VPN IP Range Question

TwiceSliced

Trying to get a basic VPN set up from an SBS 2003 machine. Everything works, but there's a catch; my predecessor designed the network to use 192.168.1.x as the internal IP range, which causes a problem if the client's home network is also on that range (a.k.a. if the client is using any consumer Linksys/Cisco router's default settings). Since having clients using that range reconfigure their home networks is too much of a hassle and re-addressing the entire network is a little overwhelming at the moment, might anyone be able to suggest a work-around?

At the very least, I want to connect to the server and access shared folders. If the remote network's IP range is anything other than 192.168.1.x, I can just go to \\192.168.1.x\NameOfSharedResource\ and all is well. If the remote network's IP range is 192.168.1.x, then \\192.168.1.x\NameOfSharedResource\ doesn't work.

I'd like to be able to implement a workaround on the server side.

Or...

The only reason I'm doing this is because our executive director's laptop was recently formatted and Windows XP was installed using a disc with SP3 slipstreamed onto it, effectively breaking Microsoft's Remote Web Workplace. I've tried a number of workarounds for that problem, but they all assume that RWW was accessed prior to the installation of SP3. Such workarounds do not seem to solve the problem if SP3 has been slipstreamed into the installer. Any bright ideas?

Thanks.
 

Crusty

If you're handing out routers to send home with clients to use to connect to work with a VPN just pre-configure them with the correct network ranges before it leaves the office.

If you're using the Cisco/Windows VPN clients then it doesn't matter what local range their computer is using because the client will create a new network interface and assign it an IP your VPN endpoint assigns it.

If you're relying on the clients to configure the VPN tunnel on their end then require them to use a registered IP address for the endpoint and traffic, that will eliminate the problem with overlapping remote networks.
 

RebateMonger

This is a common mistake made by those who've never installed SBS before. You have to work to get it wrong, since the SBS Install Wizard suggests 192.168.16.xxx. I use a different IP range for every SBS install.

DON'T change the IP range for the SBS network manually!!!!! You'll thoroughly mess up the entire SBS install. Use the Wizard in SBS to "Change Server IP Address". It's located in the "Manage Internet and E-Mail" section. It takes a minute or so if you do it with the Wizard. And hours to fix if you do it manually. You'll have to manually reconfigure any printers or other devices with static IP addresses.

You can, of course, change the IP range of the home IP network, too. But you'll have the problem again with the next remote VPN client.
 

TwiceSliced

Originally posted by: Crusty
"If you're handing out routers to send home with clients to use to connect to work with a VPN just pre-configure them with the correct network ranges before it leaves the office."
I am not handing out routers.

Originally posted by: Crusty
"If you're using the Cisco/Windows VPN clients then it doesn't matter what local range their computer is using because the client will create a new network interface and assign it an IP your VPN endpoint assigns it."
What do you mean by Windows VPN client? I'm using Windows XP's built-in VPN connection wizard. It gets a new IP from the server, but because the ranges of both the client and server networks are 192.168.1.x, the client can't seem to access server resources. This is the problem I'm trying to remedy.

Originally posted by: Crusty
"If you're relying on the clients to configure the VPN tunnel on their end then require them to use a registered IP address for the endpoint and traffic, that will eliminate the problem with overlapping remote networks."
Can you explain what you mean by registered IP address, and how I would be able to leverage that? Also, what if the client doesn't have a static IP address?

Originally posted by: RebateMonger
"This is a common mistake made by those who've never installed SBS before."
Ergh, I know... As I already mentioned, I was hired to clean up someone else's mess.

Again, I'd like to avoid changing the IP range of our network because manually reconfiguring all of the printers 'n firewall hardware 'n such would be a huge hassle at this point, and we need to be running from 5:30am to 10:00pm, seven days a week.
 

bobdole369

"I'd like to be able to implement a workaround on the server side."

Change your entire corporate network's IP scheme. It sucks. How many offices, servers, CPUs are you talking about? DHCP???

Use something off the wall like I did - 192.168.112.0/21. Or you could even use 192.168.1.0/23, which would effectively tell the NICs to use the gateway like they are supposed to instead of trying to connect locally, if you have a bunch of hard-wired IPs in applications and whatnot to change.

"Again, I'd like to avoid changing the IP range of our network because manually reconfiguring all of the printers 'n firewall hardware 'n such would be a huge hassle at this point, and we need to be running from 5:30am to 10:00pm, seven days a week."

Whoops, missed this bit, and I seem to remember this thread........

It's the most appropriate fix to the problem. It also likely involves the most work, and the most problems come Monday.
 

TwiceSliced

Originally posted by: bobdole369
"Whoops, missed this bit, and I seem to remember this thread........

It's the most appropriate fix to the problem. It also likely involves the most work, and the most problems come Monday."
Exactly. I was just hoping that there would be some kind of DNS workaround, or a way to translate/spoof IP addresses... Guess not :(

And yeah, I've recently started similar threads at HardOCP and other such sites, so you may have seen it elsewhere before.

 

kevnich2

This is why you don't implement 192.168.1.0 or 192.168.0.0 IP address schemes for business networks. The best way will be to change your corporate IP address scheme and while you're doing that, change your printers and other devices to DHCP and tell the SBS server to assign it the same IP address every time, makes problems like this very easy to fix.
 

Fardringle

192.168.0.0 doesn't necessarily work for situations like this, though, since several manufacturers default their consumer routers to 192.168.0.1. I prefer 172.16.x.x or 10.x.x.x since I've never seen a router that defaults to those so it's highly unlikely that there will be a conflict with home users on VPN.
 

RebateMonger

Originally posted by: Fardringle
"I prefer 172.16.x.x or 10.x.x.x since I've never seen a router that defaults to those so it's highly unlikely that there will be a conflict with home users on VPN."
The old Cisco 675 and 678 DSL modem/routers defaulted to 10.10.x.x/32 and were used by many DSL ISPs. But those aren't made anymore.
 

Mogadon

I've come across some present day Comcast branded routers that use 10.1.10.1 as their default IP, I'm not sure of the precise model.
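
An added example, not written by anyone in this thread: a Python check of candidate office ranges against the home-router defaults mentioned in the posts above, plus a simplified model of why a share at 192.168.1.x is unreachable from a home LAN on the same range. The /24 masks on the home LANs, the label strings and the function names are assumptions made for the illustration.

```python
import ipaddress

# Home-router default LANs named in the thread. The /24 masks are an
# assumption; the posts give only address patterns or a gateway IP.
THREAD_DEFAULTS = {
    "Linksys/Cisco consumer default": "192.168.1.0/24",
    "other consumer routers (192.168.0.1)": "192.168.0.0/24",
    "Comcast-branded router (10.1.10.1)": "10.1.10.0/24",
}

def conflicts(office_lan, home_lans=THREAD_DEFAULTS):
    """Return the labels of home LANs whose range overlaps the office LAN."""
    office = ipaddress.ip_network(office_lan)
    return [label for label, cidr in home_lans.items()
            if office.overlaps(ipaddress.ip_network(cidr))]

def stays_local(destination, home_lan):
    """Simplified model: a destination inside the client's own subnet is
    treated as on-link, so the packet goes to the home LAN, not the tunnel."""
    return ipaddress.ip_address(destination) in ipaddress.ip_network(home_lan)

def usable_candidates(candidates, home_lans=THREAD_DEFAULTS):
    """Keep only the office ranges that collide with none of the home LANs."""
    return [c for c in candidates if not conflicts(c, home_lans)]

if __name__ == "__main__":
    # Candidate office ranges taken from the posts: the current range, the
    # SBS wizard's suggestion, bobdole369's /21, and the 172.16/10 blocks.
    candidates = ["192.168.1.0/24", "192.168.16.0/24", "192.168.112.0/21",
                  "172.16.0.0/16", "10.0.0.0/8"]
    for cidr in candidates:
        hits = conflicts(cidr)
        print(f"{cidr:18} {'CONFLICT: ' + ', '.join(hits) if hits else 'ok'}")
    # Constructed addresses: a file server at .10 on the old and new range.
    print(stays_local("192.168.1.10", "192.168.1.0/24"))   # never reaches VPN
    print(stays_local("192.168.16.10", "192.168.1.0/24"))  # routed to tunnel
```

Using all of 10.0.0.0/8 for the office collides with the 10.1.10.1 default, so a narrower block inside 10.x.x.x or 172.16.x.x is what avoids the defaults listed here.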