Network overlap?

altaf007 · ‎08-10-2003

I have 3015 concentrator at HQS and 3002 hardware client at site. We are using 124.15.202.202/16 at concentrator private interfce and 124.15.11.200/16 to hardware client private side.I am running network extension mode on hardware client. My tunnel comes up but i can not ping any thing at HQS private side which is 124.15.x.x/16. When i changed my address scheme at site to 123.x.x.x/16, i am able to ping HQS devices and browse HQS intranet. It works with any address but 124.15.x.x/16. Any idea why i am not able to browse or ping anything at HQS side if i use 124.15.x.x/16 or 24 or etc subnet at site. Thanks

mostiguy · ‎08-10-2003

When you use 124.15.202.202/16 and 124.15.11.200/16 on netblocks on ends of the same vpn tunnel, you are using the same ip netspace in both locations - 124.15.x.x/16. Nothing will travel through the tunnel because all machines will think that all hosts numbered 124.15.x.x/16 are on the local subnet/network, and thus never hit the vpn device.

altaf007 · ‎08-11-2003

I even used different netmask at hardware client private interface side but it still did not work. I used /24 at hardware client. Thanks

mostiguy · ‎08-11-2003

Yes, but that doesn't matter. If you did not change anything on the HQ side, then all hosts there would continue to think that all hosts in the netblock are directly reachable, and thus those packets will not be sent to the default gateway:

1.2.0.0/16

1.2.0.1 is the default gateway. it has a route to the vpn device making the point to point ipsec tunnel.

1.2.0.2 is a server at HQ.

even if you use 1.2.10.0/24 at the remote site, server 1.2.0.2 will think all hosts in that block are directly accessible as a result of *its* subnet mask being /16 (255.255.0.0), and thus will not send packets for them (1.2.10.0/24)to the default gateway.