[Openswan Users] NAT based upon tunnel (fwd)

Michael Richardson mcr at xelerance.com
Wed Oct 6 15:14:39 CEST 2004


    >> I am confronted with the classic scenario of a VPN WAN with two
    >> branch offices with conflicting IP address space. Normally, we
    >> resolve this problem by NETMAPping one of the sites at the remote
    >> gateway and before the traffic enters the tunnel.  In this case,
    >> we do not have the ability to NAT on the remote site and must
    >> handle the conflict resolution at the head office.

    Paul> Eww. You also cannot remap the other remote side?

  Please plan to renumber the offices.
  Any solution will be a hack, and this is one of the penalties of using
private address space.
  There are solutions that know how to NAT before the tunnel.
  My recommendation is to just use two boxes, and do 1-1 NAT.

  You may find that using vServers, UML or Vmware is also workable.

    Paul> Frankly, I think this is more a management problem than a
    Paul> technical problem.  You have been too nice and should say
    Paul> 'this is not possible, one location must renumber'.

  I concur. You must plan to do this, period.

--
]     "Elmo went to the wrong fundraiser" - The Simpson         |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr at xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
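The "NAT before the tunnel" hack described above, as an added example that is not part of the original post or of Openswan itself. It assumes a constructed scenario: both branches use 192.168.1.0/24, and the head office picks 10.10.1.0/24 as the alias under which it addresses branch B. The translation is the 1:1 (NETMAP-style) mapping a separate NAT box would apply between the head-office LAN and the VPN gateway: host bits are kept, only the network bits are swapped. The iptables rule strings the helper emits are for that NAT box; the tunnel selectors on the VPN gateway keep using the real 192.168.1.0/24, because the translation happens outside the tunnel. The subnet values and the idea of validating the mapping before deploying it are assumptions for illustration.

```python
import ipaddress
from typing import List

# Constructed example values (assumptions, not from the original post):
# both branches sit on 192.168.1.0/24; the head office addresses branch B
# through the alias 10.10.1.0/24.
CONFLICT_NET = "192.168.1.0/24"
ALIAS_NET = "10.10.1.0/24"


def netmap(addr: str, real_net: str, alias_net: str) -> str:
    """1:1 NAT of a single address: keep the host bits, swap the network bits.

    This is exactly what the iptables NETMAP target does per packet; computing
    it here lets you check the address plan before touching the NAT box.
    """
    real = ipaddress.ip_network(real_net, strict=True)
    alias = ipaddress.ip_network(alias_net, strict=True)
    # A 1:1 mapping only works between networks of identical size; a mismatch
    # would silently alias several hosts onto one address.
    if real.prefixlen != alias.prefixlen:
        raise ValueError("1:1 NAT needs equal-sized networks")
    ip = ipaddress.ip_address(addr)
    if ip not in real:
        raise ValueError(f"{addr} is not inside {real_net}")
    host_bits = int(ip) - int(real.network_address)
    return str(alias.network_address + host_bits)


def netmap_rules(real_net: str, alias_net: str) -> List[str]:
    """iptables NETMAP rules for a NAT box placed between the head-office LAN
    and the VPN gateway that terminates the tunnel to the conflicting branch.

    PREROUTING: head-office traffic sent to the alias range gets its
                destination rewritten to the real range before it is routed
                to the VPN gateway (and hence before it enters the tunnel).
    POSTROUTING: replies that the VPN gateway has already decapsulated carry
                the real range as source; rewrite it to the alias range so
                the head-office LAN never sees the conflicting prefix.
    In a real deployment add -i / -o for the LAN-facing interface so the
    rules cannot match traffic from the other branch.
    """
    # Reuse the size check so broken plans fail here, not on the firewall.
    netmap(str(ipaddress.ip_network(real_net).network_address), real_net, alias_net)
    return [
        f"iptables -t nat -A PREROUTING -d {alias_net} -j NETMAP --to {real_net}",
        f"iptables -t nat -A POSTROUTING -s {real_net} -j NETMAP --to {alias_net}",
    ]


def translation_table(real_net: str, alias_net: str, hosts: List[str]) -> dict:
    """Map each real host address to the alias the head office must use."""
    return {h: netmap(h, real_net, alias_net) for h in hosts}


if __name__ == "__main__":
    for rule in netmap_rules(CONFLICT_NET, ALIAS_NET):
        print(rule)
    # Constructed host list for the branch B LAN.
    for real, alias in translation_table(CONFLICT_NET, ALIAS_NET,
                                         ["192.168.1.10", "192.168.1.37"]).items():
        print(f"{real:>16} -> {alias}")
```

Usage: run the script on the address plan first; if `netmap` raises because the prefix lengths differ, the plan is not a 1:1 mapping and NETMAP will not do what you expect. Note that DNS and any application that embeds addresses in its payload (FTP, SIP, some RPC) will still leak the real range, which is one reason the advice above remains "renumber".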

