[Swan] Clashing private IP addresses

Eric Curtin ericcurtin17 at gmail.com
Thu Jun 8 12:03:37 UTC 2017


On 7 June 2017 at 23:08, Paul Wouters <paul at nohats.ca> wrote:
> On Wed, 7 Jun 2017, Eric Curtin wrote:
>
>> I need to connect to multiple clients behind multiple routers from a
>> centos/rhel 6 machine. There are clashing 192.168.0.100, 192.168.0.101
>> addresses... How can I solve this so that I can connect to multiple
>> 192.168.0.100's? I cannot alter the remote private IP addresses.
>>
>> Just wondering, what are my options in this scenario?
>
>
> I'm unsure what your goal is. If your goal is to connect laptops and
> phones to your remote network and currently your problem is they are
> all behind NAT on conflicting/overlapping RFC1918 space, the solution
> is to give those devices an IP from your pool, using either IKEv2 CP
> or IKEv1 XAUTH.
>
> https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2
> https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv1_XAUTH_with_Certificates
> https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv1_XAUTH_with_PSK
>
> If you are trying to connect subnets which use overlapping RFC1918
> ranges together, you have a much harder task. An IP can really only
> live in 1 place, and you'd have to do a lot of NAT+IPsec to tweak
> it, and you'd end up using hardcoded IPs or weird modified DNS. You
> might need something like:
>
> https://libreswan.org/wiki/Subnet_to_subnet_using_NAT
>
> Paul

+----------------------------+
| Windows                    |
|                            |      +-----------+
|  +---------------------+   |      |           |   +-------------+     +-------------+
|  | CentOS6 (bridged)   |   |      |           +---+    Cisco    +-----+ Some client |
|  | running libreswan   +----------+ Corporate |   +-------------+     +-------------+
|  |                     |   |      | Network   |   10.37.177.3  192.168.1.1   192.168.1.104
|  |                     |   |      |           |
|  |                     |   |      |           |   +-------------+     +-------------+
|  |                     |   |      |           +---+   Juniper   +-----+ Some client |
|  +---------------------+   |      |           |   +-------------+     +-------------+
|                            |      +-----------+   10.37.177.4  192.168.1.1   192.168.1.104
+----------------------------+
         16.248.10.231


That diagram should display properly if you use a monospace font to view this.

By the sounds of it, I am stuck with option two that you are referring
to. I would use a configuration like the following to connect to the
Cisco-based client:

conn cisco
    type=tunnel
    left=16.248.10.231
    leftsubnet=16.248.10.231/32
    leftsourceip=16.248.10.231
    right=10.37.177.3
    rightsubnet=192.168.1.104/32
    rightsourceip=10.37.177.3
    authby=secret
    retransmit-timeout=16s
    ike=aes256-sha1;modp1536
    phase2alg=aes256-sha1;modp1536

But I cannot connect to 192.168.1.104 behind the Juniper router at the
same time, using a similar configuration. Client IP addresses are out
of my control.
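As an added example that is not part of the thread or of libreswan: a small Python check that reads ipsec.conf-style conn blocks and flags exactly the situation described above, two conns whose rightsubnet ranges overlap while pointing at different right gateways, so the conflict is caught before a second tunnel is brought up. The juniper conn in the sample is constructed from the diagram, not from a real config.

```python
import ipaddress
import re

# Constructed sample (not from the thread): the cisco conn from the post,
# stripped to the keys that matter here, plus a hypothetical juniper conn
# that reuses the same rightsubnet behind a different gateway.
SAMPLE_CONF = """
conn cisco
    left=16.248.10.231
    leftsubnet=16.248.10.231/32
    right=10.37.177.3
    rightsubnet=192.168.1.104/32

conn juniper
    left=16.248.10.231
    leftsubnet=16.248.10.231/32
    right=10.37.177.4
    rightsubnet=192.168.1.104/32
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style 'conn' blocks."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        m = re.match(r'^conn\s+(\S+)\s*$', line)
        if m:
            current = m.group(1)
            conns[current] = {}
        elif current is not None and line[0].isspace() and '=' in line:
            key, _, value = line.strip().partition('=')
            conns[current][key.strip()] = value.strip()
    return conns

def overlapping_remote_subnets(conns):
    """Pairs of conns whose rightsubnet ranges overlap while their 'right'
    gateways differ: a destination address can select only one IPsec policy."""
    found = []
    names = sorted(n for n in conns if 'rightsubnet' in conns[n])
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            net_a = ipaddress.ip_network(conns[a]['rightsubnet'], strict=False)
            net_b = ipaddress.ip_network(conns[b]['rightsubnet'], strict=False)
            if net_a.overlaps(net_b) and conns[a].get('right') != conns[b].get('right'):
                found.append((a, b, str(net_a), str(net_b)))
    return found
```

Any pair it reports needs the NAT arrangement from the wiki page Paul linked (or distinct remote ranges) before both tunnels can carry traffic at once.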
