[Swan] Duplicate RightSubnets by Varying LeftSubnets?

Roscio, Steve steve.roscio at hpe.com
Thu Jun 22 18:41:12 UTC 2017


Howdy IPsec masters,

We have a solution that drives LibreSWAN IPsec connections from a small set of central servers out to our customers' environments. Our customers use a variety of IPsec routers (Cisco, HP, Juniper, etc.) configured to expose a small /29 or /30 subnet of the customer's internal network, which has the target system(s) we want to reach.

Currently we require that the subnet exposed by each customer be unique. But this is met with resistance, understandably, since many customers use the same internal RFC-1918 private address spaces (10.0.0.0/8, 172.[16-31].0.0/16, 192.168.0.0/16).

Is there a way to create host-to-subnet or subnet-to-subnet IPsec connections where the rightsubnets (customer-side) are the same or overlap? It's my understanding that connections are indexed by the (leftsubnet, rightsubnet) tuple, but when I try this I get "cannot route -- route already in use" errors when I bring up the second+ connection of those with duplicate rightsubnets.

We control the leftsubnets and we can manage a pool of these so we assign a unique leftsubnet to each customer. The left IP address is fixed, as that's our server's public IP; and the customer's right IP is also a given and cannot be changed. Most of these connections will be up at the same time.

Example (fixed-width font, apologies to those with proportional font):

     leftsubnet            left           right          rightsubnet      who
   172.16.0.1/32     === 16.16.16.16 ... 99.99.99.99 === 192.168.0.1/30 cust-00001
   172.16.0.2/32     === 16.16.16.16 ... 12.34.56.78 === 192.168.0.1/30 cust-00002
   172.16.0.3/32     === 16.16.16.16 ... 77.88.99.11 === 192.168.0.1/30 cust-00003
   ...
   172.31.255.254/32 === 16.16.16.16 ... 55.66.77.88 === 192.168.0.1/30 cust-ffffe

In the above, the "left" is the same server, while the right sides are all different customer routers/networks.

If this isn't the correct approach, perhaps NAT-games would help?

Thanx all, any help appreciated!
- Steve
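As an added example (not part of the original post, and not Libreswan's own tooling), the following Python script parses a minimal ipsec.conf-style set of conn blocks and reports which connections have overlapping rightsubnets, which have overlapping leftsubnets, and whether every (leftsubnet, rightsubnet) pair is distinct. The sample conns are constructed from the table in the post (the addresses are the post's illustrative values, with one extra conn added to show a non-overlapping case); the function and variable names are this example's own.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in ipsec.conf syntax, mirroring the table in the post.
# cust-00003 uses a /29 to show that overlap detection is not just equality.
SAMPLE_CONF = """
conn cust-00001
    left=16.16.16.16
    leftsubnet=172.16.0.1/32
    right=99.99.99.99
    rightsubnet=192.168.0.1/30

conn cust-00002
    left=16.16.16.16
    leftsubnet=172.16.0.2/32
    right=12.34.56.78
    rightsubnet=192.168.0.1/30

conn cust-00003
    left=16.16.16.16
    leftsubnet=172.16.0.3/32
    right=77.88.99.11
    rightsubnet=192.168.0.0/29

conn cust-other
    left=16.16.16.16
    leftsubnet=172.16.0.4/32
    right=55.66.77.88
    rightsubnet=10.1.2.0/29
"""


def parse_conns(text):
    """Return {conn_name: {key: value}} from minimal ipsec.conf-style text."""
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        m = re.match(r"^conn\s+(\S+)\s*$", line)
        if m:
            current = m.group(1)
            conns[current] = {}
            continue
        if current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns


def _net(value):
    # strict=False so a host address with a prefix (192.168.0.1/30) is
    # normalised to its network (192.168.0.0/30) instead of raising.
    return ipaddress.ip_network(value, strict=False)


def find_overlaps(conns, side="rightsubnet"):
    """Sorted list of (conn_a, conn_b) whose subnets on `side` overlap."""
    nets = {name: _net(cfg[side]) for name, cfg in conns.items() if side in cfg}
    names = sorted(nets)
    pairs = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                pairs.append((a, b))
    return pairs


def selector_tuples_unique(conns):
    """True if every (leftsubnet, rightsubnet) pair is distinct across conns."""
    seen = defaultdict(list)
    for name, cfg in conns.items():
        key = (str(_net(cfg["leftsubnet"])), str(_net(cfg["rightsubnet"])))
        seen[key].append(name)
    return all(len(names) == 1 for names in seen.values())


def audit(text):
    """Run all checks over one ipsec.conf-style text and return a report dict."""
    conns = parse_conns(text)
    return {
        "conns": len(conns),
        "rightsubnet_overlaps": find_overlaps(conns, "rightsubnet"),
        "leftsubnet_overlaps": find_overlaps(conns, "leftsubnet"),
        "tuples_unique": selector_tuples_unique(conns),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_CONF)
    print(f"{report['conns']} conns parsed")
    for a, b in report["rightsubnet_overlaps"]:
        print(f"rightsubnet overlap: {a} <-> {b}")
    for a, b in report["leftsubnet_overlaps"]:
        print(f"leftsubnet overlap:  {a} <-> {b}")
    print("all (leftsubnet, rightsubnet) tuples unique:", report["tuples_unique"])
```

On the sample above the script reports three rightsubnet overlaps (cust-00001/cust-00002, cust-00001/cust-00003, cust-00002/cust-00003), no leftsubnet overlaps, and all selector tuples unique, which is exactly the shape of the pool the post describes: unique tuples, but a shared remote subnet on every conn except the last. Running a check like this over a generated pool before loading it makes it obvious which conns will contend for the same remote prefix.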


