新足迹

Views: 1707 | Replies: 12

Discussion: what do you do when the client address ranges on both ends of a VPN are the same?

Posted 2012-6-14 17:16 by 商务车
This post was written or reposted by 商务车 and does not represent the position or views of this site; copyright belongs to oursteps.com.au and the author 商务车. Reposts must credit the author and the source, include this notice, and keep the content intact.
If the client address ranges on both ends of a VPN are the same, how do you build the VPN? For example, both companies use the address range 192.168.2.x/24. If you build a VPN in that situation, how do you solve this problem?


btw, 夜游神, I remember Juniper has a solution for this, but don't tell me you'll only say if I pay you...

[This post was last edited by 商务车 on 2012-6-14 16:17]

Posted 2012-6-14 17:18 by 夜游神
Oh come on, just do double NAT on both ends~~~
This has nothing to do with which vendor's equipment you use.

Overlapping LAN layer 3 addressing at both ends can be fixed by double NAT~~~ That is the best practice. Also, it has nothing to do with the link type between the two sites; it can be any kind of link.


Do My Best!! Make the dream real, go to the farthest reach of the sea!!!!!

Posted 2012-6-14 17:29 by 商务车
How do you do double NAT? I googled it, and double NAT refers to two devices in one network both doing NAT at the same time, which does not seem to solve the problem between two separate sites.

Posted 2012-6-14 17:44 by 夜游神
That's not how you Google it.
Customer A LAN: 192.168.2.0/24
Customer A WAN/Internet routable: 203.202.101.0/24

Customer B LAN: 192.168.2.0/24
Customer B WAN/Internet routable: 123.231.101.0/24

If it is a private WAN (not a logical secured tunnel over the Internet):
Customer Gateway A:
For traffic outbound from A ==> B: source NAT is required; the NAT pool is simply the WAN/Internet routable range
For traffic incoming from B ==> A: destination NAT is required; the NAT pool can be the LAN range or a private range you define yourself (source NAT optional)

Customer Gateway B:
For traffic outbound from B ==> A: source NAT is required; the NAT pool is simply the WAN/Internet routable range
For traffic incoming from A ==> B: destination NAT is required; the NAT pool can be the LAN range or a private range you define yourself (source NAT optional)

If it is IPsec or GRE over IPsec:
Customer A:
For traffic outbound from A ==> B: source NAT and destination NAT are required
For traffic incoming from B ==> A: destination NAT is required; source NAT optional

Customer B:
For traffic outbound from B ==> A: source NAT and destination NAT are required
For traffic incoming from A ==> B: destination NAT is required; source NAT optional


Posted 2012-6-14 18:03 by 商务车
Boss, with that level of skill why are you still sitting the CCIE? You could already be getting at least 150k a year.

Posted 2012-6-14 18:04 by 夜游神
I only know NAT~~ I don't really understand anything else~~~ only NAT~~ can that get 150k a year???
Hire me right now, quick~~~

Posted 2012-6-14 20:44 by superblue
Easy... NAT one end first and then encrypt. Go and check the order of operations of the device you use: NAT comes before the VPN tunnel.

I use Cisco IOS-XE; plain IOS should work too.

[This post was last edited by superblue on 2012-6-14 19:48]

Posted 2012-6-14 23:27 by richsea
Because both networks use the same internal IP addressing, it is not possible to simply build a tunnel between the two sites. However, if the tunnel endpoints on both sides are Juniper services routers, it is possible to configure a tunnel between these sites with an advanced configuration using NAT. It is important to understand this basic routing dilemma. If a host is attached to a network, say 10.0.0.0/24, and the other device on the remote end is attached to a network using the same IP address subnet, it is not possible to build a tunnel and route the traffic to the other device without some sort of address translation. This is because all packets are routed based on the destination IP address. Before routing occurs, a determination must be made as to whether the destination IP is on the same (local) network or not. If the destination IP is on the same network, say 10.0.0.10, the destination device is found using Address Resolution Protocol (ARP). However, if the destination IP resides on a different network, the packet is sent to the next-hop router based on the device's routing table. Because both the local and remote networks share the same IP addressing scheme, the packets will be handled locally and never route to the VPN tunnel. To work around this, we can perform static NAT on the source IP and destination IP of all traffic destined for the remote network at the other end of the tunnel. For this reason, a route-based approach to IPsec VPNs makes sense, because the creation of a "virtual" network interface on each services router by way of a "secure tunnel" or "st0" interface is required. It is important to note that in this case both source and destination addresses are translated as the packet traverses the VPN tunnel to the end host. Thus the services routers at each end of the tunnel must contact each other using a newly created IP network.

Juniper's approach:

http://www.juniper.net/techpubs/ ... es-configuring.html

[This post was last edited by richsea on 2012-6-24 17:38]
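To make the per-direction NAT list in 夜游神's reply, superblue's order-of-operations point and the local-versus-routed decision in the text richsea quotes concrete, here is an added example in Python. It is not part of the thread and not code from Juniper, Cisco or any vendor: it models two site gateways, each holding one static 1:1 network mapping (a "netmap") between its real LAN 192.168.2.0/24 and an alias range, and runs a request and its reply through both gateways in the IPsec case (source NAT, then crypto ACL, on the way out; decrypt, then destination NAT, on the way in). The alias ranges 172.16.1.0/24 for site A and 172.16.2.0/24 for site B, the host addresses, and every class and function name are assumptions chosen for the example.

```python
"""Model of the twice-NAT ("double NAT") design for an IPsec tunnel between two
sites that both use 192.168.2.0/24.

Added example for this thread; not code from the original posts or from any
vendor document. It models packet handling, it configures nothing.

Assumed design (alias ranges chosen for the example):
  site A LAN 192.168.2.0/24 is presented to site B as 172.16.1.0/24
  site B LAN 192.168.2.0/24 is presented to site A as 172.16.2.0/24
Each gateway holds one static, bidirectional 1:1 network mapping (LAN <-> alias).
Outbound: source NAT first, then the crypto ACL match ("NAT before VPN").
Inbound: decrypt first, then destination NAT. Hosts address the remote site
by its alias range, never by the (locally duplicated) real range.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

IPv4Address = ipaddress.IPv4Address
IPv4Network = ipaddress.IPv4Network


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


def host_next_hop(host_net: IPv4Network, dst: IPv4Address) -> str:
    """The host's routing decision: an on-link destination is resolved with ARP
    locally; only an off-link destination is sent to the default gateway."""
    return "arp-local" if dst in host_net else "default-gateway"


class Gateway:
    """Site gateway with one static 1:1 network mapping and a crypto ACL."""

    def __init__(self, name: str, lan: IPv4Network, alias: IPv4Network,
                 remote_alias: IPv4Network) -> None:
        if lan.prefixlen != alias.prefixlen:
            raise ValueError("1:1 network NAT needs equal-sized prefixes")
        self.name, self.lan, self.alias, self.remote_alias = name, lan, alias, remote_alias

    @staticmethod
    def _netmap(addr: IPv4Address, src_net: IPv4Network, dst_net: IPv4Network) -> IPv4Address:
        # Keep the host part, swap the network part (static "network" NAT).
        host_part = int(addr) - int(src_net.network_address)
        return IPv4Address(int(dst_net.network_address) + host_part)

    def crypto_acl_permits(self, pkt: Packet) -> bool:
        # Interesting traffic is alias-to-alias only; a packet still carrying a
        # real LAN address (i.e. NAT was skipped) never enters the tunnel.
        return pkt.src in self.alias and pkt.dst in self.remote_alias

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> tunnel: source NAT, then crypto ACL. Returns the packet as the
        peer sees it after decryption (ESP itself is not modelled)."""
        if pkt.src not in self.lan or pkt.dst not in self.remote_alias:
            raise ValueError(f"{self.name}: not tunnel-bound: {pkt}")
        translated = Packet(self._netmap(pkt.src, self.lan, self.alias), pkt.dst)
        if not self.crypto_acl_permits(translated):
            raise ValueError(f"{self.name}: crypto ACL rejects {translated}")
        return translated

    def inbound(self, pkt: Packet) -> Packet:
        """tunnel -> LAN: decrypt (mirror ACL check), then destination NAT. The
        source keeps the remote alias, so the reply routes back into the tunnel."""
        if not self.crypto_acl_permits(Packet(pkt.dst, pkt.src)):
            raise ValueError(f"{self.name}: unexpected tunnel packet {pkt}")
        return Packet(pkt.src, self._netmap(pkt.dst, self.alias, self.lan))


def deliver(src_gw: Gateway, dst_gw: Gateway, pkt: Packet) -> Packet:
    """Run one packet through both gateways; return what the far host receives."""
    return dst_gw.inbound(src_gw.outbound(pkt))


def round_trip() -> dict[str, object]:
    lan = IPv4Network("192.168.2.0/24")      # identical at both sites
    a_alias = IPv4Network("172.16.1.0/24")   # assumed alias for site A
    b_alias = IPv4Network("172.16.2.0/24")   # assumed alias for site B
    gw_a = Gateway("GW-A", lan, a_alias, b_alias)
    gw_b = Gateway("GW-B", lan, b_alias, a_alias)

    host_a = IPv4Address("192.168.2.10")
    host_b = IPv4Address("192.168.2.20")
    # Host A must address host B by its alias: 192.168.2.20 is on-link at A.
    request = Packet(host_a, IPv4Address("172.16.2.20"))
    seen_by_b = deliver(gw_a, gw_b, request)
    reply = Packet(host_b, seen_by_b.src)     # B answers the alias it saw
    seen_by_a = deliver(gw_b, gw_a, reply)
    return {
        "naive_next_hop": host_next_hop(lan, host_b),       # arp-local: never reaches GW-A
        "aliased_next_hop": host_next_hop(lan, request.dst),
        "request_at_b": (str(seen_by_b.src), str(seen_by_b.dst)),
        "reply_at_a": (str(seen_by_a.src), str(seen_by_a.dst)),
    }


if __name__ == "__main__":
    for key, value in round_trip().items():
        print(f"{key}: {value}")
```

Run it directly to print what each host sees: B receives the request from 172.16.1.10 addressed to its real 192.168.2.20, and A receives the reply from 172.16.2.20 addressed to its real 192.168.2.10, while a packet that skips the source NAT fails the crypto ACL and never enters the tunnel. The real-world counterparts are the two documents linked in this thread: on Cisco IOS a static network translation (`ip nat inside source static network ...`) with the crypto ACL matching the translated ranges, and on Juniper the static source and destination NAT on the route-based st0 tunnel. The private-WAN variant in 夜游神's reply, where the outbound source NAT pool is the routable WAN range and there is no crypto ACL, is not modelled here.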

Posted 2012-6-16 00:48 by 墨市开心
Since it's one company, who planned the IP addresses? That's ridiculous. Why on earth would the addresses be the same? Change the addresses and redesign it.

Posted 2012-6-16 00:55 by bulaohu
Even a layman like me knows it's NAT twice; I couldn't do the details though.

To the poster above: this situation mostly happens after an acquisition/merger, especially when company A's network admin was once company B's network admin as well.

Posted 2012-6-16 14:47 by 商务车
Originally posted by bulaohu on 2012-6-15 23:55:
    Even a layman like me knows it's NAT twice; I couldn't do the details though.

    To the poster above: this situation mostly happens after an acquisition/merger, especially when company A's network admin was once company B's network admin as well.

Two companies merged; before the merger all of their internal addresses were the same.

Posted 2012-6-26 09:34 by lingyang
Cisco's site has a sample document:
IPsec Between Two IOS Routers with Overlapping Private Networks Configuration Example
http://www.cisco.com/en/US/produ ... 86a0080a0ece4.shtml
