<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr">
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Verdana,Geneva,sans-serif;" dir="ltr">
<p></p>
<div>
<p>Howdy IPsec masters, <br>
</p>
<p><br>
</p>
<p>We have a solution that drives LibreSWAN IPsec connections from a small set of central servers out to our customer's environments. Our customers use a variety of IPsec routers (Cisco's, HP's, Juniper's, etc) configured to expose a small
<a title="/29" class="file">/29</a> or <a title="/30" class="file">/30</a> subnet of the customer's internal network, which has the target system(s) we want to reach.
<br>
</p>
<p><br>
</p>
<p>Currently we require that the subnet exposed by each customer be unique. But this is met with resistance, understandably, since many customers use the same internal RFC-1918 private address spaces (10.0.0.0/8, 172.[16-31].0.0/16, 192.168.0.0/16).
<br>
</p>
<p><br>
</p>
<p>Is there a way to create host-to-subnet or subnet-to-subnet IPsec connections where the rightsubnets (customer-side) are the same or overlap? It's my understanding that connections are indexed by the (leftsubnet, rightsubnet) tuple, but when I try this I
get "cannot route -- route already in use" errors when I bring up the second+ connection of those with duplicate rightsubnets.
<br>
</p>
<p><br>
</p>
<p>We control the leftsubnets and we can manage a pool of these so we assign a unique leftsubnet to each customer. The left IP address is fixed, as that's our server's public IP; and the customer's right IP is also a given and cannot be changed. Most of these
connections will be up at the same time. <br>
</p>
<p><br>
</p>
<p>Example (fixed-width font, apologies to those with proportional font): <br>
</p>
<p><br>
</p>
<p><span style="font-size: 12pt;"></span><span style="font-family: "Courier New",monospace;"><span style="font-family: "Courier New",monospace;"> </span><span style="font-family: "Courier New",monospace;">leftsubnet left right
rightsubnet who</span></span><br>
<span style="font-family: "Courier New",monospace;"> </span><span style="font-family: "Courier New",monospace;"><span style="font-family: "Courier New",monospace;"> </span><span style="font-family: "Courier New",monospace;">
</span><span style="font-family: "Courier New",monospace;">172.16.0.1/32 === 16.16.16.16 ... 99.99.99.99 === 192.168.0.1/30 cust-00001</span></span><br>
<span style="font-family: "Courier New",monospace;"> 172.16.0.2/32 === 16.16.16.16 ... 12.34.56.78 === 192.168.0.1/30 cust-00002</span><br>
<span style="font-family: "Courier New",monospace;"> 172.16.0.3/32 === 16.16.16.16 ... 77.88.99.11 === 192.168.0.1/30 cust-00003</span><br>
<span style="font-family: "Courier New",monospace;"></span></p>
<div style="padding-left: 30pt"><span style="font-family: "Courier New",monospace;"> ...
</span></div>
<span style="font-family: "Courier New",monospace;"> 172.31.255.254/32 === 16.16.16.16 ... 55.66.77.88 === 192.168.0.1/30 cust-ffffe</span><br>
<br>
<p>In the above, the "left" is the same server, while the right's are all different customer routers/networks.
<br>
</p>
<p><br>
</p>
<p>If this isn't the the correct approach, perhaps NAT-games would help?<br>
</p>
<p><br>
</p>
<p>Thanx all, any help appreciated! </p>
<p>- Steve </p>
</div>
<br>
<p></p>
</div>
</body>
</html>