Lost Connections? Overlapping Subnets may be your culprit

Posted: September 15, 2009 in Posts, Troubleshoot

Having trouble connecting to the network when you are on the road?  Don’t worry, you are not alone.  When traveling, many users report to their network administrators that they cannot access the company’s network.  Employees complain that they had a connection and it was dropped; that they were connected but had no VPN access; or that no connection could be made at all.  All of these are common signs of overlapping subnets.

An overlapping subnet occurs when the VPN client connects from a network that uses the same ‘private IP address range’ as the office, so the two address ranges ‘overlap’.  For example, the hotel router assigns your machine an address from a private IP range, and that range matches the office’s.  When the client connects, it uses the source IP address it currently has, which belongs to the local (hotel) network.  The gateway sees this as an internal (local) address; the subnets overlap and your VPN connection is denied.
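To make the collision concrete, here is a small diagnostic (an added example, not from the original post or from NCP) that checks whether the subnet a hotel or home router handed out overlaps the corporate networks reachable through the VPN, and explains why a destination in the shared range becomes ambiguous for the client. All addresses and prefixes are constructed sample values.

```python
"""Diagnostic for overlapping subnets between a local (hotel/home) network and
the networks behind a VPN gateway. Sample values below are constructed."""
from ipaddress import ip_address, ip_interface, ip_network


def find_overlaps(local_net, corporate_nets):
    """Return the corporate prefixes that overlap the locally assigned subnet."""
    local = ip_network(local_net, strict=False)
    return [str(n) for n in map(ip_network, corporate_nets) if local.overlaps(n)]


def classify_destination(dst, local_net, corporate_nets):
    """Say where the client would send a packet to `dst`:
    'local' (hotel LAN), 'vpn' (through the tunnel), 'ambiguous' (address
    exists on both sides, so the routing table cannot pick) or 'internet'."""
    addr = ip_address(dst)
    in_local = addr in ip_network(local_net, strict=False)
    in_corp = any(addr in ip_network(n) for n in corporate_nets)
    if in_local and in_corp:
        return "ambiguous"  # the overlap case the post describes
    if in_local:
        return "local"
    if in_corp:
        return "vpn"
    return "internet"


def diagnose(local_iface, corporate_nets):
    """local_iface is the address/prefix DHCP assigned, e.g. '192.168.1.37/24'.
    Returns (overlapping prefixes, human-readable verdict)."""
    iface = ip_interface(local_iface)
    overlaps = find_overlaps(str(iface.network), corporate_nets)
    if overlaps:
        verdict = (f"{iface.network} clashes with corporate {', '.join(overlaps)}: "
                   "traffic for those hosts may never enter the tunnel")
    else:
        verdict = f"{iface.network} does not overlap any corporate network"
    return overlaps, verdict


if __name__ == "__main__":
    # Constructed scenario: hotel DHCP hands out 192.168.1.0/24, which the
    # office also uses internally alongside 10.0.0.0/8.
    corp = ["192.168.1.0/24", "10.0.0.0/8"]
    print(diagnose("192.168.1.37/24", corp)[1])
    print(classify_destination("192.168.1.10", "192.168.1.0/24", corp))
```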

Here is a technical description NCP shared with us:

IPsec includes two negotiation phases: Phase 1 authenticates and negotiates a secure channel that is used to set up the Phase 2 tunnel.  Phase 1 (‘ISAKMP/IKE’) takes place over UDP 500.  Once the negotiations have taken place, one or more IPsec tunnel(s) are created in Phase 2 between the two peers (client and gateway).  Traffic is sent using ESP (Encapsulating Security Payload) frames, which are carried within neither UDP nor TCP; ESP is IP protocol 50, something ‘parallel’, as it were, to the aforementioned TCP or UDP.  However, if there is a router or firewall in between that performs Network Address/Port Translation (aka Network Address Translation), these packets will either be dropped or modified (modified meaning tampered with, and therefore dropped by the gateway or client).  Some routers/firewalls allow for ‘ESP pass-through’, meaning these ESP frames will not be dropped and it will work.

99% of the time there is going to be NAT performed on the packets.  To circumvent this problem, the ESP frames are wrapped inside UDP packets, which may be modified/touched by the routers.  Once they arrive at either of the two peers, the outer (modified) UDP headers are stripped off, revealing the untouched ESP frames, which can then be processed.  This UDP encapsulation is called NAT-Traversal, or NAT-T.

Back to our original definition: IPsec uses UDP 500 and ESP frames; the latter may be encapsulated within UDP 4500 (or a variable port; other gateways sometimes use UDP 10000).

We will follow up on this topic with solution in a later post—stay tuned.

  1. […] Overlapping subnets, roaming across networks and connections dropping shouldn’t be an issue.  Users should be able to use important features, such as two-factor authentication, end-point security software and personal firewalls without any IT knowledge or help desk support.  It should be a matter of a one-click and get connected.  Will a 64-bit IPsec VPN client be enough to meet customers’ remote access needs?  No, and we think you’ll agree. […]

  2. […] [If you’re curious about the technical description of overlapping subnets, we spoke to NCP’s engineering team, Lost Connections? Overlapping Subnets may be your culprit] […]
