Lost Connections? Overlapping Subnets may be your culprit
Having trouble connecting to the network when you are on the road? Don’t worry, you are not alone. When traveling, many users report issues to their network administrators stating they cannot access the company’s network. Employees complain that they either had connection and it was dropped; they were connected, but no VPN access; or simply no connection could be made. All of these are common signs of overlapping subnets.
An overlapping subnet is when you establish a connection from the VPN client to another network with the same ‘private IP address range', and an 'overlap' occurs with the addresses. I.e. the hotel router assigns your machine a 'private IP address range', i.e. 192.168.1.0, and this address matches the office’s. When the client connects, it uses the source IP address it currently has, which is the home network. The gateway sees this as an internal (local) address, and thus subnets overlap and deny your VPN connection.
Here is a technical description NCP shared with us:
IPsec includes two negotiation phases; phase 1 authenticates and negotiates a secure channel to set up a Phase 2 tunnel. Phase 1: ‘ISAKMP/IKE’ takes place over UDP500. Once the negotiations have taken place, one or more IPsec tunnel(s) is created in Phase 2 (between the two peers—client and the gateway. Traffic is sent using ESP (Encapsulated Security Payload) Frames, which are not within UDP or TCP, except ESP = IP Protocol 50; something 'parallel' as it were to the aforementioned TCP or UDP. However, if there's a router or firewall in between that performs Network Address/Port Translation (aka Network Address Translation) these packets will either be dropped or modified (modified, meaning tampered with, therefore being dropped by the gateway or client). Some routers/firewalls allow for ‘ESP Pass-through’, meaning these ESP frames will not be dropped and it'll work.
99% of the time there is going to be NAT performed on the packets. In order to circumvent this problem, the ESP frames are wrapped inside UDP packets which may be modified/touched by the routers. Once they arrive at either the two peers, the outer (modified) UDP headers are stripped off, revealing the untouched ESP frames which then can be processed. This UDP encapsulation is called NAT-Traversal or NAT-T.
Back to our original definition, IPsec uses UDP 500 and ESP frames, the latter may be encapsulated within UDP 4500 (or variable; other gateways sometimes use UDP10000).
We will follow up on this topic with solution in a later post—stay tuned.