[Swan] Clashing private IP addresses

Paul Wouters paul at nohats.ca
Thu Jun 8 20:00:14 UTC 2017


On Thu, 8 Jun 2017, Eric Curtin wrote:


> https://gist.github.com/ericcurtin/18abd507c0a391ba1089742bcd4cc37c

>> By the sounds of it, I am stuck with option two that you are referring
>> to, I would use a configuration like follows to connect to the cisco
>> based client:

I'm still not seeing the entire picture. Do "Some client 1" and "Some
client 2" need to be able to access things only as a client? Or does
your network need to be able to initiate to "Some client 1" and initiate
to "Some client 2"? This latter is not really possible, since you would
need to convey which of the two 192.168.1.104's you want to talk to.
(You can do this with marking and vti or something, but it gets ugly
fast.)

If your network hands out an IP address to Some Client, then you can
assign those IPs from your own address pool. Then each Some Client gets
their own non-conflicting IP address. If you pick a non-RFC1918 range
(e.g. a /27 from your own valid public range, or from 100.64.0.0/16) then
you should never have a conflict.

You can then also "split VPN" the client, so they only use that VPN
connection to talk to one of your subnet ranges.

>> conn cisco
>>     type=tunnel
>>     left=16.248.10.231
>>     leftsubnet=16.248.10.231/32
>>     leftsourceip=16.248.10.231
>>     right=10.37.177.3
>>     rightsubnet=192.168.1.104/32
>>     rightsourceip=10.37.177.3

This combination of rightsubnet and rightsourceip won't work.

So I think what I mentioned as the first option would be the one you
want.

Paul
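The first option Paul describes (the gateway hands each client an address from its own non-RFC1918 pool and the client only routes one of the gateway's subnets over the tunnel) would look roughly like this in libreswan's ipsec.conf. This is an added illustration, not configuration from the thread; the gateway address is taken from Eric's snippet, while the 16.248.10.0/24 subnet, the pool range and the authentication settings are assumptions.

```conf
# Added example (not from the mailing list thread). Clients are given
# addresses from a /27 carved out of 100.64.0.0/16, so a client whose home
# LAN is 192.168.1.0/24 can never collide with another client's LAN or with
# the VPN-assigned address.
conn roadwarrior-pool
    # the gateway, as in Eric's config
    left=16.248.10.231
    # only this subnet is reached through the tunnel ("split VPN");
    # the exact range is an assumption for this example
    leftsubnet=16.248.10.0/24
    # any client may connect; each gets one address from the pool below
    right=%any
    # 30 usable addresses from a /27 inside 100.64.0.0/16, not RFC1918,
    # so no clash with clients' own 192.168.x.x / 10.x.x.x LANs
    rightaddresspool=100.64.0.1-100.64.0.30
    # assumed authentication method; substitute whatever the clients use
    authby=secret
    ikev2=insist
    auto=add
```

Note that no rightsubnet is set: the client's tunnel address comes from rightaddresspool, which is why the earlier rightsubnet plus rightsourceip combination is not needed here.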
