[Openswan Users] Same subnets on both ends

Marc McGuinness mailing-list at mcguinness.de
Tue May 30 01:31:10 CEST 2006

Hello again,

Norman Rasmussen wrote the following on 29.05.2006 20:59:
> On 5/29/06, Marc McGuinness <mailing-list at mcguinness.de> wrote:
>> I was asked to configure VPNs for several subnets. Unfortunately I've
>> got two large subnets with the same ip range.
>> Example:
>> --- --- internet --- ---
>> I can't just renumber one end as there would be many difficulties
>> involved, especially political ones (responsibilities).
>> Is there a good way of getting the VPN to work without renumbering a
>> subnet?
> If I remember correctly you can do this.
> You'll want to NAT network to and
> network to - or similar assuming no other
> conflicts.
> The easiest way is to probably use NAT on both networks.  That way
> when anyone else wants to access those networks they use the 'new'
> numbering, but the NAT translates into the addresses.
> (both networks do 1 set of NAT)

What you say is that all I have to do is to enter this rule for source
NAT on the VPN gateways:

iptables -t nat -A POSTROUTING -s -o ipsec0 -j SNAT \

Is that correct?

Is it possible to use ipsec0 in a postrouting rule? I've checked the
Openswan book and it says on page 96:

"If there is an IP conflict, it is possible to do some
NAT on them (outside the VPN tunnel, not inside!) but it might turn out
to be more costly and problematic than just renumbering one end,
especially if this is an end user's home network."

What does it mean, when it says "outside the VPN tunnel, not inside"?

> Alternatively you could only use NAT on one of the networks.  Then you
> have to nat the current network _and_ the conflicting network's IPs -
> one network does 2 sets of NAT.

Sorry, but I don't have a clue what you mean. Why do I have to do 2 sets
of NAT, when I only use NAT on one of the networks?
PGP: http://mcguinness.psychology4u.de/public.txt
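The "NAT outside the tunnel" arrangement the thread discusses, as an added worked example that is not part of this mailing-list post: each gateway translates its own (colliding) LAN 1:1 to a unique mapped prefix before the packet is matched against the IPsec policy, and ipsec.conf's leftsubnet/rightsubnet name only the mapped prefixes. It uses the iptables NETMAP target rather than the plain SNAT rule quoted above; the 192.168.1.0/24, 10.1.0.0/24 and 10.2.0.0/24 values are constructed placeholders, since the real addresses did not survive in the archive.

```python
import ipaddress

def netmap_address(host, real_net, mapped_net):
    """1:1 translation as NETMAP does it: keep the host bits, swap the prefix."""
    real = ipaddress.ip_network(real_net)
    mapped = ipaddress.ip_network(mapped_net)
    if real.prefixlen != mapped.prefixlen:
        raise ValueError("NETMAP needs equally sized prefixes")
    offset = int(ipaddress.ip_address(host)) - int(real.network_address)
    if not 0 <= offset < real.num_addresses:
        raise ValueError(f"{host} is not in {real_net}")
    return str(mapped.network_address + offset)

def overlap_vpn_plan(real_lan, mapped_local, mapped_remote):
    """Rules for ONE gateway whose LAN 'real_lan' collides with the peer's LAN.

    mapped_local  - the prefix this site is seen as through the tunnel
    mapped_remote - the prefix the peer has chosen for its own LAN
    Returns (iptables rules, ipsec.conf subnet settings). The peer runs the
    same function with its arguments swapped (the "both do 1 set of NAT" case).
    """
    real = ipaddress.ip_network(real_lan)
    local = ipaddress.ip_network(mapped_local)
    remote = ipaddress.ip_network(mapped_remote)
    # "assuming no other conflicts": mapped ranges must be distinct from the
    # real LAN and from each other, and the 1:1 map needs equal sizes.
    for a, b in ((real, local), (real, remote), (local, remote)):
        if a.overlaps(b):
            raise ValueError(f"{a} overlaps {b}: pick another mapped range")
    if local.prefixlen != real.prefixlen:
        raise ValueError("mapped range must be the same size as the real LAN")
    rules = [
        # outbound: real source -> mapped source, applied before IPsec looks
        # at the packet, so the SA only ever carries mapped addresses
        f"iptables -t nat -A POSTROUTING -s {real} -d {remote} -j NETMAP --to {local}",
        # inbound (after decryption): peer addressed our mapped prefix,
        # translate it back to the real LAN
        f"iptables -t nat -A PREROUTING -d {local} -j NETMAP --to {real}",
    ]
    conf = {"leftsubnet": str(local), "rightsubnet": str(remote)}
    return rules, conf

if __name__ == "__main__":
    rules, conf = overlap_vpn_plan("192.168.1.0/24", "10.1.0.0/24", "10.2.0.0/24")
    print("\n".join(rules))
    print(conf, netmap_address("192.168.1.10", "192.168.1.0/24", "10.1.0.0/24"))
```

Hosts on each LAN reach the other side by its mapped prefix (the "new numbering" in the reply above), which is why the outbound rule matches on `-d {remote}`.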
