[Openswan Users] NAT based upon tunnel (fwd)

Michael Richardson mcr at xelerance.com
Wed Oct 6 15:14:39 CEST 2004


    >> I am confronted with the classic scenario of a VPN WAN with two
    >> branch offices with conflicting IP address space. Normally, we
    >> resolve this problem by NETMAPping one of the sites at the remote
    >> gateway and before the traffic enters the tunnel.  In this case,
    >> we do not have the ability to NAT on the remote site and must
    >> handle the conflict resolution at the head office.

    Paul> Eww. You also cannot remap the other remote side?

  Please plan to renumber the offices.
  Any solution will be a hack, and this is one of the penalties of using
private address space.
  There are solutions that know how to NAT before the tunnel.
  My recommendation is to just use two boxes, and do 1-1 NAT.

  You may find that using vServers, UML or Vmware is also workable.

    Paul> Frankly, I think this is more a management problem than a
    Paul> technical problem.  You have been too nice and should say
    Paul> 'this is not possible, one location must renumber'.

  I concur. You must plan to do this, period.

--
]     "Elmo went to the wrong fundraiser" - The Simpson         |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr at xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
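As an added illustration, not code from the thread or from Openswan, here is the 1:1 NETMAP arithmetic behind the "two boxes, 1-1 NAT" advice: two branches that both use 192.168.1.0/24 (constructed conflict) are each given a hypothetical non-overlapping range (10.101.1.0/24 and 10.102.1.0/24) that the head office sees instead, with the host bits preserved, plus the iptables NETMAP rules such a per-branch NAT box would carry before the traffic enters the tunnel.

```python
import ipaddress

# Constructed scenario: both branch offices use the same private subnet,
# so the head office cannot hold routes to both of them at once.
BRANCH_A = ipaddress.ip_network("192.168.1.0/24")
BRANCH_B = ipaddress.ip_network("192.168.1.0/24")

# Hypothetical non-conflicting ranges the head office will address instead.
MAPPED_A = ipaddress.ip_network("10.101.1.0/24")
MAPPED_B = ipaddress.ip_network("10.102.1.0/24")


def conflicts(a, b):
    """True when two subnets overlap and therefore cannot share a routing table."""
    return a.overlaps(b)


def netmap(addr, src, dst):
    """1:1 translation the way iptables NETMAP does it: keep the host bits of
    addr, replace the network bits of src with those of dst. Both networks
    must have the same prefix length."""
    if src.prefixlen != dst.prefixlen:
        raise ValueError("NETMAP needs equal-size networks")
    addr = ipaddress.ip_address(addr)
    if addr not in src:
        raise ValueError(f"{addr} is not inside {src}")
    host_bits = int(addr) & int(src.hostmask)
    return ipaddress.ip_address(int(dst.network_address) | host_bits)


def plan(branch_nets, mapped_nets):
    """Pair each real branch subnet with its mapped range and check that the
    mapped ranges do not collide with each other (that is the whole point)."""
    rules = list(zip(branch_nets, mapped_nets))
    for real, mapped in rules:
        if real.prefixlen != mapped.prefixlen:
            raise ValueError(f"{mapped} must be the same size as {real}")
    for i, (_, m1) in enumerate(rules):
        for _, m2 in rules[i + 1:]:
            if conflicts(m1, m2):
                raise ValueError(f"mapped ranges overlap: {m1} and {m2}")
    return rules


def iptables_rules(real, mapped):
    """NETMAP rules for the NAT box in front of one branch's tunnel endpoint:
    outbound traffic is rewritten to the mapped source, inbound traffic
    addressed to the mapped range is rewritten back to the real subnet."""
    return [
        f"iptables -t nat -A POSTROUTING -s {real} -j NETMAP --to {mapped}",
        f"iptables -t nat -A PREROUTING -d {mapped} -j NETMAP --to {real}",
    ]
```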