[Openswan Users] Is this configuration possible??

Phillip T. George phillip at eacsi.com
Tue May 17 11:46:05 CEST 2005


Gary Danko wrote:

>>Gary Danko wrote:
>>
>>>I've done quite a bit of research and I am led to believe my desired
>>>configuration is not possible. Have a look at my small ASCII diagram and
>>>let me know if you think I can pull this off.
>>>
>>><--- Begin Diagram --->
>>>10.0.0.0/24 (Private HQ network)
>>>   |
>>>   |
>>>10.0.0.1 (Smoothwall 2.0 w/Openswan 1.0.8 GREEN interface)
>>>68.xx.xx.34 (Smoothwall RED interface)
>>>   |
>>>   |
>>>Public Internet
>>>   |
>>>   |
>>>209.xx.xx.244 (OpenSwan 2.3.1 on FC3 LeftIP)
>>>209.xx.xx.0/24 (OpenSwan 2.3.1 on FC3 LeftSubnet, public COLO network)
>>><--- End Diagram --->
>>>
>>>All of my reading has told me that because my LeftIP and LeftSubnet are
>>>on the same network I cannot have a VPN connection between my co-location
>>>facility and my HQ's network.
>>>
>>>Is there a way to facilitate this configuration that I have overlooked?
>>>I've checked documentation, usenet, the web, forums, and so forth... I
>>>cannot find anything supporting this sort of configuration.
>>>
>>>Thanks in advance.
>>>
>>>_______________________________________________
>>>Users mailing list
>>>Users at openswan.org
>>>http://lists.openswan.org/mailman/listinfo/users
>>>
>>I would think there would be some kind of workaround...  You probably
>>need to have some sort of virtual net interface which pretends to be a
>>LAN card and have a LAN IP.  This would seem to be more secure than
>>trying to use your Internet IP as the LAN (private) IP on your server @
>>the co-lo.  I'm kind of interested in this solution as well, because I
>>have 3 servers...it would be nice to be able to access a little bit more
>>than what other people can, and do it "directly".  For instance...if I
>>wanted to run a Samba share over IPSEC...that'd be great :)  I think
>>this is very possible, so keep on looking around for the answer if you
>>don't get it here :)  I'm probably going to try to set this up some day
>>if possible.
>>
>>-Phillip
>>
>
>I tried a variation of what Paul suggested.
>I changed the GREEN interface on my Smoothie at the datacenter to
>192.168.1.1. I then added a second IP 192.168.1.197 (197 corresponds to
>its public IP) to one of my machines at the datacenter. After that I added
>a static route on the machine for testing purposes.
>10.0.0.0 255.255.255.0 192.168.1.1
>My VPN was a success. I can ping, remote desktop, everything back and
>forth between the two.
>
>I just need to assign the IP 192.168.1.2 to the router and add a static
>route at that level.
>
>So far so good.
>

Good news :)  I don't know that adding a second IP would be the best 
idea...guess it shouldn't be a problem as long as you have a few good 
iptables rules.  Theoretically someone could add an IP in the same range 
and have access to your co-lo server AND your other location as 
well...if iptables is not properly set up...  I missed Paul's 
suggestion, so he might have already suggested something of this nature, 
so forgive me if I'm wasting your time :)

-Phillip
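An added example, not from any of the posters: a script for the co-lo machine that emits (or with --apply runs) the second-IP and static-route steps Gary describes, plus iptables rules against the hole Phillip raises, where another host on the shared public segment self-assigns a 192.168.1.x address and reaches the private IP and, through the route, HQ. The interface, MAC address and IPs are constructed placeholders; it assumes the tunnel terminates on the Smoothwall, so HQ traffic reaches this box in the clear from the gateway and is accepted only when it comes from the gateway's own MAC.

```shell
#!/bin/sh
# Added example (not from the thread). Default action prints the commands for
# review; "--apply" runs them as root on the co-lo machine.
# All values below are constructed placeholders; adjust them to your hosts.
PUB_IF=${PUB_IF:-eth0}                 # colo box's public NIC (shared segment)
PRIV_IP=${PRIV_IP:-192.168.1.197}      # second, private address on the colo box
GW_IP=${GW_IP:-192.168.1.1}            # Smoothwall GREEN address at the datacenter
GW_MAC=${GW_MAC:-00:11:22:33:44:55}    # Smoothwall's MAC on this segment (placeholder)
HQ_NET=${HQ_NET:-10.0.0.0/24}          # private HQ network behind the tunnel
PRIV_NET=${PRIV_NET:-192.168.1.0/24}   # private range overlaid on the colo segment

# Emit the address, route, anti-spoof and firewall commands, in order.
gen_rules() {
    cat <<EOF
ip addr add $PRIV_IP/24 dev $PUB_IF
ip route add $HQ_NET via $GW_IP dev $PUB_IF
sysctl -w net.ipv4.conf.$PUB_IF.rp_filter=1
iptables -N VPN_IN
iptables -I INPUT 1 -i $PUB_IF -j VPN_IN
iptables -A VPN_IN -s $HQ_NET -m mac --mac-source $GW_MAC -j ACCEPT
iptables -A VPN_IN -s $GW_IP -m mac --mac-source $GW_MAC -j ACCEPT
iptables -A VPN_IN -s $HQ_NET -j DROP
iptables -A VPN_IN -s $PRIV_NET -j DROP
iptables -A VPN_IN -d $PRIV_IP -j DROP
iptables -A VPN_IN -j RETURN
EOF
}

# Number of VPN_IN rules emitted, for a quick sanity check.
rule_count() { gen_rules | grep -c '^iptables -A'; }

case "${1:-}" in
    --apply) gen_rules | sh -e ;;   # apply on the colo machine (root)
    *)       gen_rules ;;           # default: print for review
esac
```

Anything addressed to the private IP that is not HQ traffic from the gateway's MAC is dropped, and ordinary public traffic falls through to the rest of INPUT via RETURN; MAC matching is only a stopgap on a shared segment, so the Smoothwall's own firewall should still restrict the tunnel to this one host.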