[Openswan Users] openswan with overlapping subnets

kwaye kant gabrielkwaye at gmail.com
Fri Dec 18 07:10:11 EST 2015


Just to know without trolling the post.

I also have an instance on Amazon. I am acting as the client in the
connection with the remote.

Why should I need NAT? Why is it important?

I have followed this guide here
https://github.com/xelerance/Openswan/wiki/Amazon-ec2-example

2015-12-18 9:28 GMT+01:00 david coleman <david.coleman at promenta.com>:

> Thanks for the reply.
> However I have seen that kind of advice before but I need more detail.
>
> I have openswan on an AWS Linux box with a public IP. So do I set up NAT in
> that same box and then I use iptables for the NAT? Or do I set up a new
> server? If a new server, does it need to be in the same subnet or maybe it
> needs two IP addresses?
>
> Openswan is in the same subnet as my real servers.
>
> When I read the (many) posts about NAT with iptables there was no example
> with IPsec traffic apart from some people saying they could not get it to
> work.
>
> If you have any links to actual examples of NAT with openswan/IPsec
> that would be great.
>
> Thanks
> Dave
>
> Sent from my iPhone
>
> On 17 Dec 2015, at 23:54, Daniel Cave <dan.cave at me.com> wrote:
>
> NAT (network address translation) everything coming out of your network
> to something they're not using, like 172.18.101.1, and set that to be
> your client LAN VPN gw.
>
> Sent from my iPhone
>
> On 17 Dec 2015, at 19:51, david coleman <david.coleman at promenta.com>
> wrote:
>
> Hello – I have a common problem but I have spent a few hours researching
> and cannot find the definitive answer.
>
> We are setting up a VPN (site-to-site) to a customer (Juniper firewall).
> We have found that their subnet and our subnet are overlapping.
>
> So our subnet is on 10.180.11.0/24 and theirs is 10.180.0.0/16.
>
> We have set up site-to-site VPNs using openswan before with success but
> not with this scenario.
>
> Can we set up the system so that some kind of routing using iptables will
> make our side look like something that does not overlap, like
> 10.220.11.0/24?
>
> I mean we would leave our internal network alone but put something in
> openswan/iptables that “translates” or converts how the other side sees our
> IP addresses.
>
> Diagram:
>
> Their side (10.180.0.0/16) -> Their VPN Firewall (public IP) -> Internet ->
> our openswan (public) [viewed as 10.220.11.0/24] -> some magic fix to map
> 10.220.11.0/24 to our “real network” of 10.180.11.0/24 -> our real servers
>
> We actually only have 3 servers to be accessed in our network so if we
> need to do some setup for each individual IP that is fine.
>
> Thanks, Dave
>
>
>
>
>
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>
>



-- 
Kwaye Kant
Skype: g.kwaye
(00) 237 677315145
Douala - Cameroon
www.ksoft-solutions.com
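One way to do what Dave asks for, on the Openswan box itself, as an added example that is not from this thread or from the Openswan project: Openswan negotiates the tunnel for the translated prefix 10.220.11.0/24 (leftsubnet), and two iptables NETMAP rules map between that prefix and the real 10.180.11.0/24 while keeping the host part of every address, so each of the three servers keeps a fixed, predictable address on the customer side. This relies on the netfilter/IPsec integration in mainline Linux: the outbound IPsec policy lookup is repeated after the source NAT in POSTROUTING, and the inbound policy check is done against the pre-NAT destination, so the SA selectors never need to mention 10.180.11.0/24. The three prefixes are the ones from Dave's message; the public IPs, the server list and the conn name are assumptions for illustration.

```sh
#!/bin/sh
# Added example for the overlapping-subnet question in this thread; not code
# from the Openswan project. Generates the Openswan conn and the iptables
# rules for a one-to-one NETMAP of our real /24 onto an unused /24.
# Values marked "assumed" are assumptions for illustration only.
REAL_NET=10.180.11.0/24    # our real LAN (from the thread)
FAKE_NET=10.220.11.0/24    # what the customer sees us as (from the thread)
REMOTE_NET=10.180.0.0/16   # customer LAN (from the thread)
LEFT_IP=203.0.113.10       # assumed: our Openswan public IP
RIGHT_IP=198.51.100.20     # assumed: the customer's Juniper public IP
SERVERS="10.180.11.10 10.180.11.11 10.180.11.12"   # assumed: the three real servers
CONN=customer-netmap       # assumed conn name

# dotted quad <-> integer, POSIX sh arithmetic only (subshell keeps IFS local)
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# netmap_addr ADDR NET/PLEN: what iptables NETMAP does to one address:
# the network bits come from NET, the host bits are kept from ADDR.
netmap_addr() (
    addr=$(ip2int "$1")
    net=$(ip2int "${2%/*}")
    plen=${2#*/}
    hostbits=$(( (1 << (32 - plen)) - 1 ))
    int2ip $(( (net & ~hostbits) | (addr & hostbits) ))
)

# Openswan conn: leftsubnet is the translated prefix, so neither the SA
# selectors nor the Juniper side ever see 10.180.11.0/24. The PSK goes in
# ipsec.secrets; IKE/ESP algorithms follow whatever the customer requires.
gen_ipsec_conn() {
    cat <<EOF
conn $CONN
    left=$LEFT_IP
    leftsubnet=$FAKE_NET
    right=$RIGHT_IP
    rightsubnet=$REMOTE_NET
    authby=secret
    auto=start
EOF
}

# nat table on the Openswan box itself (no extra server, no second IP):
#  - decrypted packets for 10.220.11.x are rewritten to 10.180.11.x; the
#    policy match makes sure only traffic that arrived over IPsec is mapped
#  - packets from 10.180.11.x to the customer leave as 10.220.11.x; Linux
#    repeats the IPsec policy lookup after this source NAT, so they match
#    leftsubnet and get encrypted. LAN-to-LAN traffic is excluded first
#    because the customer's /16 also contains our /24.
gen_nat_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -m policy --dir in --pol ipsec -d $FAKE_NET -j NETMAP --to $REAL_NET
iptables -t nat -A POSTROUTING -s $REAL_NET -d $REAL_NET -j ACCEPT
iptables -t nat -A POSTROUTING -s $REAL_NET -d $REMOTE_NET -j NETMAP --to $FAKE_NET
EOF
}

# filter table: the customer may reach only the three servers, and only over
# the tunnel (destination is already the real address here, because
# PREROUTING runs before FORWARD); replies pass via conntrack state and
# everything else forwarded through the box is dropped.
gen_forward_rules() {
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for s in $SERVERS; do
        echo "iptables -A FORWARD -m policy --dir in --pol ipsec -s $REMOTE_NET -d $s -j ACCEPT"
    done
}

# Apply the rules (run as root on the gateway). The gen_* functions are kept
# separate so the rule set can be reviewed or diffed before it is loaded.
apply_rules() {
    { gen_nat_rules; gen_forward_rules; } | sh -e
}
```

Call gen_ipsec_conn to produce the conn for ipsec.conf, review the output of gen_nat_rules and gen_forward_rules, then run apply_rules as root on the gateway; the customer configures 10.220.11.0/24 as the remote network on the Juniper. Two things the rules do not solve: hosts in the customer's own 10.180.11.0/24 slice stay unreachable from our LAN, because our servers route that prefix locally; and on EC2 the instance still needs the source/destination check disabled and a VPC route for the customer prefix pointing at it, as in the wiki page linked above. The FORWARD policy is DROP and only customer-initiated connections to the three servers are accepted, which matches the "3 servers to be accessed" requirement; widen it if our servers must open connections towards the customer.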