[Swan] Clashing private IP addresses

Eric Curtin ericcurtin17 at gmail.com
Thu Jun 8 15:02:02 UTC 2017


On 8 June 2017 at 13:03, Eric Curtin <ericcurtin17 at gmail.com> wrote:
> On 7 June 2017 at 23:08, Paul Wouters <paul at nohats.ca> wrote:
>> On Wed, 7 Jun 2017, Eric Curtin wrote:
>>
>>> I need to connect to multiple clients behind multiple routers from a
>>> centos/rhel 6 machine. There are clashing 192.168.0.100, 192.168.0.101
>>> addresses... How can I solve this so that I can connect to multiple
>>> 192.168.0.100's? I cannot alter the remote private IP addresses.
>>>
>>> Just wondering, what are my options in this scenario?
>>
>>
>> I'm unsure what your goal is. If your goal is to connect laptops and
>> phones to your remote network and currently your problem is they are
>> all behind NAT on conflicting/overlapping RFC1918 space, the solution
>> is to give those devices an IP from your pool, using either IKEv2 CP
>> or IKEv1 XAUTH.
>>
>> https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2
>> https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv1_XAUTH_with_Certificates
>> https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv1_XAUTH_with_PSK
>>
>> If you are trying to connect subnets which use overlapping RFC1918
>> ranges together, you have a much harder task. An IP can really only
>> live in 1 place, and you'd have to do a lot of NAT+IPsec to tweak
>> it, and you'd end up using hardcoded IPs or weird modified DNS. You
>> might need something like:
>>
>> https://libreswan.org/wiki/Subnet_to_subnet_using_NAT
>>
>> Paul
>
> +----------------------------+
> |                            |
> |  Windows                   |
> |                            |
> |                            |    +------------+
> |                            |    |            |
> +---------------------+      |    |            |
> +-------+                   +-------------+
> |                     |      |    |            +-------------------+
> Cisco +-------------------+ Some client |
> |                     |      |    |            |
> +-------+                   +-------------+
> | CentOS6 (bridged)   |      |    |  Corporate |
> |                     +-----------+  Network   |
> 10.37.177.3  192.168.1.1         192.168.1.104
> | running libreswan   |      |    |            |
> |                     |      |    |            |
> +-------+                   +-------------+
> |                     |      |    |
> +-------------------+Juniper+-------------------+ Some client |
> +---------------------+      |    |            |
> +-------+                   +-------------+
> |                            |    |            |
> |                            |    +------------+
> 10.37.177.4  192.168.1.1         192.168.1.104
> |                            |
> |                            |
> |                            |
> +----------------------------+
>
>                     16.248.10.231
>
>
> That diagram should display properly if you use a monospace font to view this.
>
> By the sounds of it, I am stuck with option two that you are referring
> to. I would use a configuration like the following to connect to the
> Cisco-based client:
>
> conn cisco
>     type=tunnel
>     left=16.248.10.231
>     leftsubnet=16.248.10.231/32
>     leftsourceip=16.248.10.231
>     right=10.37.177.3
>     rightsubnet=192.168.1.104/32
>     rightsourceip=10.37.177.3
>     authby=secret
>     retransmit-timeout=16s
>     ike=aes256-sha1;modp1536
>     phase2alg=aes256-sha1;modp1536
>
> But I cannot connect to 192.168.1.104 behind the Juniper router at the
> same time using a similar configuration. Client IP addresses are out
> of my control.

Gmail butchered that diagram:

https://gist.github.com/ericcurtin/18abd507c0a391ba1089742bcd4cc37c

Forgot to CC the mailing list.
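The thread's core problem is that two conns would carry identical traffic selectors (same leftsubnet, same rightsubnet) to different peers, which the kernel cannot keep apart. The following added example (not code from the thread or from libreswan) is a small checker that parses ipsec.conf-style conn sections and flags such pairs; the "juniper" conn in the sample input is a constructed, hypothetical copy of the poster's "cisco" conn aimed at the second gateway.

```python
import ipaddress
import re

# Constructed sample (not from the original post): the poster's "cisco" conn
# plus a hypothetical "juniper" conn written the same way for the second client.
SAMPLE_CONF = """
conn cisco
    left=16.248.10.231
    leftsubnet=16.248.10.231/32
    right=10.37.177.3
    rightsubnet=192.168.1.104/32
conn juniper
    left=16.248.10.231
    leftsubnet=16.248.10.231/32
    right=10.37.177.4
    rightsubnet=192.168.1.104/32
"""

def parse_conns(text):
    """Parse ipsec.conf-style 'conn NAME' sections into {name: {key: value}}."""
    conns, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = re.match(r"conn\s+(\S+)$", stripped)
        if m and not line[0].isspace():          # section header at column 0
            current, conns[m.group(1)] = m.group(1), {}
        elif current and "=" in stripped:        # indented key=value setting
            key, _, value = stripped.partition("=")
            conns[current][key.strip()] = value.strip()
    return conns

def selectors(conn):
    """Traffic selectors (local net, remote net); no *subnet means the host itself."""
    left = conn.get("leftsubnet", conn["left"] + "/32")
    right = conn.get("rightsubnet", conn["right"] + "/32")
    return ipaddress.ip_network(left, strict=False), ipaddress.ip_network(right, strict=False)

def find_clashes(conns):
    """Pairs of conns whose selectors overlap but terminate at different peers:
    the kernel installs one IPsec policy per src/dst selector, so only one of
    them can ever carry traffic to the shared remote address."""
    clashes, names = [], sorted(conns)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (la, ra), (lb, rb) = selectors(conns[a]), selectors(conns[b])
            if la.overlaps(lb) and ra.overlaps(rb) and conns[a]["right"] != conns[b]["right"]:
                clashes.append((a, b, str(ra)))
    return clashes
```

Running `find_clashes(parse_conns(SAMPLE_CONF))` reports the cisco/juniper pair for 192.168.1.104/32; giving one side a distinct mapped range (the NAT approach Paul links) makes the selectors disjoint and the report empty.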