[Openswan Users] Is this configuration possible??

Gary Danko gdanko at s00p.com
Tue May 17 09:30:31 CEST 2005


> Gary Danko wrote:
>
>>I've done quite a bit of research and I am led to believe my desired
>>configuration is not possible. Have a look at my small ASCII diagram and
>>let me know if you think I can pull this off.
>>
>><--- Begin Diagram --->
>>10.0.0.0/24 (Private HQ network)
>>    |
>>    |
>>10.0.0.1 (Smoothwall 2.0 w/Openswan 1.0.8 GREEN interface)
>>68.xx.xx.34 (Smoothwall RED interface)
>>    |
>>    |
>>Public Internet
>>    |
>>    |
>>209.xx.xx.244 (OpenSwan 2.3.1 on FC3 LeftIP)
>>209.xx.xx.0/24 (OpenSwan 2.3.1 on FC3 LeftSubnet, public COLO network)
>><--- End Diagram --->
>>
>>All of my reading has told me that because my LeftIP and LeftSubnet are on
>>the same network I cannot have a VPN connection between my co-location
>>facility and my HQ's network.
>>
>>Is there a way to facilitate this configuration that I have overlooked?
>>I've checked documentation, usenet, the web, forums, and so forth.. I
>>cannot find anything supporting this sort of configuration.
>>
>>Thanks in advance.
>>
>
> I would think there would be some kind of work around...  You probably
> need to have some sort of virtual net interface which pretends to be a
> LAN card and have a LAN IP.  This would seem to be more secure than
> trying to use your Internet IP as the LAN (private) IP on your server @
> the co-lo.  I'm kind of interested in this solution as well, because I
> have 3 servers...it would be nice to be able to access a little bit more
> than what other people can, and do it "directly".  For instance...if I
> wanted to run a Samba share over IPSEC...that'd be great :)  I think
> this is very possible, so keep on looking around for the answer if you
> don't get it here :)  I'm probably going to try to set this up some day
> if possible.
>
> -Phillip
>
>


I tried a variation of what Paul suggested.
I changed the GREEN interface on my Smoothie at the datacenter to
192.168.1.1. I then added a second IP 192.168.1.197 (197 corresponds to
its public IP) to one of my machines at the datacenter. After that I added
a static route on the machine for testing purposes.
10.0.0.0 255.255.255.0 192.168.1.1
My VPN was a success. I can ping, remote desktop, everything back and
forth between the two.

I just need to assign the IP 192.168.1.2 to the router and add a static
route at that level.

So far so good.


