VPN gateways I know of are routing traffic. You could maybe throw heavy NAT artillery at it.
The requirement would need a VPN solution that has direct access to the internal VLANs and allow to assign the user to a specific VLAN directly without routing.
One of the issues here is that we’re not quite at the stage where everything including firewalls would be user-based which would make the IP less important.
How do people do this? Do they do it at all? Why (not)?
If users need to have the same IP on the VPN at home as they would at the office, then they should use the VPN at the office. This is by far the simplest way to achieve what you need. (And not too uncommon in secure networks).
How do people do this? Do they do it at all? Why (not)?
They don’t, I don’t think I’ve ever considered doing something like this for an employee VPN. Is this some kind of application that’s using IPs to identity/authenticate users?
How do people do this? Do they do it at all? Why (not)
They don’t. Not usually. Because it would generally require the vpn interface to have the same macaddress as the normal nic or some other tom fuckery.
The requirement would need a VPN solution that has direct access to the internal VLANs and allow to assign the user to a specific VLAN directly without routing.
Generally achieved by bridging the vpn provider interface onto the lan vlan… But the requirement for the ip between vpn/lan to be the same adds a wrench or three to the client config…
If you require IPs to “authenticate” that is not authentication at all. In order to meet that requirement you should setup a jump box on the LAN with the magic IP address that all users can initiate their session from. So you’d have users connected to the vpn with internal IP 192.168.0.X/24. They could then RDP/SSH to the jump box on the “secure” network of 10.0.0.X/24. From there they could connect to the stupid mainframe that uses IP “authentication” on the same 10.0.0.Y/24 network.
Yup, you need a layer 4 something between the LAN and VPN subnets, and the router for those. You can also do this with some VPN solutions, e.g. Cisco, Fortinet.
What about two IPs per device? You can lock in who gets what with DHCP reservations, and without the NAT headache.
IPv6 kinda lends itself to this…
You CAN do this with L2TP VPN and an appliance that can use the same subnet for office and the clients ip addresses when on VPN. Then you just enable proxy arp on the office network.
I have done this on Mikrotik. Mikrotik can share the same IP-pool with VPN and DHCP. It works just fine, minimal configuration.
If users need to have the same IP on the VPN at home as they would at the office, then they should use the VPN at the office.
I’m not sure if that would be a great idea performance-wise, especially when many people are at the office. Generally the LAN should be experienced as superior both in bandwidth and in latency compared to VPN.
Not sure what you mean. Routing can’t route the same destination to multiple places. It’s either the LAN or the VPN. Even if you were to somehow translate the VPN IPs to the LAN IPs, routing would still send the replies to the LAN. Unless it knew which was a NATed session and which was not. Not sure about that, didn’t go that far and try.
Generally achieved by bridging the vpn provider interface onto the lan vlan… But the requirement for the ip between vpn/lan to be the same adds a wrench or three to the client config…
Right, but enterprise VPN solutions don’t seem to work that way. NAC can throw you in a VLAN. VPN apparently can’t, though solutions like OpenVPN can provide both TUN(L3) and TAP(L2) connections.
Not sure if the same IP on LAN interface and VPN would pose a problem. The mobile device can be only at the office (DHCP assigns Office-LANIP), or at home (DHCP assigns Home-LANIP and VPNGW assigns Office-LANIP address to VPN interface).
But I get the message. People don’t do anything like this ^^