find a simple
logic for any router to decide where a packet should go to, so you must
NAT both subnets to different subnets outside, with all possible side
effects on protocols that don't like NAT.
No matter if tunneled through a VPN, a leased line or dialup connection.

Only pure IPsec with the old crypto map syntax is kind of restricted.

If you set up GRE tunnel interfaces with IPsec protection, you have
routable interfaces which can also be ip nat inside or ip nat outside.

--
ULi
 
 
Stephen
      04-10-2009
On Thu, 09 Apr 2009 18:49:41 -0400, ALeu <> wrote:

>Hi everybody,
>
>I was asking about the S2S VPN lately, but have a bit different question
>now. What are the industry standards / best practices to securely
>connect two company branches? I was thinking of a VPN connection, but it
>does not allow one to connect two identical subnets e.g. 10.11.12.0/24
>with 10.11.12.0/24. Is there a way to connect two offices via VPN and
>reduce or eliminate the possibility of subnet overlap?


You can bridge between the 2 sites, and maybe you can get that to work
over a VPN.

However - the real fix is to readdress 1 site.
Badly set up addressing is going to cause you all sorts of problems
down the line, so fix it now rather than try to patch up the side
effects.

>
>Thanks,
>AL

--
Regards

- replace xyz with ntl
 
 
tweety
      04-18-2009
On Apr 10, 11:41 am, Stephen <stephen_h...@xyzworld.com> wrote:
> On Thu, 09 Apr 2009 18:49:41 -0400, ALeu <a...@op.pl> wrote:
> >Hi everybody,

>
> >I was asking about the S2S VPN lately, but have a bit different question
> >now. What are the industry standards / best practices to securely
> >connect two company branches? I was thinking of a VPN connection, but it
> >does not allow one to connect two identical subnets e.g. 10.11.12.0/24
> >with 10.11.12.0/24. Is there a way to connect two offices via VPN and
> >reduce or eliminate the possibility of subnet overlap?

>
> you can bridge between the 2 sites, and maybe you can get that to work
> over a VPN.
>
> However - the real fix is to readdress 1 site.
> Badly set up addressing is going to cause you all sorts of problems
> down the line, so fix it now rather than try to patch up the side
> effects.
>
>
>
> >Thanks,
> >AL

>
> --
> Regards
>
> stephen_h...@xyzworld.com - replace xyz with ntl


Site A address 10.10.10.0/24, Server A 10.10.10.10, Site B 1.10.10.0/24

Could use DNS: when a host at site B sends traffic to Server A at site
A, the name server directs traffic to 172.21.1.10 via the DNS. This
then crosses the IPsec VPN. On arrival, do a network NAT statement
translating the 172.21.1.0/24 range to 10.10.10.0/24; this will then
be able to hit the server at 10.10.10.10.
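
An added example, not part of any post in this thread: a Python address-planning check that finds site LANs that overlap, assigns each clashing site its own alias prefix for 1:1 network NAT, and maps addresses between the real and alias ranges, as in the 172.21.1.0/24 to 10.10.10.0/24 translation described above. The site names, the 192.168.5.0/24 site and the 172.21.0.0/16 alias pool are assumptions made for illustration.

```python
import ipaddress

# Constructed sample data: two branches share 10.11.12.0/24 (the case from the
# first post); site_c and the alias pool are assumptions for this example.
SITES = {"site_a": "10.11.12.0/24", "site_b": "10.11.12.0/24",
         "site_c": "192.168.5.0/24"}
ALIAS_POOL = "172.21.0.0/16"

def find_overlaps(sites):
    """Return (name, name) pairs of sites whose LAN prefixes overlap."""
    nets = {n: ipaddress.ip_network(p) for n, p in sites.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]

def plan_aliases(sites, pool):
    """Map each clashing site to (real_prefix, alias_prefix).

    An alias has the same length as the real prefix and must not overlap any
    real site prefix or another alias, or routing would be ambiguous again.
    """
    taken = [ipaddress.ip_network(p) for p in sites.values()]
    plan = {}
    for name in sorted({s for pair in find_overlaps(sites) for s in pair}):
        real = ipaddress.ip_network(sites[name])
        for cand in ipaddress.ip_network(pool).subnets(new_prefix=real.prefixlen):
            if not any(cand.overlaps(t) for t in taken):
                plan[name] = (real, cand)
                taken.append(cand)
                break
        else:
            raise ValueError(f"alias pool {pool} exhausted for {name}")
    return plan

def translate(addr, src, dst):
    """1:1 network NAT: replace the prefix, keep the host bits unchanged."""
    addr = ipaddress.ip_address(addr)
    src, dst = ipaddress.ip_network(str(src)), ipaddress.ip_network(str(dst))
    if src.prefixlen != dst.prefixlen:
        raise ValueError("real and alias prefixes must be the same size")
    if addr not in src:
        raise ValueError(f"{addr} is outside {src}")
    return dst.network_address + (int(addr) - int(src.network_address))

if __name__ == "__main__":
    for site, (real, alias) in plan_aliases(SITES, ALIAS_POOL).items():
        print(f"{site}: {real} is presented to the other side as {alias}")
    print(translate("172.21.1.10", "172.21.1.0/24", "10.10.10.0/24"))
```

A DNS record published to the remote site would carry the alias address returned by `translate`, never the real one.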