Archived from groups: comp.security.firewalls
I need to create VPNs with several trading partners. I've encountered
a limitation of my SonicWALL Pro 200 in that only one destination
network can have a given network/subnet. For example, if both Trading
Partner A and Trading Partner B use 192.168.1.0/24 on their LAN
interface, then I will only be able to create the VPN to one of them.
I understand the basic issue--how would my firewall know which trading
partner LAN to send the traffic to. However, I can't very well ask my
trading partners to renumber their internal networks. SonicWALL's new
software called SonicOS can handle this situation, but it isn't
available for my model.
Does this situation exist for other firewall brands? Is there a
workaround? Are there other firewall appliances such as PIX geared to
small/mid-sized environments that don't have this limitation?
Coop wrote:
> I need to create VPNs with several trading partners. I've encountered
> a limitation of my SonicWALL Pro 200 in that only one destination
> network can have a given network/subnet. [...]
> Does this situation exist for other firewall brands?
It is a general problem. It has nothing to do with the device involved. It
is just the same as it is in any LAN or public network. In order to get the
routing functioning properly you need different subnets.
Wolfgang
--
A foreign body and a foreign mind
never welcome in the land of the blind
Peter Gabriel, Not one of us, 1980
In article <508609fe.0406092118.74e32933@posting.google.com>, dac56@hotmail.com says...
> I need to create VPNs with several trading partners. I've encountered
> a limitation of my SonicWALL Pro 200 in that only one destination
> network can have a given network/subnet. For example, if both Trading
> Partner A and Trading Partner B use 192.168.1.0/24 on their LAN
> interface, then I will only be able to create the VPN to one of them.
> I understand the basic issue--how would my firewall know which trading
> partner LAN to send the traffic to. However, I can't very well ask my
> trading partners to renumber their internal networks. SonicWALL's new
> software called SonicOS can handle this situation, but it isn't
> available for my model.
>
> Does this situation exist for other firewall brands? Is there a
> workaround? Are there other firewall appliances such as PIX geared to
> small/mid-sized environments that don't have this limitation?
It's a routing problem and you are going to have to ask them to change
their subnets or you won't be able to get around it.
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
On Thu, 10 Jun 2004 11:49:51 GMT, Leythos <void@nowhere.com> wrote:
>
>It's a routing problem and you are going to have to ask them to change
>their subnets or you won't be able to get around it.
>
Another idea would be to run NAT on the virtual interface created by
the tunnel. If I'm not mistaken, a Cisco router can do this.
"Coop" <dac56@hotmail.com> wrote in message
news:508609fe.0406092118.74e32933@posting.google.com...
> I need to create VPNs with several trading partners. I've encountered
> a limitation of my SonicWALL Pro 200 in that only one destination
> network can have a given network/subnet. For example, if both Trading
> Partner A and Trading Partner B use 192.168.1.0/24 on their LAN
> interface, then I will only be able to create the VPN to one of them.
> I understand the basic issue--how would my firewall know which trading
> partner LAN to send the traffic to. However, I can't very well ask my
> trading partners to renumber their internal networks. SonicWALL's new
> software called SonicOS can handle this situation, but it isn't
> available for my model.
>
> Does this situation exist for other firewall brands? Is there a
> workaround? Are there other firewall appliances such as PIX geared to
> small/mid-sized environments that don't have this limitation?
>
> Thanks for your advice.
NetScreen Firewall/VPN devices support VPNs between sites with overlapping
addresses. You create virtualized VPN tunnel "interfaces" for each of the
site-to-site VPN tunnels, and then you create MIPs (Mapped IPs) for each
tunnel interface that will translate addresses going in and out. It can even
work when >you< are on the same 192.168.1.x subnet just like, say, the other
5 sites you are tunneling to are. NetScreen devices can also support
multiple, configurable "virtual routers" which might also be useful in weird
routing scenarios.
shopping.nowthor.com wrote:
> On Thu, 10 Jun 2004 11:49:51 GMT, Leythos <void@nowhere.com> wrote:
>>
>>It's a routing problem and you are going to have to ask them to change
>>their subnets or you won't be able to get around it.
>>
>
> Another idea would be to run NAT on the virtual interface created by
> the tunnel.
Once you start to NAT an IPSec you run into problems.
Wolfgang
--
A foreign body and a foreign mind
never welcome in the land of the blind.
from 'Not one of us', (c) 1980 Peter Gabriel
On Thu, 10 Jun 2004 23:39:20 +0200, Wolfgang Kueter
<wolfgang@shconnect.de> wrote:
>
>shopping.nowthor.com wrote:
>
>> On Thu, 10 Jun 2004 11:49:51 GMT, Leythos <void@nowhere.com> wrote:
>>>
>>>It's a routing problem and you are going to have to ask them to change
>>>their subnets or you won't be able to get around it.
>>>
>>
>> Another idea would be to run NAT on the virtual interface created by
>> the tunnel.
>
>Once you start to NAT an IPSec you run into problems.
>
"shopping.nowthor.com" <nospam@shopping.nowthor.com> wrote in message
news:j2mhc0hks71mu5nbqanr1gkhvn0kqnuqdt@4ax.com...
> On Thu, 10 Jun 2004 23:39:20 +0200, Wolfgang Kueter
> <wolfgang@shconnect.de> wrote:
> >
> >shopping.nowthor.com wrote:
> >
> >> On Thu, 10 Jun 2004 11:49:51 GMT, Leythos <void@nowhere.com> wrote:
> >>>
> >>>It's a routing problem and you are going to have to ask them to change
> >>>their subnets or you won't be able to get around it.
> >>>
> >>
> >> Another idea would be to run NAT on the virtual interface created by
> >> the tunnel.
> >
> >Once you start to NAT an IPSec you run into problems.
> >
>
> The idea is to NAT before ESP/AH happens.
Precisely. NAT is only problematic when it occurs somewhere along the tunnel
path, not if it occurs before the VPN itself. I know that NetScreen devices
support VPNs between overlapping address ranges and I'm fairly certain some
of the other higher end VPN products do as well.
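As an added illustration, not from any poster and not vendor configuration, here is a small Python model of the address-mapping idea described in the NetScreen post above and in the "NAT before ESP/AH" reply: each tunnel gets its own mapped range on our side (10.1.1.0/24 and 10.1.2.0/24 are constructed values), so a route lookup on a partner's real 192.168.1.x address is ambiguous while a lookup on the mapped address selects exactly one tunnel, and the rewrite happens before encapsulation.

```python
import ipaddress

# Constructed example: both trading partners use 192.168.1.0/24 internally.
# Each tunnel gets its own mapped range on our side (the MIP idea from the
# NetScreen post); our hosts reach partner A as 10.1.1.x and partner B as
# 10.1.2.x.  The mapped ranges are assumptions, not from any vendor config.
TUNNELS = {
    "vpn-A": {"mapped": ipaddress.ip_network("10.1.1.0/24"),
              "real": ipaddress.ip_network("192.168.1.0/24")},
    "vpn-B": {"mapped": ipaddress.ip_network("10.1.2.0/24"),
              "real": ipaddress.ip_network("192.168.1.0/24")},
}


def select_tunnel_by_real_destination(dst):
    """Plain route lookup on the partner's real address: the limitation the
    original poster hit.  With overlapping ranges more than one tunnel matches."""
    addr = ipaddress.ip_address(dst)
    matches = [name for name, t in TUNNELS.items() if addr in t["real"]]
    if len(matches) != 1:
        raise ValueError(f"ambiguous destination {dst}: matches {matches}")
    return matches[0]


def translate_outbound(dst):
    """NAT before ESP/AH: pick the tunnel from the mapped address, then
    rewrite the destination to the partner's real address before the
    packet is encapsulated.  Returns (tunnel name, real destination)."""
    addr = ipaddress.ip_address(dst)
    for name, t in TUNNELS.items():
        if addr in t["mapped"]:
            offset = int(addr) - int(t["mapped"].network_address)
            return name, str(t["real"].network_address + offset)
    raise ValueError(f"no tunnel mapping for {dst}")


def translate_inbound(tunnel, src):
    """Reverse 1:1 mapping for decapsulated replies: the tunnel the packet
    arrived on, not the overlapping source address, identifies the partner."""
    t = TUNNELS[tunnel]
    addr = ipaddress.ip_address(src)
    if addr not in t["real"]:
        raise ValueError(f"{src} is not in the remote range of {tunnel}")
    offset = int(addr) - int(t["real"].network_address)
    return str(t["mapped"].network_address + offset)
```

The rewrite only works because it is applied to the cleartext packet before the IPsec policy sees it; translating addresses after encapsulation would break AH integrity and ESP tunnel selection, which is the problem Wolfgang points out.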