[Swan] Duplicate RightSubnets by Varying LeftSubnets?

Paul Wouters paul at nohats.ca
Thu Jun 22 18:47:08 UTC 2017


On Thu, 22 Jun 2017, Roscio, Steve wrote:

> Currently we require that the subnet exposed by each customer be unique. But this is met with
> resistance, understandably, since many customers use the same internal RFC-1918 private address spaces
> (10.0.0.0/8, 172.[16-31].0.0/16, 192.168.0.0/16).
> 
> Is there a way to create host-to-subnet or subnet-to-subnet IPsec connections where the rightsubnets
> (customer-side) are the same or overlap?

Yes, when you use MARKing. You can also combine MARK with VTI
interfaces. See:

https://libreswan.org/wiki/Route-based_VPN_using_VTI

While this will resolve your issue of where to send replies to,
it still requires flows originating from your end to be told
for which target 192.168.1.1 these are meant. You can do that
by MARKing the packets (via iptables, custom kernel module, etc.).

Some people build a NAT'ed IP range for their customers, so to
them all their customers appear as unique IPs, then de-NAT these
into the customers' real IPs before it hits the IPsec tunnel.

A completely different solution is to use a container/cloud
instance which only contains one customer per instance, so it
will never conflict.

Paul
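The MARK approach from the reply above, as an added worked example that is not part of the original thread or of libreswan itself: a small generator that emits one libreswan `conn` per customer where left, leftsubnet and even rightsubnet may be identical across customers and only the peer address and the `mark=` value differ, plus the matching iptables MARK rules that tell locally originated flows which customer's 192.168.1.x they are meant for. The option names (`mark=`, `authby=`, `auto=`) are the ones libreswan's ipsec.conf uses; the gateway addresses, customer names, fwmark values and the idea of keying the mark on the uid of a per-customer worker process are all constructed assumptions for the example.

```python
"""Generate libreswan conn stanzas and iptables MARK rules for customers whose
rightsubnets overlap. Every conn differs only by peer address and fwmark.
Added example, not libreswan code. All addresses, names and uids are constructed."""
from dataclasses import dataclass
from ipaddress import ip_network
from itertools import combinations

LEFT_GW = "198.51.100.10"      # constructed: our IPsec gateway (same for all conns)
LEFT_SUBNET = f"{LEFT_GW}/32"  # host-to-subnet: our side is identical for every customer
MARK_MASK = "0xffffffff"       # match the full 32-bit fwmark


@dataclass(frozen=True)
class Customer:
    name: str
    right: str        # constructed: customer's IPsec gateway address
    rightsubnet: str  # customer's internal range; may collide with another customer
    uid: int          # hypothetical: the worker talking to this customer runs as this uid


def assign_marks(customers, base=100):
    """Give every customer a distinct fwmark so the kernel can keep the
    otherwise identical IPsec policies apart."""
    return {c.name: base + i for i, c in enumerate(customers)}


def overlapping_pairs(customers):
    """Report which customers would be ambiguous without marks."""
    return [
        (a.name, b.name)
        for a, b in combinations(customers, 2)
        if ip_network(a.rightsubnet).overlaps(ip_network(b.rightsubnet))
    ]


def render_conn(c, mark):
    """One ipsec.conf conn; rightsubnet is allowed to repeat across conns."""
    subnet = ip_network(c.rightsubnet)  # raises on a malformed range
    return "\n".join([
        f"conn {c.name}",
        f"    left={LEFT_GW}",
        f"    leftsubnet={LEFT_SUBNET}",
        f"    right={c.right}",
        f"    rightsubnet={subnet}",
        f"    mark={mark}/{MARK_MASK}",
        "    authby=secret",
        "    auto=start",
    ])


def render_mark_rule(c, mark):
    """Mark packets from this customer's worker uid so they pick that customer's
    policy even though the destination address is shared with other customers."""
    return (
        f"iptables -t mangle -A OUTPUT -m owner --uid-owner {c.uid} "
        f"-d {c.rightsubnet} -j MARK --set-mark {mark}"
    )


def build(customers):
    """Return (ipsec.conf text, iptables rule text) for the whole customer set."""
    marks = assign_marks(customers)
    conf = "\n\n".join(render_conn(c, marks[c.name]) for c in customers)
    rules = "\n".join(render_mark_rule(c, marks[c.name]) for c in customers)
    return conf, rules


# Constructed sample: two customers share 192.168.1.0/24, a third does not.
CUSTOMERS = [
    Customer("acme", "203.0.113.5", "192.168.1.0/24", 1001),
    Customer("globex", "203.0.113.9", "192.168.1.0/24", 1002),
    Customer("initech", "203.0.113.20", "10.20.0.0/16", 1003),
]

if __name__ == "__main__":
    print("overlapping:", overlapping_pairs(CUSTOMERS))
    conf, rules = build(CUSTOMERS)
    print(conf)
    print()
    print(rules)
```

Without the `mark=` lines, acme and globex would install the same selectors (same leftsubnet, same rightsubnet) and only one could win; with distinct marks both policies coexist and the OUTPUT rule decides which tunnel a locally generated packet enters. Inbound traffic is disambiguated by the SA it arrived on, which is the part the reply says MARK (or MARK plus VTI) already solves. The uid-based selector is only one way to tell flows apart; any other iptables match that identifies the customer works the same way.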

