[Seattle-SAGE] VPN connections from possibly overlapping networks

Atom Powers atom.powers at gmail.com
Wed May 4 09:03:26 PDT 2005


If you are going to change your address space, which is a good idea, I
recommend researching the RFC 1918 addresses a bit more. Here is an
analysis I just found on RFC 1918 activity on the root name servers.

http://www.caida.org/~broido/dns/rfc1918.html

Of particular interest may be the chart about a third of the way down
detailing which addresses are trying to update their DNS. If I were to
readdress my network I'd look at the chart and pick an address range
that appears to be unused.

On 5/4/05, Lee Damon <nomad at castle.org> wrote:
> How hard would it be for you to renumber?  You'll find other problems with
> using the lowest numbered network - everything tends to default to it
> and this can cause issues if someone wanders in with a badly behaved
> SOHO device, for example.
> 
> I'd strongly urge you to move to something well above 192.168.xx.0/24.
> Perhaps a nice 192.168.113.0/24?
> 
> > Howdy!
> >
> > I just ran into another problem in Sysadmin-land.  Having conquered the
> > dragon of Exchange and set myself up as ruler of my new Exim4/Cyrus castle
> > (yeah, I know, shoulda used postfix -- I'll fix that eventually), I find
> > myself facing a dragon once again:  How to allow my roadwarrior knights in
> > shining armor to connect through our VPN from their internet cafes in
> > Paris, when those internet cafes use the same RFC 1918 private network as
> > I do.  (That would be the unfortunately common 192.168.0.0/24 private
> > network.)
> >
> > So, I don't trust PPTP (MPPE, in particular), and have decided upon L2TP
> > over IPSec as my VPN lance of choice.  After 8 months of scattered,
> > interrupted, pockmarked, and otherwise gruelling effort, the VPN finally
> > works as intended -- it even uses our universal (LDAPv3) usernames and
> > passwords for authentication (don't ask how unless you REALLY want to
> > know).  I'm connected to it right now, actually, and everything is dandy,
> > because for some reason I set my home network to the slightly non-standard
> > network of 192.168.1.0/24 (I was young and inexperienced ...  and didn't
> > know that 192.168.0.0/24 was a valid network).
> >
> > Then I head to Trabant, my favorite internet cafe and chai lounge, and I
> > can connect to the VPN perfectly (IPSec connection is made, L2TP tunnel
> > created, and PPP session established) but exactly ZERO traffic passes
> > through it.  A little investigation reveals that this is because all
> > traffic destined for my company network is considered to be on the local
> > network, and just shunted out the local interface ... and not through the
> > VPN connection.  Of course, this is because Trabant uses the same network
> > as my company, 192.168.0.0/24.  When connecting from a non-overlapping
> > network, the default route is used for the remote network, and the default
> > route goes through the VPN.  When connecting from an overlapping network,
> > the local subnet route overrides the default route, and the VPN doesn't
> > get touched.
> >
> > Now, the owner of Trabant is actually quite rad, and offered to change the
> > netblock he uses so I wouldn't have this problem while telecommuting from
> > his store, sipping his merchandise while I should be in the office -- but
> > this doesn't solve my larger problem:  My users won't have a clue what's
> > going on, won't WANT a clue what's going on, and will complain at me when
> > it doesn't work from their particular location, and they'll complain
> > especially loudly when they have to call me from Romania (to list the
> > current location of some of our employees) to do this complaining.
> >
> > My query is this:  Short of renumbering my company's internal network to
> > something slightly less standard, is there a way to get this to work?
> >
> > I've considered this for a bit, and I have a solution that will work, but
> > it has to be implemented on the client side, in the VPN client and OS.  I
> > don't want split tunneling (when the machine is connected to the VPN, I
> > want ALL traffic going through that VPN), so if there's a way to make the
> > VPN connection used for everything *except* the VPN traffic itself, that
> > would work splendidly.  This would be akin to using a proxy server for all
> > traffic except proxy traffic itself (*including* local traffic), which I
> > know can be done.  However, I need a way of telling the routing code of
> > the OS to do exactly that.  How?  I have no earthly idea.
> >
> > Cheers!
> > -robin
> >
> > P.S. before anyone brings it up, the VPN server is not behind a NAT (it's
> > the gateway box itself), and WinXP SP2 changed nothing for my setup.
> >
> > --
> >
> >                               Robin  Battey
> >                             zanfur at zanfur.com
> >
> > Messages from this address are signed with key 0x6A57B07D.  Fingerprint:
> >            3914 F63C A99C 8EC1 785B  8287 1D8B D2F3 6A57 B07D
> >
> 
> nomad
>  -----------                       - Lee "nomad" Damon -          \
> play: nomad at castle.org    or castle!nomad                          \
> work: nomad at ee.washington.edu                                       \
>                                                                     /\
> Seneschal, Castle PAUS.                                            /  \
>                 "Celebrate Diversity"                             /    \
> 


-- 
--
Perfection is just a word I use occasionally with mustard.
--Atom Powers--
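
The routing behaviour described in the quoted message, as an added example that is not part of the original thread: a longest-prefix-match lookup over a simplified client routing table, showing why a connected local subnet that overlaps the office network wins over the VPN default route. The interface names (`eth0`, `ppp0`), the office host `192.168.0.10` and the helper names are assumptions made for illustration.

```python
import ipaddress

def client_routes(local_lan):
    """Simplified table of a VPN client without split tunneling:
    the connected LAN route plus a default route through the tunnel.
    eth0/ppp0 are assumed names; the host route to the VPN server is omitted."""
    return [(local_lan, "eth0"), ("0.0.0.0/0", "ppp0")]

def pick_route(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    candidates = []
    for net, iface in routes:
        network = ipaddress.ip_network(net)
        if addr in network:
            candidates.append((network, iface))
    return max(candidates, key=lambda r: r[0].prefixlen)

def egress_interface(local_lan, dst):
    """Interface the client would use to reach dst from the given LAN."""
    return pick_route(client_routes(local_lan), dst)[1]

def shadowed(office_net, local_lan):
    """True when the client's LAN overlaps the office network, so some
    or all office addresses are routed locally instead of via the VPN."""
    office = ipaddress.ip_network(office_net)
    return office.overlaps(ipaddress.ip_network(local_lan))

if __name__ == "__main__":
    office_host = "192.168.0.10"          # constructed office address
    cases = [
        ("home", "192.168.1.0/24"),       # non-overlapping LAN from the thread
        ("cafe", "192.168.0.0/24"),       # same network as the office
    ]
    for name, lan in cases:
        print(name, lan,
              "shadowed" if shadowed("192.168.0.0/24", lan) else "ok",
              "->", egress_interface(lan, office_host))
    # After renumbering the office to the 192.168.113.0/24 suggested above,
    # the same cafe LAN no longer captures office traffic.
    print("renumbered ->", egress_interface("192.168.0.0/24", "192.168.113.10"))
```

The `shadowed` check also flags partial overlaps, such as a client LAN configured as 192.168.0.0/16, which captures any office range inside 192.168.0.0/16 the same way.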


