[Openswan Users] Other side needs different IP / netkey

Paul Wouters paul at xelerance.com
Wed Mar 3 23:23:52 EST 2010


On Wed, 3 Mar 2010, Tiago Durante wrote:

> I've tried a lot of stuff, but I still can't make a NAT inside the
> tunnel with NETKEY.
>
> Let me explain. I've a network A=192.168.1.0/24. I need to establish a
> tunnel with a firewall that has the network B=10.1.1.0/24. Till here
> everything is fine, the tunnel is up and running.
>
> The problem is that the other firewall needs my network A to be
> A=10.2.2.0/24, because he already has a network 192.168.1.0/24 on his
> firewall.
>
> How can I make it work? :(

Renumbering is REALLY the easiest answer. If you really cannot do that,
and sit down somewhere for 15 minutes and really think hard about this,
then you can hack around it.

I recommend using a different machine (or VM) for the NAT. That way,
the IPsec and NAT won't bite, because as far as openswan is concerned
there is only 10.2.2.0/24. You need to use an SNAT rule that's only
triggered when you go to 10.1.1.0/24.

If you also need to access the remote 192.168.1.0/24 from your 192.168.1.0/24
then I suggest a big bottle of vodka, and tell your boss you have to renumber
despite that being impossible. Only if your job is on the line, add another
DNAT for 192.168.2.0/24 => 192.168.1.0/24. But then all rules have to become
interface specific (your NAT box does have two (virtual) NICs, right?) because
otherwise they will clash. You will also have to combine these rules above to
work properly, and I don't even want to think about this more deeply without
getting paid ridiculous amounts of money.

You really just want to renumber. really. Trust me.

Paul
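The separate-NAT-box setup Paul describes, written out as an added example (this is not Paul's or the Openswan project's configuration). It assumes a NAT box with eth0 on the real 192.168.1.0/24 LAN and eth1 toward the openswan gateway, and uses the iptables NETMAP target instead of a plain SNAT so that each host keeps its own host bits (192.168.1.57 becomes 10.2.2.57); the interface names, the NETMAP choice and the `show`/`apply` arguments are all assumptions. The rewrite is tied to both the outgoing interface and the remote prefix 10.1.1.0/24, which is the "only triggered when you go to 10.1.1.0/24" condition from the reply.

```shell
#!/bin/sh
# Added example, not from the thread above. Assumed topology (the separate
# NAT box Paul recommends):
#   eth0 = LAN side, where the real 192.168.1.0/24 (network A) lives
#   eth1 = link to the openswan gateway, which only ever sees 10.2.2.0/24
# Assumptions: iptables with the NETMAP target (1:1 prefix mapping, used here
# instead of a plain SNAT so every host keeps its own host bits) and
# conntrack. The openswan conn is then simply leftsubnet=10.2.2.0/24 /
# rightsubnet=10.1.1.0/24; the gateway must route 10.2.2.0/24 back to this
# box, and this box must route 10.1.1.0/24 via the gateway.

LAN_IF=eth0
VPN_IF=eth1
LAN_NET=192.168.1.0/24     # real local network A
FAKE_NET=10.2.2.0/24       # what the remote firewall must see A as
REMOTE_NET=10.1.1.0/24     # network B behind the remote firewall

# Emit the rules rather than applying them, so they can be reviewed first
# (and exercised without root). Every rule is tied to the interface *and*
# the remote prefix: 192.168.1.0/24 is only rewritten when the packet is
# really headed into the tunnel. The POSTROUTING rule covers LAN-initiated
# flows (conntrack un-NATs the replies); the PREROUTING rule covers flows
# the remote side initiates toward a 10.2.2.x address.
nat_rules() {
    cat <<EOF
iptables -t nat -A POSTROUTING -o $VPN_IF -s $LAN_NET -d $REMOTE_NET -j NETMAP --to $FAKE_NET
iptables -t nat -A PREROUTING -i $VPN_IF -s $REMOTE_NET -d $FAKE_NET -j NETMAP --to $LAN_NET
iptables -A FORWARD -i $LAN_IF -o $VPN_IF -s $LAN_NET -d $REMOTE_NET -j ACCEPT
iptables -A FORWARD -i $VPN_IF -o $LAN_IF -s $REMOTE_NET -d $LAN_NET -j ACCEPT
EOF
}

# What NETMAP does to one address: replace the prefix, keep the host bits.
# Pure POSIX sh arithmetic, so the mapping can be sanity-checked before
# touching the box.
ip2int() {
    echo "$1" | { IFS=. read -r a b c d; echo $(( (a << 24) | (b << 16) | (c << 8) | d )); }
}
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}
netmap_addr() {   # netmap_addr ADDR NEW_NET/PLEN  -> ADDR with its prefix replaced
    addr=$(ip2int "$1")
    net=$(ip2int "${2%/*}")
    plen=${2#*/}
    mask=$(( (0xffffffff << (32 - plen)) & 0xffffffff ))
    int2ip $(( (net & mask) | (addr & ~mask & 0xffffffff) ))
}

# Only touch the kernel when explicitly asked to.
case "${1-}" in
    apply)
        sysctl -w net.ipv4.ip_forward=1
        nat_rules | sh -e
        ;;
    show)
        nat_rules
        ;;
esac
```

Run `sh natbox.sh show` to review the rules and `sh natbox.sh apply` (as root on the NAT box) to install them. The harder case Paul mentions, reaching the remote side's own 192.168.1.0/24, is deliberately left out: the DNAT he describes would be a PREROUTING NETMAP on eth0 from 192.168.2.0/24 to 192.168.1.0/24, but after that rewrite the destination lies inside the prefix directly connected on eth0, so the packet also needs policy routing to leave via eth1, which is the clash he warns about.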

