[Openswan Users] ip conflict question

Paul Wouters paul at xelerance.com
Fri Nov 25 07:33:51 CET 2005


On Thu, 24 Nov 2005, Nick wrote:

> I am trying to get a VPN working such that a road-warrior will work no
> matter where they are at.
>
> For example I can come up with the following situation:
>
> The network at work is 192.168.0.0/24.
>
> A laptop user is at a hotel with internet access, which assigned him a
> 192.168.0.100/24 ip address via dhcp.

> Is there any way to get around that problem, or will it just never be able
> to work?

It will just not work. The only 100% working solution is to use real
unique IP address space inside the company network, or at least as
your "VPN IP space pool". For example, say that you request space and
get a.b.c.0/24 assigned to you. Use this as the LAN range on your VPN;
it will never conflict with other people's LAN. If you don't want to
deal with this strange range inside your company, you can always NAT
it one to one, e.g. a.b.c.0/24 <==> 192.168.13.0/24, and then your
internal company can keep using 192.168.0.0/16 for access control.

caveat: your VPN'ed machines could become exposed to real IP, and
the VPN gateway might need to firewall those (or AS blackhole the
traffic)

Other solutions that might work most of the time:

- Pick an RFC1918 range that is hardly in use as your office address space
  (e.g. 10.254.254.0/24) [now don't all start using this]

- Pick a pseudo bogus range, e.g. 128.0.0.0/24, as your VPN internal range.

- Put your VPN server in a small /30 range outside of private IP
  space and use NAT.

If all else fails, wait for IPv6 :)

Paul

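As an added illustration of the overlap problem and the one-to-one NAT suggested above (this is not code from the thread or from Openswan), a small Python check; 203.0.113.0/24 (RFC 5737 documentation space) stands in as a placeholder for the a.b.c.0/24 pool, and all addresses are constructed:

```python
"""Check a road-warrior's local LAN against the VPN's internal range and
model one-to-one NAT between a unique pool and an internal subnet.
Added example; the address values used are constructed placeholders."""
import ipaddress


def conflicts(client_lan: str, vpn_lan: str) -> bool:
    """True when the two ranges overlap, i.e. the client's own LAN would
    swallow routes to the VPN-side network (the 192.168.0.0/24 hotel case)."""
    return ipaddress.ip_network(client_lan, strict=False).overlaps(
        ipaddress.ip_network(vpn_lan, strict=False))


def nat_one_to_one(addr: str, from_net: str, to_net: str) -> str:
    """Map addr from from_net onto to_net, keeping the host part unchanged.
    Both networks must be the same size (same prefix length)."""
    src = ipaddress.ip_network(from_net, strict=False)
    dst = ipaddress.ip_network(to_net, strict=False)
    ip = ipaddress.ip_address(addr)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("one-to-one NAT needs equal-sized networks")
    if ip not in src:
        raise ValueError(f"{addr} is not inside {from_net}")
    host = int(ip) - int(src.network_address)   # host bits survive the mapping
    return str(dst.network_address + host)


def usable_pools(client_lan: str, candidates) -> list:
    """Return the candidate VPN pools that do not overlap the client's LAN."""
    return [c for c in candidates if not conflicts(client_lan, c)]


if __name__ == "__main__":
    # constructed: the hotel hands out 192.168.0.0/24, same as the office LAN
    print(conflicts("192.168.0.100/24", "192.168.0.0/24"))        # True
    # 203.0.113.0/24 is a placeholder for the unique a.b.c.0/24 pool
    print(usable_pools("192.168.0.100/24",
                       ["192.168.0.0/24", "10.254.254.0/24", "203.0.113.0/24"]))
    # map a pool address onto the internal 192.168.13.0/24 range and back
    print(nat_one_to_one("203.0.113.7", "203.0.113.0/24", "192.168.13.0/24"))
    print(nat_one_to_one("192.168.13.7", "192.168.13.0/24", "203.0.113.0/24"))
```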
