[Openswan Users] openswan with overlapping subnets
david coleman
david.coleman at promenta.com
Fri Dec 18 03:28:37 EST 2015
Thanks for the reply.
However, I have seen that kind of advice before, but I need more detail.
I have Openswan on an AWS Linux box with a public IP. So do I set up NAT on that same box and then use iptables for the NAT? Or do I set up a new server? If a new server, does it need to be in the same subnet, or maybe it needs two IP addresses?
Openswan is in the same subnet as my real servers.
When I read the (many) posts about NAT with iptables there was no example with IPsec traffic, apart from some people saying they could not get it to work.
If you have any links to actual examples of NAT with Openswan/IPsec, that would be great.
Thanks
Dave
Sent from my iPhone
On 17 Dec 2015, at 23:54, Daniel Cave <dan.cave at me.com> wrote:
NAT (network address translation) everything coming out of your network to something they're not using, like 172.18.101.1, and set that to be your client LAN VPN gw.
Sent from my iPhone
On 17 Dec 2015, at 19:51, david coleman <david.coleman at promenta.com> wrote:
Hello - I have a common problem, but I have spent a few hours researching and cannot find the definitive answer.
We are setting up a VPN (site-to-site) to a customer (Juniper firewall). We have found that their subnet and our subnet are overlapping.
So our subnet is on 10.180.11.0/24 and theirs is 10.180.0.0/16
We have set up site-to-site VPNs using Openswan before with success, but not with this scenario.
Can we set up the system so that some kind of routing using iptables will make our side look like something that does not overlap, like 10.220.11.0/24?
I mean we would leave our internal network alone but put something in Openswan/iptables that "translates" or converts how the other side sees our IP addresses.
Diagram:
Their side (10.180.0.0/16) --> Their VPN Firewall (public ip) --> Internet --> our openswan (public) [viewed as 10.220.11.0/24] --> some magic fix to map 10.220.11.0/24 to our "real network" of 10.180.11.0/24 --> our real servers
We actually only have 3 servers to be accessed in our network, so if we need to do some setup for each individual IP that is fine.
Thanks, Dave
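Added example, not code from this thread or from the Openswan project: the "magic fix" Dave draws in his diagram can live on the Openswan box itself, as iptables 1:1 NAT (NETMAP) keyed on the IPsec policy match. The subnets are the thread's (real 10.180.11.0/24, presented as 10.220.11.0/24, customer 10.180.0.0/16); the customer's public address 203.0.113.10 (TEST-NET-3), the connection name and the PSK auth are assumptions. The script only prints the configuration unless run with APPLY=1 as root.

```shell
#!/bin/sh
# Added example, not code from the thread or from Openswan: 1:1 NAT of an
# overlapping LAN on the Openswan gateway itself, so the peer only ever sees
# the translated prefix. Subnets are the thread's; peer address, conn name
# and PSK are assumptions.
set -eu

REAL_NET=10.180.11.0/24   # our real servers; overlaps the customer's /16
FAKE_NET=10.220.11.0/24   # what the customer sees; leftsubnet= below
PEER_NET=10.180.0.0/16    # the customer's LAN; rightsubnet= below
PEER_IP=203.0.113.10      # assumed: the customer's Juniper public address (TEST-NET-3)

# ipsec.conf fragment. The tunnel is negotiated for FAKE_NET, so the IPsec
# selectors (and the Juniper proxy-IDs) never mention the overlapping prefix.
ipsec_conf() {
    cat <<EOF
conn customer
    left=%defaultroute
    leftsubnet=$FAKE_NET
    right=$PEER_IP
    rightsubnet=$PEER_NET
    authby=secret
    auto=start
EOF
}

# iptables rules for the whole /24 (NETMAP keeps the host part: 10.220.11.7
# <-> 10.180.11.7). NETMAP is a terminating nat-table target, so list these
# before any MASQUERADE rule the box already has for internet egress.
netmap_rules() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    # Inbound, decrypted packets only: rewrite the destination to the real host.
    echo "iptables -t nat -A PREROUTING -d $FAKE_NET -m policy --dir in --pol ipsec -j NETMAP --to $REAL_NET"
    # Outbound replies: rewrite the source. The kernel re-runs the xfrm policy
    # lookup after NAT in POSTROUTING, so the rewritten packet matches the
    # FAKE_NET<->PEER_NET policy and is encrypted instead of leaving in clear.
    echo "iptables -t nat -A POSTROUTING -s $REAL_NET -d $PEER_NET -j NETMAP --to $FAKE_NET"
    # Anything else already covered by an IPsec policy must not be masqueraded.
    echo "iptables -t nat -A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT"
    # FORWARD runs before the outbound NAT, so match on the real addresses there.
    echo "iptables -A FORWARD -s $PEER_NET -d $REAL_NET -m policy --dir in --pol ipsec -j ACCEPT"
    echo "iptables -A FORWARD -s $REAL_NET -d $PEER_NET -j ACCEPT"
}

# Alternative for a handful of servers (the thread has three): explicit
# DNAT/SNAT per host instead of NETMAP over the whole /24.
# usage: host_rules <real_ip> <translated_ip>
host_rules() {
    echo "iptables -t nat -A PREROUTING -d $2 -m policy --dir in --pol ipsec -j DNAT --to-destination $1"
    echo "iptables -t nat -A POSTROUTING -s $1 -d $PEER_NET -j SNAT --to-source $2"
}

# Default: print the configuration for review. APPLY=1 (as root) executes it.
if [ "${APPLY:-0}" = 1 ]; then
    netmap_rules | sh -e
else
    ipsec_conf
    netmap_rules
    host_rules 10.180.11.5 10.220.11.5   # example host; repeat for each real server
fi
```

Two things outside the box still have to be true: the real servers must send traffic for 10.180.0.0/16 to the Openswan instance (on AWS that means a VPC route table entry for the customer prefix pointing at the instance and disabling source/destination check on it), and the customer must configure their side of the tunnel for 10.220.11.0/24, not for your real prefix. The `-m policy` match needs the xt_policy module; check that packets hit the rules with `iptables -t nat -L -v -n` counters and that the SA comes up with `ipsec status`.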
_______________________________________________
Users at lists.openswan.org
https://lists.openswan.org/mailman/listinfo/users