[Swan] Clashing private IP addresses
Eric Curtin
ericcurtin17 at gmail.com
Thu Jun 8 15:02:02 UTC 2017
On 8 June 2017 at 13:03, Eric Curtin <ericcurtin17 at gmail.com> wrote:
> On 7 June 2017 at 23:08, Paul Wouters <paul at nohats.ca> wrote:
>> On Wed, 7 Jun 2017, Eric Curtin wrote:
>>
>>> I need to connect to multiple clients behind multiple routers from a
>>> centos/rhel 6 machine. There are clashing 192.168.0.100, 192.168.0.101
>>> addresses... How can I solve this so that I can connect to multiple
>>> 192.168.0.100's? I cannot alter the remote private IP addresses.
>>>
>>> Just wondering, what are my options in this scenario?
>>
>>
>> I'm unsure what your goal is. If your goal is to connect laptops and
>> phones to your remote network and currently your problem is they are
>> all behind NAT on conflicting/overlapping RFC1918 space, the solution
>> is to give those devices an IP from your pool, using either IKEv2 CP
>> or IKEv1 XAUTH.
>>
>> https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2
>> https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv1_XAUTH_with_Certificates
>> https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv1_XAUTH_with_PSK
>>
>> If you are trying to connect subnets which use overlapping RFC1918
>> ranges together, you have a much harder task. An IP can really only
>> live in 1 place, and you'd have to do a lot of NAT+IPsec to tweak
>> it, and you'd end up using hardcoded IPs or weird modified DNS. You
>> might need something like:
>>
>> https://libreswan.org/wiki/Subnet_to_subnet_using_NAT
>>
>> Paul
>
> +------------------------------+
> |  Windows                     |
> |                              |                                       +---------------------+
> |  +------------------------+  |                                       |  Corporate Network  |
> |  |                        |  |           +---------+                 |  +-------------+    |
> |  |                        +--+-----------+  Cisco  +-----------------+--+ Some client |    |
> |  |   CentOS6 (bridged)    |  |           +---------+                 |  +-------------+    |
> |  |   running libreswan    |  |       10.37.177.3   192.168.1.1       |   192.168.1.104     |
> |  |                        |  |                                       |                     |
> |  |                        |  |           +---------+                 |  +-------------+    |
> |  |                        +--+-----------+ Juniper +-----------------+--+ Some client |    |
> |  |                        |  |           +---------+                 |  +-------------+    |
> |  +------------------------+  |       10.37.177.4   192.168.1.1       |   192.168.1.104     |
> |                              |                                       |                     |
> |        16.248.10.231         |                                       +---------------------+
> +------------------------------+
>
>
> That diagram should display properly if you use a monospace font to view this.
>
> By the sounds of it, I am stuck with option two that you are referring
> to. I would use a configuration like the following to connect to the
> Cisco-based client:
>
> conn cisco
>     type=tunnel
>     # this host: the bridged CentOS 6 VM running libreswan
>     left=16.248.10.231
>     leftsubnet=16.248.10.231/32
>     leftsourceip=16.248.10.231
>     # the Cisco's outside address, and the one client behind it
>     right=10.37.177.3
>     rightsubnet=192.168.1.104/32
>     rightsourceip=10.37.177.3
>     authby=secret
>     retransmit-timeout=16s
>     ike=aes256-sha1;modp1536
>     phase2alg=aes256-sha1;modp1536
>
> But cannot connect to 192.168.1.104 behind the Juniper router at the
> same time, using a similar configuration. Client IP addresses are out
> of my control.
Gmail butchered that diagram:
https://gist.github.com/ericcurtin/18abd507c0a391ba1089742bcd4cc37c
Forgot to CC the mailing list.
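The following is an added worked example for the "subnet to subnet using NAT" route Paul points at; it is not code from the thread or from the libreswan project. The core of the problem is that two conns with the identical selector pair 16.248.10.231/32 <-> 192.168.1.104/32 give the kernel no way to pick a tunnel for an outbound packet. The script below gives each tunnel its own local alias address as leftsubnet (so the (src, dst) selectors are disjoint), lets applications address each site under its own virtual prefix, rewrites that prefix to the real 192.168.1.0/24 with NETMAP, and source-NATs to the per-site alias so the policy lookup the kernel repeats after NAT lands on exactly one tunnel. The alias addresses 172.31.1.1 and 172.31.2.1, the virtual prefixes 10.1.1.0/24 and 10.2.1.0/24, the marks 1 and 2, the /24 in place of the thread's single /32 and the file name /etc/ipsec.d/overlap.conf are all assumptions chosen for the example. The caveat a practitioner needs: each peer must accept the alias, not 16.248.10.231, as the far-side selector, which is a change to the Cisco's and Juniper's crypto configuration that the thread says may not be possible to get.

```shell
#!/bin/sh
# Added example, not from the thread: reach two sites that both use
# 192.168.1.0/24 from one libreswan host by giving each tunnel a distinct
# local selector and each site its own "virtual" prefix for applications.
# Hypothetical values: alias addresses 172.31.1.1 / 172.31.2.1, virtual
# prefixes 10.1.1.0/24 / 10.2.1.0/24, marks 1 / 2, and a /24 instead of
# the thread's single /32 client. Each peer has to accept the alias as the
# far-side selector, which is a change on the peer's side.
# DRY_RUN=1 (the default) prints the commands instead of executing them.

DRY_RUN=${DRY_RUN:-1}
LOCAL=16.248.10.231          # address the libreswan host negotiates from
REMOTE=192.168.1.0/24        # the prefix every site uses (overlapping)

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# site_conn NAME PEER ALIAS: one conn per site. leftsubnet is the per-site
# alias, so the two conns have disjoint (src, dst) selectors even though
# rightsubnet is identical; the kernel picks the tunnel by source address.
site_conn() {
    cat <<EOF
conn $1
    type=tunnel
    left=$LOCAL
    leftsubnet=$3/32
    right=$2
    rightsubnet=$REMOTE
    authby=secret
    auto=start
    ike=aes256-sha1;modp1536
    phase2alg=aes256-sha1;modp1536

EOF
}

# site_nat NAME VIRTUAL ALIAS MARK: make the site reachable under VIRTUAL.
site_nat() {
    name=$1 virtual=$2 alias=$3 mark=$4
    # Own the alias so decrypted replies addressed to it are delivered locally.
    run ip addr add "$alias/32" dev lo
    # Remember the site before NAT hides the virtual prefix: mangle OUTPUT
    # runs before nat OUTPUT, and the skb mark is still set in POSTROUTING.
    run iptables -t mangle -A OUTPUT -d "$virtual" -j MARK --set-mark "$mark" \
        -m comment --comment "$name"
    # Rewrite the virtual prefix to the real, overlapping one.
    run iptables -t nat -A OUTPUT -d "$virtual" -j NETMAP --to "$REMOTE"
    # Source-NAT to the alias; the kernel repeats the IPsec policy lookup
    # after NAT, and (alias, 192.168.1.x) now matches exactly one tunnel.
    run iptables -t nat -A POSTROUTING -m mark --mark "$mark" -d "$REMOTE" \
        -j SNAT --to-source "$alias"
}

all_conns() {
    site_conn cisco   10.37.177.3 172.31.1.1
    site_conn juniper 10.37.177.4 172.31.2.1
}

main() {
    if [ "$DRY_RUN" = 1 ]; then
        all_conns
    else
        all_conns > /etc/ipsec.d/overlap.conf   # assumed file name
    fi
    site_nat cisco   10.1.1.0/24 172.31.1.1 1
    site_nat juniper 10.2.1.0/24 172.31.2.1 2
    run service ipsec restart
    # After this, 10.1.1.104 is the .104 behind the Cisco and 10.2.1.104
    # the .104 behind the Juniper; replies are un-NATed by conntrack.
}

main "$@"
```

Run it as-is to see the generated conns and rules; run it with DRY_RUN=0 as root on the libreswan host to apply them. Local applications then use the virtual addresses, which is the "hardcoded IPs or weird modified DNS" consequence Paul describes: the real 192.168.1.104 is never addressed directly from this host.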