Using a private IP address with a VPN

Pinging all network admins:

This seems so obvious to me, that I’m kinda scratching my head, wondering what I’m missing.

Here’s the deal.

I’m trying to configure a site-to-site VPN with Partner X.

My network: 200.200.200.0/24
My FW/VPN device: 200.200.200.1

Partner X’s FW/VPN device: 100.100.100.1

Partner X is presumably NATing everything behind that firewall. Assuming we’ve got the configurations matched up, everything’s copacetic, right?

Wrong.

Partner X is telling me that if the VPN is configured correctly, I should be able to ping one of their hosts in the 10.0.0.0/24 range.

Come again?

Yeah. 10.0.0.0/24.

Now, I’m kinda new to this, but looks suspiciously like a reserved address. I suppose I could set up a static route, but that leads me to a couple of GQs, and one IMHO:
- Is there any standard site-to-site VPN configuration where that makes sense?
- Doesn’t that completely break RFC 1918?
- Routing issues aside, isn’t it a big, fat, security exposure?
- Assuming my instincts about all of this are right, what’s the best way to tell a fellow firewall admin that he’s, uh, completely and totally off base?

I’m totally prepared to be told that I don’t know what I’m talking about, here. I’ve only done maybe sixty of these configs, and I’ve only really got experience with PIXes and Checkpoint boxes; Partner X is on a completely different platform.

Anybody care to straighten me out?

Thanks.

PS: All addresses were changed to protect the guilty, natch.

Crap. That was supposed to be GQ. Sorry.

Uh, I don’t see the problem here.

You are, apparently, one of those rare souls who have an entire subnet of “real” IP addresses for themselves. I assume you are a university or something?

Your partner, like most of the world, does not have this luxury: they have just one public IP address (100.100.100.1), or maybe a few more, but their internal network uses 10.x.y.z addresses.

The 10.0.0.0/24 range is indeed a reserved one, and they are using it exactly for the purpose for which it is reserved: to create an internal network without needing to give every host in that network a public IP. This not only helps with the fact that the world is rapidly running out of IPv4 address space, but it also increases security: a box which is simply not addressable from outside is pretty difficult to crack, even if their firewall were to somehow fail to do its job.

I guess I wasn’t clear enough:

They want me to address that 10. address from outside.

I’m looking at the IKE phase 2 key right now (they initiated the key exchange), and it’s for my (externally addressable, but firewalled) subnet and their 10. subnet.

They’re acting like I should somehow be able to get to a 10. host directly.

Oh, and to answer the questions:

Yes. In fact, this is the normal situation as far as I am aware: both sites use one of the RFC1918 reserved address ranges internally, use a public IP for their firewall/VPN/router machine, and set up static routes to each other’s address space. Things get VERY messy, by the way, when both sites use the same reserved IP range, but that does not seem to be the issue here.

No, your partner is doing exactly what RFC 1918 tells them to do. 10.x.y.z is one of the three reserved address ranges described by RFC 1918 (the others are 192.168.x.y and 172.16.x.y).

No, if done properly it considerably improves security, as described in my previous post. What kind of threat are you thinking of?

n/a
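An added example, not posted by anyone in this thread, that checks a proposed site-to-site setup the way the reply above describes it: both peers' gateways must be public, the two sides' protected subnets become the IKE phase 2 selectors (proxy IDs), the local side needs static routes for the remote private space via its own VPN gateway, and overlapping private ranges on the two sides are flagged as the "VERY messy" case that requires NAT. The `Site` class, `plan_tunnel` function and the second test scenario are constructed for this example; the addresses from the thread are the poster's made-up ones.

```python
import ipaddress
from dataclasses import dataclass, field

# The three RFC 1918 ranges named in the reply above.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(prefix):
    """True if the whole prefix (or a single host written as x.x.x.x/32) lies in RFC 1918 space."""
    net = ipaddress.ip_network(prefix, strict=False)
    return any(net.subnet_of(r) for r in RFC1918)


@dataclass
class Site:
    """One end of the tunnel (constructed for this example)."""
    name: str
    gateway: str                                   # public address of the FW/VPN device, i.e. the IKE peer
    protected: list = field(default_factory=list)  # subnets this side offers through the tunnel


def plan_tunnel(local, remote):
    """Check a proposed site-to-site setup and derive phase 2 selectors and static routes.

    Returns (findings, selectors, routes): findings lists problems that would break the
    tunnel or force NAT; selectors is the list of (local subnet, remote subnet) pairs both
    peers must agree on in IKE phase 2; routes is what the local side must install so that
    traffic for the remote subnets is handed to its own VPN gateway.
    """
    findings = []
    local_nets = [ipaddress.ip_network(p, strict=False) for p in local.protected]
    remote_nets = [ipaddress.ip_network(p, strict=False) for p in remote.protected]

    # The IKE endpoints talk across the Internet, so a gateway inside RFC 1918 space
    # can never terminate the tunnel; the protected subnets behind it may be private.
    for site in (local, remote):
        if is_rfc1918(site.gateway + "/32"):
            findings.append(f"{site.name}: gateway {site.gateway} is RFC 1918; the peer cannot reach it")

    # Both sides using the same private range: routes become ambiguous and one side
    # has to NAT its hosts before they are offered through the tunnel.
    for ln in local_nets:
        for rn in remote_nets:
            if ln.overlaps(rn):
                findings.append(f"overlap: {ln} ({local.name}) vs {rn} ({remote.name}); NAT one side")

    # Phase 2 selectors: every local subnet paired with every remote subnet.
    selectors = [(str(ln), str(rn)) for ln in local_nets for rn in remote_nets]

    # Static routes on the local side: each remote subnet via the local VPN gateway.
    routes = [(str(rn), local.gateway) for rn in remote_nets]
    return findings, selectors, routes


if __name__ == "__main__":
    me = Site("my site", "200.200.200.1", ["200.200.200.0/24"])
    partner = Site("Partner X", "100.100.100.1", ["10.0.0.0/24"])
    findings, selectors, routes = plan_tunnel(me, partner)
    print("findings:", findings or "none")
    print("phase 2 selectors:", selectors)
    print("static routes (dest, next hop):", routes)
```

For the thread's setup the check comes back clean: a public /24 on one side and a 10.0.0.0/24 on the other is an ordinary selector pair, and the only thing the public side has to add is a route for 10.0.0.0/24 pointing at its own VPN device. Feed it two sites that both use 10.0.0.0/8 space and the overlap finding appears instead.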

Ah. Then I did indeed not understand you correctly, because when you wrote

, I assumed that you meant "after setting up the VPN, so that our two networks are connected through a private virtual link, you should be able to ping the internal machines in our network. That seems perfectly logical, and I can’t think what else they would mean. Are you sure that isn’t what they meant?

I think I see where my conceptual problem is.

Virtually all of my experience with this comes from the perspective of configuring VPNs for strict client/server stuff. We’re always the server side, so all I ever expect to see is a partner’s natted and/or externally addressable clients. No static routing is necessary, because the clients are always externally addressable, in one way or another.

What they’re doing is acting like the networks are directly connected, necessitating the static routes, etc. Since we’re never going to be making any requests to any of their hosts, I basically set it up one way.

I guess I can understand why you’d do it that way for remote sites within one organization, but I figured they’d want to NAT for an external partner.

You’ve clarified it for me. Now I’ve just gotta clear it with the boss, since this isn’t SOP for us.

Glad I could help, good luck!