[Swan] Clashing private IP addresses
Eric Curtin
ericcurtin17 at gmail.com
Thu Jun 8 12:03:37 UTC 2017
On 7 June 2017 at 23:08, Paul Wouters <paul at nohats.ca> wrote:
> On Wed, 7 Jun 2017, Eric Curtin wrote:
>
>> I need to connect to multiple clients behind multiple routers from a
>> centos/rhel 6 machine. There are clashing 192.168.0.100, 192.168.0.101
>> addresses... How can I solve this so that I can connect to multiple
>> 192.168.0.100's? I cannot alter the remote private IP addresses.
>>
>> Just wondering, what are my options in this scenario?
>
>
> I'm unsure what your goal is. If your goal is to connect laptops and
> phones to your remote network and currently your problem is they are
> all behind NAT on conflicting/overlapping RFC1918 space, the solution
> is to give those devices an IP from your pool, using either IKEv2 CP
> or IKEv1 XAUTH.
>
> https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2
> https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv1_XAUTH_with_Certificates
> https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv1_XAUTH_with_PSK
>
> If you are trying to connect subnets which use overlapping RFC1918
> ranges together, you have a much harder task. An IP can really only
> live in 1 place, and you'd have to do a lot of NAT+IPsec to tweak
> it, and you'd end up using hardcoded IPs or weird modified DNS. You
> might need something like:
>
> https://libreswan.org/wiki/Subnet_to_subnet_using_NAT
>
> Paul
+------------------------------------+
| Windows                            |
|                                    |                            +--------------------+
|  +------------------------------+  |       +-------+            |                    |
|  |                              |  |       |       |            |   +-------------+  |
|  |  CentOS6 (bridged)           +----------+ Cisco +----------------+ Some client |  |
|  |  running libreswan           |  |       |       |            |   |             |  |
|  |                              |  |       +-------+            |   +-------------+  |
|  |                              |  |   10.37.177.3  192.168.1.1 |    192.168.1.104   |
|  |                              |  |                            |   Corporate        |
|  |                              |  |       +-------+            |   Network          |
|  |                              |  |       |       |            |   +-------------+  |
|  |                              +----------+Juniper+----------------+ Some client |  |
|  |                              |  |       |       |            |   |             |  |
|  +------------------------------+  |       +-------+            |   +-------------+  |
|                                    |   10.37.177.4  192.168.1.1 |    192.168.1.104   |
+------------------------------------+                            +--------------------+
 16.248.10.231
That diagram should display properly if you use a monospace font to view this.
By the sounds of it, I am stuck with option two that you are referring
to. I would use a configuration like the following to connect to the
Cisco-based client:
conn cisco
    type=tunnel
    # left: the CentOS6 host running libreswan (16.248.10.231 in the diagram)
    left=16.248.10.231
    leftsubnet=16.248.10.231/32
    leftsourceip=16.248.10.231
    # right: the Cisco router, with the single client host behind it
    right=10.37.177.3
    rightsubnet=192.168.1.104/32
    rightsourceip=10.37.177.3
    authby=secret
    retransmit-timeout=16s
    # IKE (phase 1) and ESP (phase 2) proposals
    ike=aes256-sha1;modp1536
    phase2alg=aes256-sha1;modp1536
But I cannot connect to the 192.168.1.104 behind the Juniper router at
the same time using a similar configuration. Client IP addresses are out
of my control.
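The "NAT + IPsec with hardcoded IPs" route Paul describes, as an added example that is not from this thread, from Eric's setup or from the libreswan project: the script below plans one pseudo-address per peer for the colliding 192.168.1.104 hosts, emits a libreswan conn stanza per peer, and emits the iptables rules that mark locally generated traffic to the pseudo-address and DNAT it to the real address, so the mark (not the identical selector) picks the outbound tunnel. Everything beyond the addresses in the diagram is assumed: 10.99.0.0/16 is taken to be free on the libreswan host, the peer list and names are constructed, the libreswan build is assumed to support mark-out=, and the script only generates text (no root, no iptables calls), so it runs anywhere.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or libreswan itself.
# Plan pseudo-addresses for remote hosts whose private IPs collide and
# generate the libreswan conns plus iptables rules that map each
# pseudo-address onto its real address and tag it for the right tunnel.
# Assumptions (none are from the original post): 10.99.0.0/16 is unused
# on the libreswan host; libreswan understands mark-out=; peer names are
# invented; the peer list below is constructed for the example.
set -eu

LOCAL_IP=16.248.10.231          # left= in the original conn

# Constructed peer list, "name peer_ip remote_host": both remote hosts
# carry the same private address, which is exactly the problem.
PEERS='cisco 10.37.177.3 192.168.1.104
juniper 10.37.177.4 192.168.1.104'

# pseudo_ip INDEX REMOTE_HOST: 192.168.1.104 behind peer N becomes 10.99.N.104
pseudo_ip() {
  last_octet=${2##*.}
  echo "10.99.$1.$last_octet"
}

# overlapping_remotes: remote hosts that appear behind more than one peer,
# i.e. selectors that policy-based IPsec cannot install side by side.
overlapping_remotes() {
  printf '%s\n' "$PEERS" | cut -d' ' -f3 | sort | uniq -d
}

# conn_stanza NAME PEER_IP REMOTE_HOST MARK: one conn per peer, keeping the
# proposals from the original conn; only the outbound policy is marked,
# return traffic is matched by SPI and conntrack reverses the DNAT.
conn_stanza() {
  cat <<EOF
conn $1
    type=tunnel
    authby=secret
    left=$LOCAL_IP
    leftsubnet=$LOCAL_IP/32
    right=$2
    rightsubnet=$3/32
    mark-out=$4/0xffffffff
    ike=aes256-sha1;modp1536
    phase2alg=aes256-sha1;modp1536
    auto=start
EOF
}

# nat_rules PSEUDO_IP REMOTE_HOST MARK: in the OUTPUT path mangle runs
# before nat, so the packet is marked while it still carries the
# pseudo-address, then DNATed to the real (colliding) address.
nat_rules() {
  cat <<EOF
iptables -t mangle -A OUTPUT -d $1/32 -j MARK --set-mark $3
iptables -t nat -A OUTPUT -d $1/32 -j DNAT --to-destination $2
EOF
}

# plan: emit a conn stanza and NAT rules per peer, numbering peers from 1
plan() {
  n=0
  printf '%s\n' "$PEERS" | while read -r name peer remote; do
    n=$((n + 1))
    pseudo=$(pseudo_ip "$n" "$remote")
    echo "# $name: reach $remote behind $peer as $pseudo (mark $n)"
    conn_stanza "$name" "$peer" "$remote" "$n"
    nat_rules "$pseudo" "$remote" "$n"
  done
}

echo "# colliding remote hosts: $(overlapping_remotes | tr '\n' ' ')"
plan
```

Whether libreswan on CentOS 6 will actually accept two conns whose selectors are identical once the marks differ is the thing to verify first (add both and check `ipsec status` before relying on it); if it still reports a conflicting route, the only remaining lever is the subnet the remote peer negotiates, which in this scenario is out of Eric's hands. The proposals are copied from the original conn unchanged; modp1536 is kept only for fidelity to the post.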