
I want to ping from a computer located in SITE C to computers in SITE A and SITE B within the topology.

One of my biggest challenges here is determining how to establish an overlay network over the WAN.

Another challenge is that the network infrastructures in SITE A and SITE B share the same IP blocks, and I cannot change them. For example, when I want to access the computer in SITE A and ping 192.168.1.100, the same IP exists in SITE B. How can I configure this network without causing any IP conflicts? What VPN technologies can I use to overcome these problems?

              SITE A                      SITE B
               [PC]                        [PC]
          192.168.1.0/24              192.168.1.0/24
                |                           |
             [Router]                    [Router]
                |                           |
          192.168.2.0/24              192.168.2.0/24
                |                           |
             [Router]                    [Router]
                |                           |
          172.16.11.0/24              172.12.12.0/24
                 \                         /
                  \                       /
                   \       [ WAN ]       /
                    \___________________/
                             |
                      172.11.10.0/24
                             |
                        [Router C]
                             |
                      192.168.3.0/24
                             |
                            [PC]
                           SITE C

2 Answers


One of my biggest challenges here is determining how to establish an overlay network over the WAN.

Your three sites will need a total of three tunnels between them. A full mesh with n nodes requires n * (n-1) / 2 links. You could get away with two, but then one site would need to relay between the unconnected sites.

Another challenge is that the network infrastructures in SITE A and SITE B share the same IP blocks, and I cannot change them.

Using NAT to make ambiguous addressing work is a PITA, so I'd reconsider. While you're at it, 172.11.10.0/24 and 172.12.12.0/24 are not private - check RFC 1918.

If you do want to use NAT, the basic scheme is this:

  • you use an alias subnet to address any remote subnet with conflicting addresses, e.g.
    • 192.168.201.0/24 for site A/192.168.1.0
    • 192.168.202.0/24 for site A/192.168.2.0
    • 192.168.211.0/24 for site B/192.168.1.0
    • 192.168.212.0/24 for site B/192.168.2.0
  • on site A's VPN router, you destination NAT ingress from the tunnels: 192.168.201.x to 192.168.1.x
  • also on A's VPN router, you source NAT egress into the tunnels: 192.168.1.x to 192.168.201.x

and so on, until all conflicting addresses are translated and hidden away from the conflicting subnets. All translations should be static, 1:1. No need for a stateful NAT table.
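The static 1:1 scheme above, modelled as an added example (this is not code from the answer or from any vendor's configuration). It keeps the answer's alias prefixes, shows what site A's and site B's VPN routers do on ingress (destination rewrite) and egress (source rewrite), checks that the alias prefixes collide with nothing real in the topology, and emits the equivalent Linux iptables NETMAP rules. The Linux router, the tunnel interface name `wg0`, and the rule text are this example's assumptions; Router C needs no NAT at all, only routes for the alias prefixes pointing into the right tunnel.

```python
"""Static 1:1 NAT (NETMAP-style) for overlapping site prefixes.

Added example modelling the answer's scheme: each conflicting remote subnet is
reached through an alias prefix, and the site's VPN router rewrites the
destination on ingress from the tunnel and the source on egress into it.
The mapping is stateless, so no connection table is needed in either direction.
"""
import ipaddress

# Alias prefix -> real prefix at that site (values taken from the answer).
ALIASES = {
    "A": {"192.168.201.0/24": "192.168.1.0/24", "192.168.202.0/24": "192.168.2.0/24"},
    "B": {"192.168.211.0/24": "192.168.1.0/24", "192.168.212.0/24": "192.168.2.0/24"},
}


def netmap(addr, src_prefix, dst_prefix):
    """Move addr from src_prefix into dst_prefix, keeping the host bits (1:1, stateless)."""
    src = ipaddress.ip_network(src_prefix)
    dst = ipaddress.ip_network(dst_prefix)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("a 1:1 NETMAP needs equal prefix lengths")
    ip = ipaddress.ip_address(addr)
    if ip not in src:
        raise ValueError(f"{ip} is not inside {src}")
    host_bits = int(ip) & int(src.hostmask)
    return str(ipaddress.ip_address(int(dst.network_address) | host_bits))


def ingress_dnat(site, dst):
    """Site router, packet arriving from a tunnel: alias destination -> real destination.
    Runs before routing, so the router forwards on the real address."""
    for alias, real in ALIASES[site].items():
        if ipaddress.ip_address(dst) in ipaddress.ip_network(alias):
            return netmap(dst, alias, real)
    return dst  # not an aliased destination (e.g. site C's own prefix): untouched


def egress_snat(site, src):
    """Site router, packet leaving into a tunnel: real source -> alias source."""
    for alias, real in ALIASES[site].items():
        if ipaddress.ip_address(src) in ipaddress.ip_network(real):
            return netmap(src, real, alias)
    return src


def check_no_overlap(real_prefixes):
    """True only if no alias prefix overlaps any prefix actually in use anywhere."""
    real = [ipaddress.ip_network(p) for p in real_prefixes]
    for site_aliases in ALIASES.values():
        for alias in site_aliases:
            if any(ipaddress.ip_network(alias).overlaps(r) for r in real):
                return False
    return True


def iptables_rules(site, tunnel_if="wg0"):
    """iptables NETMAP rules for one site's VPN router.
    Assumes a Linux router; 'wg0' is a hypothetical tunnel interface name."""
    rules = []
    for alias, real in ALIASES[site].items():
        rules.append(f"iptables -t nat -A PREROUTING -i {tunnel_if} -d {alias} -j NETMAP --to {real}")
        rules.append(f"iptables -t nat -A POSTROUTING -o {tunnel_if} -s {real} -j NETMAP --to {alias}")
    return rules


if __name__ == "__main__":
    # Constructed topology prefixes from the question, used for the collision check.
    in_use = ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24",
              "172.16.11.0/24", "172.12.12.0/24", "172.11.10.0/24"]
    print("alias prefixes collide with nothing:", check_no_overlap(in_use))
    # From site C, the two hosts that both answer to 192.168.1.100 are now distinct.
    print("A:", ingress_dnat("A", "192.168.201.100"), " B:", ingress_dnat("B", "192.168.211.100"))
    # The reply from site A's host leaves the tunnel with the alias source, so site C
    # sees 192.168.201.100 answering, not an ambiguous 192.168.1.100.
    print("reply source:", egress_snat("A", "192.168.1.100"))
    print("\n".join(iptables_rules("A")))
```

Run `check_no_overlap` with every prefix in the topology, including the WAN links, before picking alias ranges; the example's choice of 192.168.201.0/24 and friends is only safe because nothing else in the diagram uses them.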


VPN can use Network Address Translation to overcome that design problem.

Here is an example.

  • Thank you. I will review the page, but I am thinking about where to configure the VPN in this scenario. I do not have direct access from Site C to the networks (192.168.2.0 and 192.168.1.0) at Site A and B. I need to set up an overlay network, but I am stuck on how to proceed. Commented Dec 4, 2024 at 16:06
  • You configure the VPN on whatever device you have access to which will have the ability to host the VPN. The specifics depend on the equipment and actual networks involved. I see no need for any kind of overlay network if you just want to set up VPN connections. If you want to address overlay networks in general or the specifics of the actual equipment and networks in a real deployment, you need to make a new question with those details. Commented Dec 4, 2024 at 22:35
