Flat network with a tunnel in the middle?

  • I need to set up a VPN between two Juniper Netscreens... with some strange requirements. Is it possible? I work for a company that often requires non-standard solutions to...well...non-standard problems. This is one of those situations. I am stumped, and it's been blowing my head up a bit, so I'm hoping there is a resident VPN expert somewhere in the hive mind.

    On one side of the VPN (side 1) we have a device that will ONLY route to the one subnet it knows about. Let's say that's 10.1.1.0/24. That device is a DHCP server. It is not possible to set up routes to anywhere else, from what I am being told by the people in charge at that company. Yes, I have pushed. No, this doesn't make sense to me, but I am told it cannot be changed. On the edge of that 10.1.1.1 network lives a Juniper NS5GT with one interface in the 10.1.1.X network and the other in a 10.1.2.X network, NATted out to a public IP on their gateway to the internet.

    On the other side of the VPN (side 2), indeed, in another country, is a network we have full control of, and on the edge is a Juniper Netscreen. One side has a public IP, the other side has a 172.16.1.X IP address (although this is of our choosing, so it can be changed). We also have a wireless access point and another device connected to the 172.16.1.X network. We need all devices on that network of the Juniper Netscreen to get DHCP addresses assigned to them by the DHCP server at side 1.

    The tunnel has been set up as a route-based VPN. Traffic passes fine from side 2 to the internal IP of the Juniper at side 1. The issue is that from side 2 devices we cannot even PING 10.1.1.1, much less get an IP assigned by it. DHCP relay has been set up on the Juniper at side 2, with the 10.1.1.1 address as its server. But no DHCP traffic is passing through, and indeed, once the traffic hits the Juniper at side 1, it appears to go out to 10.1.1.1 but never returns.

    Some thoughts I've had but haven't fully fleshed out: Can we set up NAT to somehow NAT all traffic coming in from side 1 to a 10.1.1.X IP? Will that even work? How do we make the Netscreens basically transparent? My boss also brought up the possibility of policy-based VPN instead of route-based, but I believe with a policy-based VPN we will still need routing. Even if we get all the devices on one side of the VPN to get IPs from the DHCP server on the other end, how will it know where to send traffic to which 10.1.1.X IPs? They basically want this to be a flat network design with this VPN hidden in the middle of it. Should I be sourcing the tunnel from the 10.1.1.X interface on the Netscreen at side 1? Do you know of any way to make this work? Yes, I am routergirl, but VPNs on the Junipers are a new thing for me. This, like I said, is blowing up my head. Please help. Even if your solution includes sacrificing a chicken, if it makes this work, I am all ears.

  • Answer:

    Oh, that's too bad. Just so I'm seeing this right, you've got this: clients > JuniperA > VPN > JuniperB > DHCP server. DHCP relay is on JuniperA. DHCP server only has a route to the same net that JuniperB is attached to?

    Is the DHCP relay on JuniperA relaying direct to the DHCP server? What is the source address on those relayed DHCP request packets, after they go through the relay and through the VPN? (Run a capture in verbose on the interface of JuniperB that connects to the DHCP server's net, and look at the headers of the DHCP request packets; you will see the relay server's address in it, which is where the DHCP server will reply to.) I am guessing that the DHCP server does see the packets, but the relay server's address is not one that it has a route to.

routergirl at Ask.Metafilter.Com


Other answers

Or something from http://www.mikrotik.com/ could end up similarly minimal and unobtrusive and might be easier to set up.

flabdablet

Congratulations! Glad to hear it got sorted.

McCoy Pauley

Well done you. Overcoming PEBKAC issues can be really hard, especially remote ones.

flabdablet

Sorry, things have been hectic here. We ended up doing what I was pushing for from the beginning: on the local side we set up the Netscreen to hand out IPs in our 172.16.1.X range. Then we got them to do what they claimed was "impossible" on the other side (getting a higher level tech always helps!) and set up a route from the 10.1.1.X network to our network on the other side of the tunnel. So - basic tunnel, really.

The things complicating this were that on the remote side the DHCP server was a Livebox, which is a device I'm not even remotely familiar with, so I was at the mercy of the people responsible for it. On our side we have a set top cable box, which they said needed to get "configurations" from the Livebox. Turns out all it needed was IP, Mask, GW and DNS, which our Netscreen was perfectly happy to provide. Once the route was in place, it all worked beautifully.

So the lesson here for me is that if they are trying to insist you do something that appears impossible, sometimes you have to just put your foot down and say no. Handing out DHCP addresses in a 172.16.1.x network from a 10.1.1.x network? How could that even work? I mean, say the box got a 10.1.1.X IP. But then it would have to traverse the 172.16.1.x network to get BACK to 10.1.1.X. Then how would routing work, if both sides think they're the same network? Also, I dug deeper into the Juniper DHCP relay examples I could find, and in every case they were relaying IPs in a subnet that matched the other side of the VPN. So we could use a DHCP server at the remote side, IF it handed out 172.16.1.X IPs. That was when I started pushing harder for the route they said wasn't possible. The turning point was when the guys at our office set up a call to get a status, and the tech we'd been working with on the remote side was out of town, so we got a different one, who happened to be higher. I said, "Look, can you just go over why a DHCP server on our side wouldn't work?"
Although the other tech said, "It HAS to be our DHCP server," this guy said, "We might as well try it." We had it all working an hour later. You guys are awesome, and went above and beyond with the suggestions, thoughts, and answers. Thanks to all of you for helping me see this more clearly.

routergirl

I think that's where the problem is (that I see) -- as far as I can tell, the destination address for the DHCP response from the server is being generated from the GIADDR in the original request, not from the source IP on the request packet. So even if the request comes in with a NAT'd source address of 10.1.1.x, but the GIADDR is 172.16.1.x, then the server will put 172.16.1.x as the destination on the response packet, and that's where the routing breaks down. This may depend on the implementation in the particular DHCP server software they're using, but as I read RFC2131, that's the proper behavior, which will cause problems in this case. From RFC 2131, Section 4.1: If the 'giaddr' field in a DHCP message from a client is non-zero, the server sends any return messages to the 'DHCP server' port on the BOOTP relay agent whose address appears in 'giaddr'. Meanwhile, I'm hoping the OP has had some luck solving her problem -- any news, routergirl?

McCoy Pauley

The daemon will happily generate the response packet, but it then needs to hand it off to the host OS' IP stack for delivery, which will drop it instead of putting it on the wire, because it's got no route for the destination. The daemon's happy, but the client's kind of hosed. If the unicast packet was being natted so as to have a (udp header) source of the dhcp server's routable network, then it would be just fine.

Threeway Handshake

The daemon will happily generate the response packet, but it then needs to hand it off to the host OS' IP stack for delivery, which will drop it instead of putting it on the wire, because it's got no route for the destination. The daemon's happy, but the client's kind of hosed.

McCoy Pauley

And the DHCP server daemon is unaware of a host OS's route, so it doesn't matter.

Threeway Handshake

...which is case 2 above. The server still uses the GIADDR as the destination for the unicast reply, which it can't route.

McCoy Pauley
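As an added illustration (not from anyone in the thread) of the RFC 2131 section 4.1 behaviour McCoy Pauley quotes and the "no route for the destination" failure Threeway Handshake describes, the following Python models a relayed DHCP request and works out where the side-1 server would send its reply and whether its host stack could deliver it. The route table, client MAC and addresses are constructed from the question's 10.1.1.0/24 and 172.16.1.x ranges.

```python
import ipaddress
import struct

# Constructed route table for the side-1 DHCP server host: only its own /24.
SERVER_ROUTES = [ipaddress.ip_network("10.1.1.0/24")]
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"  # fixed 236-byte BOOTP/DHCP header

def build_request(xid, chaddr, giaddr="0.0.0.0", ciaddr="0.0.0.0", broadcast=False):
    """Build the fixed header of a client request (op=1). A relay agent sets giaddr."""
    relayed = giaddr != "0.0.0.0"
    return struct.pack(BOOTP_FMT,
                       1, 1, 6, 1 if relayed else 0,        # op, htype, hlen, hops
                       xid, 0, 0x8000 if broadcast else 0,  # xid, secs, flags
                       ipaddress.ip_address(ciaddr).packed,
                       b"\0" * 4, b"\0" * 4,                # yiaddr, siaddr (server fills)
                       ipaddress.ip_address(giaddr).packed,
                       chaddr, b"\0" * 64, b"\0" * 128)     # chaddr, sname, file

def reply_destination(request, offered_ip):
    """Return (address, UDP port) the server replies to, per RFC 2131 section 4.1.
    Only the DHCP payload is consulted: the IP-header source, and any NAT applied
    to it on the way in, plays no part in choosing the destination."""
    f = struct.unpack(BOOTP_FMT, request[:236])
    flags, ciaddr, giaddr = f[6], f[7], f[10]
    if giaddr != b"\0" * 4:                  # relayed: unicast to the relay agent, port 67
        return str(ipaddress.ip_address(giaddr)), 67
    if ciaddr != b"\0" * 4:                  # client already has an address (renewal)
        return str(ipaddress.ip_address(ciaddr)), 68
    if flags & 0x8000:                       # client set the broadcast flag
        return "255.255.255.255", 68
    return offered_ip, 68                    # unicast to the address being offered

def server_can_route(dest, routes=SERVER_ROUTES):
    """Simulate the server host's IP stack: no matching route means the reply is dropped."""
    if dest == "255.255.255.255":
        return True                          # limited broadcast needs no route
    return any(ipaddress.ip_address(dest) in net for net in routes)

def relayed_reply_outcome(giaddr):
    """Outcome for a request relayed from side 2 with the given giaddr:
    (reply destination, port, whether the side-1 server host can deliver it)."""
    req = build_request(0x1234, b"\x00\x11\x22\x33\x44\x55", giaddr=giaddr)
    dest, port = reply_destination(req, "172.16.1.50")
    return dest, port, server_can_route(dest)
```

With the relay on the side-2 Netscreen (giaddr 172.16.1.x) the reply is addressed to 172.16.1.x and dropped by the server host, which is exactly why NATting the request's IP source to 10.1.1.x changes nothing; only a giaddr the server can reach, or the route that was eventually added on side 1, lets the reply leave the host.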
