[Openswan Users] ip conflict question

John A. Sullivan III jsullivan at opensourcedevel.com
Sun Dec 4 00:19:46 CET 2005


On Fri, 2005-12-02 at 12:58 -0800, Trevor Benson wrote:
> > -----Original Message-----
> > From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Paul Wouters
> > Sent: Friday, November 25, 2005 1:18 PM
> > To: Nick
> > Cc: users at openswan.org
> > Subject: Re: [Openswan Users] ip conflict question
> > 
> > On Fri, 25 Nov 2005, Nick wrote:
> > 
> > > I also got to thinking about another possible ip conflict problem.
> > >
> > > Let's say that one roadwarrior gets an IP of 10.0.0.67, and connects to
> > > the ipsec gateway.  All is well for him.
> > >
> > > Then another roadwarrior at some other location gets the same internal IP
> > > address of 10.0.0.67.  Now what happens when this user tries to connect to
> > > the ipsec gateway?
> > >
> > > One of these (or both) users would be SOL (not sure how openswan would
> > > handle duplicate virtual ips).  This seems like it would be unlikely
> > > unless you had a lot of users, but still it could happen.
> > >
> > > I was thinking about the l2tp or dhcp-over-ipsec option to get the
> > > roadwarrior an ip from the LAN, but before any of that can happen doesn't
> > > the underlying ipsec connection (with the possible ip conflict) have to
> > > work?  With that assumption, then these other options wouldn't really help
> > > with that problem anyway.
> > 
> > That's correct. I believe IKEv2 might fix this, but I'm not sure.
> 
> Wouldn't this just be handled by both of the 10.0.0.67 IP's coming from
> a different NAT device, with a different public IP?
<snip>
In some of our work with the ISCS network security management project
(http://iscs.sourceforge.net), we have found this is an increasingly
common scenario.  With the explosive growth of home wireless networks
connected to broadband Internet connections and most of these devices
never having their default settings changed, lots of users have the
first IP address that Linksys or NetGear provide.

This becomes a problem for us because we dynamically alter the iptables
rules based upon the user's DN in their X.509 cert and cache it against
the IP address.  That's why we were investigating keying it to the
espspi - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

If you would like to participate in the development of an open source
enterprise class network security management system, please visit
http://iscs.sourceforge.net
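The following is an added illustration, not code from this thread or from the ISCS project, of the failure mode John describes: a per-user firewall-policy cache keyed on the road warrior's inner IP address silently gives one user the other user's rules when two clients behind different home NATs both arrive with 10.0.0.67, whereas keying on the tunnel itself (peer public address plus ESP SPI) keeps the two security associations apart. All DNs, addresses and SPI values are constructed for the example.

```python
"""Added example (not part of the Openswan mailing-list thread or ISCS):
a toy per-user firewall-policy cache showing why keying on the road
warrior's inner IP breaks when two remote users behind different NATs both
hold 10.0.0.67, and how keying on the tunnel (peer public IP + ESP SPI)
keeps them apart. All names, SPIs and addresses below are constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Tunnel:
    """Facts the gateway knows once IKE/IPsec is up for one peer."""
    user_dn: str        # DN from the client's X.509 certificate
    inner_ip: str       # virtual/LAN address the client uses inside the tunnel
    peer_ip: str        # public address of the NAT device the client sits behind
    esp_spi: int        # inbound ESP SPI negotiated for this SA


def allowed_ports_for(dn: str) -> frozenset:
    """Constructed per-user policy (stand-in for a real per-DN rule set)."""
    policy = {
        "CN=alice,O=example": frozenset({22, 443}),
        "CN=bob,O=example": frozenset({80}),
    }
    return policy.get(dn, frozenset())


def cache_by_inner_ip(tunnels):
    """Policy cache keyed only by inner IP: a later entry overwrites an
    earlier one with the same address, and nothing notices."""
    cache = {}
    for t in tunnels:
        cache[t.inner_ip] = (t.user_dn, allowed_ports_for(t.user_dn))
    return cache


def cache_by_tunnel(tunnels):
    """Policy cache keyed by (peer public IP, ESP SPI): unique per SA, and a
    genuine duplicate is an error rather than a silent overwrite."""
    cache = {}
    for t in tunnels:
        key = (t.peer_ip, t.esp_spi)
        if key in cache:
            raise ValueError(f"duplicate SA key {key}")
        cache[key] = (t.user_dn, allowed_ports_for(t.user_dn))
    return cache


def lookup_inner(cache, t):
    return cache[t.inner_ip]


def lookup_tunnel(cache, t):
    return cache[(t.peer_ip, t.esp_spi)]


def collision_report(tunnels):
    """For each tunnel, report whether the inner-IP cache would apply another
    user's rules to it, and whether the tunnel-keyed cache ever does."""
    by_ip = cache_by_inner_ip(tunnels)
    by_sa = cache_by_tunnel(tunnels)
    report = {}
    for t in tunnels:
        wrong_by_ip = lookup_inner(by_ip, t)[0] != t.user_dn
        wrong_by_sa = lookup_tunnel(by_sa, t)[0] != t.user_dn
        report[t.user_dn] = (wrong_by_ip, wrong_by_sa)
    return report


# Constructed scenario from the thread: two road warriors behind two
# different home routers, both handed 10.0.0.67 by the routers' default
# DHCP range, each with its own public address and its own ESP SA.
ALICE = Tunnel("CN=alice,O=example", "10.0.0.67", "198.51.100.10", 0xC0FFEE01)
BOB = Tunnel("CN=bob,O=example", "10.0.0.67", "203.0.113.25", 0xC0FFEE02)

if __name__ == "__main__":
    for dn, (bad_ip, bad_sa) in collision_report([ALICE, BOB]).items():
        print(f"{dn}: wrong rules when keyed by inner IP={bad_ip}, "
              f"by (peer IP, SPI)={bad_sa}")
```

Run stand-alone, the report shows Alice receiving Bob's rules under the inner-IP cache (Bob connected second and overwrote her entry) and both users correctly matched under the tunnel-keyed cache. On a Linux gateway the same distinction can be carried into the actual rules, since the iptables `policy` match (`-m policy --dir in --pol ipsec`) can select traffic by the SA's SPI rather than by the decrypted packet's source address.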