[Openswan Users] overlapping networks with nat-t

Marco Berizzi pupilla at hotmail.com
Thu Jan 19 12:03:16 CET 2006


Paul Wouters wrote:

>On Wed, 18 Jan 2006, Marco Berizzi wrote:
>
> > I have successfully deployed NAT-T on my various
> > linux 2.6 (netkey) gateways with OSW 2.4.4. It's
> > working good with Windoze XPsp2. Now, mobile
> > users are able to connect to my private lan (which
> > is a 172.16.0.0/23) from others company private
> > networks. My osw box is also tunnelling ipsec traffic
> > from/to a (very common) 192.168.1.0 network. This
> > prevents roadwarriors which are connected to a
> > 192.168.1.0 network from connecting to my network. I
> > cannot change any network ip address. Is there any
> > solution to this problem? DHCP over IPsec? Does
> > windows XPsp2 support it?
>
>an ugly hack is to set up a tunnel for another range,
>e.g. 127.168.1.0/24 and then run SNAT / DNAT on the
>packets. Be careful not to NAT the ipsec packets

Are you telling me that I should modify the tunnel to my
company branch office to anything other than 192.168.1.0,
so that roadwarriors from other companies' networks with that
class could connect (and then play with SNAT/DNAT)?

>though. This will be very hard using netkey.

Not now. Patrick McHardy's patches have been in the
mainline kernel since 2.6.15-git5. With a recent
iptables snapshot version there is a new 'policy
match' which allows very granular control over ipsec
packets. For anyone who is interested, see:
https://lists.netfilter.org/pipermail/netfilter-devel/2006-January/023002.html
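The rule set below is an added example, not something posted in this thread or shipped by Openswan: it sketches the SNAT/DNAT workaround discussed above, using the netfilter policy match so that only plaintext traffic that has just been decrypted (or is about to be encrypted) is rewritten, never the ESP / UDP 4500 packets themselves, which is the trap Paul warns about. The 172.16.0.0/23 LAN and the 192.168.1.0/24 branch network come from the thread; the alternate range offered to roadwarriors (ALT_NET), the gateway's LAN address (GW_LAN_IP) and the use of the NETMAP target for the 1:1 mapping are assumptions of this example. By default it only prints the iptables commands; set IPT=iptables to apply them.

```shell
#!/bin/sh
# Added example (not from the thread): NAT rules for overlapping networks
# with NAT-T roadwarriors on a netkey (2.6.15+) gateway with policy match.
LAN_NET="172.16.0.0/23"        # from the thread: the gateway's own LAN
BRANCH_NET="192.168.1.0/24"    # from the thread: the real branch network
ALT_NET="10.99.1.0/24"         # assumption: alternate range in the roadwarrior conn
GW_LAN_IP="172.16.0.1"         # assumption: gateway address inside LAN_NET
IPT="${IPT:-echo iptables}"    # dry run by default; IPT=iptables to apply

build_rules() {
  # 1. Never rewrite the IPsec packets themselves. With netkey the
  #    encrypted packet traverses nat/POSTROUTING again after xfrm, so a
  #    broad SNAT/MASQUERADE rule there would mangle the outer header.
  $IPT -t nat -A POSTROUTING -p esp -j ACCEPT
  $IPT -t nat -A POSTROUTING -p udp --dport 4500 -j ACCEPT

  # 2. Traffic from a roadwarrior for the alternate range arrives already
  #    decrypted (policy match: --dir in --pol ipsec). Map it 1:1 onto the
  #    real branch network before it is routed into the branch tunnel;
  #    conntrack reverses the mapping on the replies.
  $IPT -t nat -A PREROUTING -m policy --dir in --pol ipsec \
       -d "$ALT_NET" -j NETMAP --to "$BRANCH_NET"

  # 3. A roadwarrior sitting on its own 192.168.1.0/24 still sends with a
  #    colliding source address. Packets with both source and destination
  #    in BRANCH_NET can only be roadwarrior-to-branch traffic after step 2,
  #    so give them a gateway LAN source that the branch tunnel's selector
  #    (LAN_NET <-> BRANCH_NET) actually covers.
  $IPT -t nat -A POSTROUTING -s "$BRANCH_NET" -d "$BRANCH_NET" \
       -m policy --dir out --pol ipsec -j SNAT --to-source "$GW_LAN_IP"
}

build_rules
```

Rules 1 and 3 both live in nat/POSTROUTING; keeping the ESP and UDP 4500 exemptions first makes the ordering explicit even though the SNAT rule's own selectors would not match encapsulated packets. The `--pol ipsec` qualifier on the SNAT rule additionally guarantees that a roadwarrior packet which for some reason would leave in the clear is never rewritten to look like LAN traffic.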
