[Openswan Users] Is this configuration possible??

Paul Wouters paul at xelerance.com
Mon May 16 21:34:53 CEST 2005


On Mon, 16 May 2005, Gary Danko wrote:

> Public Internet
>    |
>    |
> 209.xx.xx.244 (OpenSwan 2.3.1 on FC3 LeftIP)
> 209.xx.xx.0/24 (OpenSwan 2.3.1 on FC3 LeftSubnet, public COLO network)
> <--- End Diagram --->
>
> All of my reading has told me that because my LeftIP and LeftSubnet are on
> the same network I cannot have a VPN connection between my co-location
> facility and my HQ's network.

Not directly, no. Just like you cannot deploy a firewall on 209.xx.xx.244 to
protect all of 209.xx.xx.0/24, since the packets do not go *through* your
server on 209.xx.xx.244, but directly to your machines in 209.xx.xx.0/24.

> Is there a way to facilitate this configuration that I have overlooked?

You could set up an IP alias on 209.xx.xx.244, for example:

ifconfig eth0:1 192.168.1.244 (if eth0 is your real interface).

Now you can build a tunnel from the remote end to 209.xx.xx.244 for
the subnet 192.168.1.0/24. If you add aliases to your machines in the
/24, you could reach them directly on their internal IP addresses.

Otherwise you can somehow try to NAT the 192.168.1.Y to 209.xx.xx.Y
through 192.168.1.1, but this will likely only work if you route 10/8
on the 209.xx.xx.0/24 machines via 209.xx.xx.244/192.168.1.244. In fact,
if you add a route to your machines for 10/8 to go to 192.168.1.244, then
you won't need NAT at all.

Do not use the 'ip' command to add IP addresses to the interface, since
openswan cannot handle that way of IP addressing.

If you get something like this to work, I'd be interested to hear about it.

Paul
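The alias-plus-route workaround described in the reply, as an added example that is not from the thread or from Openswan itself: a small POSIX shell script that derives each colo host's 192.168.1.Y alias from its public address, emits the ifconfig/route commands for that host, and emits the matching Openswan conn for the gateway. It assumes eth0 as the real interface, an HQ network of 10/8 (as the reply implies), a placeholder for HQ's public IP, and constructed addresses from the 198.51.100.0/24 documentation range standing in for the thread's 209.xx.xx.0/24.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: real interface is eth0,
# the gateway's alias is 192.168.1.244, HQ uses 10/8 as the reply implies.
HQ_NET=10.0.0.0
HQ_MASK=255.0.0.0
ALIAS_NET=192.168.1
GW_ALIAS=192.168.1.244

# Mirror the last octet of the public address into the alias range, so a
# host at PUBLIC.Y gets 192.168.1.Y, exactly as the reply suggests.
alias_for() {
    last=${1##*.}
    printf '%s.%s\n' "$ALIAS_NET" "$last"
}

# Commands to run (as root) on one colo host whose public IP is $1.
# ifconfig is used on purpose: the reply warns that Openswan 2.3.1 does not
# cope with addresses added through 'ip addr'.
colo_host_cmds() {
    a=$(alias_for "$1")
    echo "ifconfig eth0:1 $a netmask 255.255.255.0 up"
    # Every host except the gateway routes HQ's 10/8 via the gateway's
    # alias, so that traffic enters the tunnel instead of leaving by the
    # default route; with this route in place no NAT is needed.
    if [ "$a" != "$GW_ALIAS" ]; then
        echo "route add -net $HQ_NET netmask $HQ_MASK gw $GW_ALIAS"
    fi
}

# Openswan conn for the gateway (public IP $1): the tunnel carries the
# 192.168.1.0/24 alias range, not the public /24 the gateway itself sits in.
# HQ_PUBLIC_IP_PLACEHOLDER must be replaced with the real HQ endpoint.
gateway_conn() {
    cat <<EOF
conn colo-hq
    left=$1
    leftsubnet=$ALIAS_NET.0/24
    leftnexthop=%defaultroute
    right=HQ_PUBLIC_IP_PLACEHOLDER
    rightsubnet=$HQ_NET/8
    authby=secret
    auto=start
EOF
}
```

Pipe the output of `colo_host_cmds` into `sh` on each host after reviewing it, and append the output of `gateway_conn` to ipsec.conf on 209.xx.xx.244.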

