[Vpn-help] Client and Remote subnets are the same

Jeff jlar310 at gmail.com
Mon Dec 22 12:10:05 CST 2008


On Mon, Dec 22, 2008 at 11:01 AM, Stefan Bauer <stefan.bauer at plzk.de> wrote:
> Jeff schrieb:
>> We are trying to migrate to a Juniper SSG. We have successfully set up
>> the SSG to accept connections from the Shrew client. However, our
>> office subnet is 192.168.1.0/24, which matches most home networks. We
>> do not yet know for sure that this is the problem, but so far, we have
>> only had success with Shrew/SSG when the client subnet is different.
>> Home users whose subnet is the same can establish a
>> connection, but do not pass any useful traffic.
>
> Yes because their routing entries send packets intended for the remote
> lan to their local one. You could limit the remote subnet to a small
> range like:
>
> 192.168.1.200/27 where you could use around 30 hosts inside.
>
> 192.168.1.193 - 192.168.1.222
> network/broadcast is 192.168.1.192/192.168.1.223
>
> Another way is to assign the "roadwarriors" a total different network
> by the ssg and allow traffic by policies.
>

Arrgghh. gmail makes one manually select the list address for replies.
Reposting.

The assigned IP range for the connected clients is indeed different
than the office network, but it's the default local subnet within the
home networks that seems to be the problem. Home Linksys routers
default to 192.168.1.0/24.

I am looking into a NAT solution (make the office net appear as
10.10.1.0/24 for example, but probably make it more obscure so as to
not run into the same problem on random free wifi), but that breaks DNS.
Anyone got a solution for translating DNS? I read somewhere that JunOS
automatically translates DNS results when bi-directional NAT is in
effect, but I could not find anything stating the same about ScreenOS
in the SSG.



-- 
Jeff
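The routing behaviour discussed in this thread (a home LAN on 192.168.1.0/24 shadowing an identical office subnet, and why narrowing the remote range to a /27 lets tunnel traffic flow) can be checked with a small simulation. The script below is an added example, not code from the list or from either poster; it uses Python's standard ipaddress module, and the home/office prefixes and the "eth0"/"tun0" interface names are constructed values for illustration.

```python
"""Simulate a VPN client's routing table to show why an overlapping home LAN
swallows office-bound traffic, and why a narrower remote subnet wins by
longest-prefix match. Added example, not from the mailing list thread."""
import ipaddress
from typing import Dict, List, Tuple


def subnets_overlap(local_cidr: str, remote_cidr: str) -> bool:
    """True when the client's LAN and the VPN's remote subnet share addresses."""
    local = ipaddress.ip_network(local_cidr, strict=False)
    remote = ipaddress.ip_network(remote_cidr, strict=False)
    return local.overlaps(remote)


def route_lookup(dest: str, routes: List[Tuple[str, str]]) -> str:
    """Longest-prefix match over (cidr, interface) pairs, like a host routing
    table. On a tie the earlier (directly connected) route wins, which models
    the case where the local LAN route shadows the VPN route."""
    addr = ipaddress.ip_address(dest)
    best = None
    for cidr, iface in routes:
        net = ipaddress.ip_network(cidr, strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else "default"


def describe_range(cidr: str) -> Dict[str, object]:
    """Network, broadcast and usable host range for a block (the arithmetic
    behind the /27 suggestion in the thread)."""
    net = ipaddress.ip_network(cidr, strict=False)
    hosts = list(net.hosts())
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "usable_hosts": len(hosts),
    }


def client_can_reach(dest: str, home_lan: str, vpn_remote: str) -> bool:
    """Model the client's table: home LAN on the local NIC, VPN remote subnet
    on the tunnel. True if a packet to dest would go out the tunnel."""
    routes = [(home_lan, "eth0"), (vpn_remote, "tun0")]  # constructed names
    return route_lookup(dest, routes) == "tun0"


if __name__ == "__main__":
    HOME = "192.168.1.0/24"             # typical home router default
    OFFICE_FULL = "192.168.1.0/24"      # office LAN as described in the post
    OFFICE_NARROW = "192.168.1.192/27"  # narrowed remote range from the reply

    print("overlap:", subnets_overlap(HOME, OFFICE_FULL))
    print("full /24 reachable:", client_can_reach("192.168.1.10", HOME, OFFICE_FULL))
    print("narrow /27 reachable:", client_can_reach("192.168.1.200", HOME, OFFICE_NARROW))
    print("outside /27 stays local:", client_can_reach("192.168.1.10", HOME, OFFICE_NARROW))
    print(describe_range(OFFICE_NARROW))
```

With identical /24 prefixes the lookup ties and the local LAN route wins, so nothing reaches the tunnel; with the remote side narrowed to /27, only hosts in 192.168.1.193 to 192.168.1.222 are pulled into the tunnel and the rest of the home LAN keeps working, which is exactly the trade-off the reply describes.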


