[Swan] Clashing private IP addresses

Eric Curtin ericcurtin17 at gmail.com
Thu Jun 8 20:36:42 UTC 2017


On 8 June 2017 at 21:00, Paul Wouters <paul at nohats.ca> wrote:
> On Thu, 8 Jun 2017, Eric Curtin wrote:
>
>
>> https://gist.github.com/ericcurtin/18abd507c0a391ba1089742bcd4cc37c
>
>
>>> By the sounds of it, I am stuck with option two that you are referring
>>> to, I would use a configuration like follows to connect to the cisco
>>> based client:
>
>
> I'm still not seeing the entire picture. Does "Some client 1" and "Some
> client 2" need to be able to access things only as a client? Or does
> your network need to be able to initiate to "Some client 1" and initiate
> to "Some client 2" ? This latter is not really possible, since you would
> need to convey which of the two 192.168.1.104's you want to talk to.
> (You can do this with marking and vti or something but it gets ugly
> fast)
>
> If your network hands out an IP address to Some Client, then you can
> assign those IPs from your own address pool. Then each Some Client gets
> their own non-conflicting IP address. If you pick a non-RFC1918 range
> (eg a /27 from your own valid public range, or from 100.64.0.0/16) then
> you should never have a conflict.
>
> You can then also "split VPN" the client, so they only use that VPN
> connection to talk to one of your subnet ranges.
>
>>> conn cisco
>>>     type=tunnel
>>>     left=16.248.10.231
>>>     leftsubnet=16.248.10.231/32
>>>     leftsourceip=16.248.10.231
>>>     right=10.37.177.3
>>>     rightsubnet=192.168.1.104/32
>>>     rightsourceip=10.37.177.3
>
>
> This combi rightsubnet and rightsourceip won't work.
>
> So I think what I mentioned as the first options would be the one you
> want.
>
> Paul

That combi rightsubnet and rightsourceip is working with the Cisco
RV325 router at present, not with our Juniper one (it's some SRX
model, don't know off the top of my head). We have two listeners on
port 2371 on "Some client" 1 & 2, which the CentOS 6 machine needs to
reach out to. Since you describe techniques such as marking and vti as
ugly, I guess possibly it's not the way to go.

In production, we have 7 left nodes, so we could potentially just
restrict the number of duplicate IPs allowed to the number of nodes on
the left, but this is a restriction we may not be able to afford, so we
may have to consider an ugly option.
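Paul's first option, written out as an ipsec.conf fragment for the libreswan side: the gateway hands each remote a unique address from its own pool in the 100.64.0.0/10 shared-address space (RFC 6598, not RFC 1918, so it cannot collide with the remotes' 192.168.1.0/24 LANs), and only advertises one local range so the remote routes nothing else through the tunnel. This is an added example, not configuration from the thread; the connection name, the pool range 100.64.1.1-100.64.1.30, the certificate-based authentication lines and the certificate names are assumed.

```ini
# Added example (assumed values), not configuration from the thread.
# Libreswan gateway side: every remote peer that matches this conn gets
# its own address from the pool below, so two remotes that both use
# 192.168.1.104 internally no longer present the same address to us.
conn clients
    type=tunnel
    # Our gateway address and the only local range exposed to remotes
    # (split VPN: the remote only sends traffic for this range to us).
    left=16.248.10.231
    leftsubnet=16.248.10.231/32
    leftsourceip=16.248.10.231
    # Remotes may connect from any address.
    right=%any
    # Each remote is assigned a unique address from our own pool.
    # 100.64.0.0/10 is RFC 6598 shared address space, not RFC 1918,
    # so it cannot clash with a remote's private LAN.
    # rightaddresspool must not be combined with rightsubnet.
    rightaddresspool=100.64.1.1-100.64.1.30
    # IKEv2 with narrowing is required for address pools.
    ikev2=insist
    narrowing=yes
    # Authentication is assumed here: gateway certificate plus a
    # certificate from the same CA on every remote.
    authby=rsasig
    leftcert=gateway
    leftid=%fromcert
    leftsendcert=always
    rightid=%fromcert
    rightca=%same
    auto=add
```

With this in place, the gateway addresses "Some client 1" and "Some client 2" by their pool addresses (for example 100.64.1.1 and 100.64.1.2) rather than by the clashing 192.168.1.104, which removes the ambiguity Paul describes. Whether the remote router exposes its port 2371 listener on the address it was assigned (rather than on 192.168.1.104) depends on the remote device and is not established by the thread.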
