[Openswan Users] openswan with overlapping subnets
Nick Howitt
nick at howitts.co.uk
Fri Dec 18 07:27:02 EST 2015
How about setting up a passthrough conn for the 10.180.11.0/24 subnet
which would exclude internal traffic from going through the VPN. Have a
look at the subnet extrusion document on the Libreswan site:
https://libreswan.org/wiki/Subnet_extrusion
Nick
On 2015-12-18 08:28, david coleman wrote:
> Thanks for the reply
> However, I have seen that kind of advice before but I need more detail.
>
>
> I have openswan on an AWS Linux box with a public IP. So do I set up NAT
> on that same box and then use iptables for the NAT? Or do I set up
> a new server? If a new server, does it need to be in the same subnet
> or maybe it needs two IP addresses?
>
> Openswan is in the same subnet as my real servers
>
> When I read the (many) posts about NAT with iptables there was no
> example with IPsec traffic, apart from some people saying they could
> not get it to work
>
> If you have any links to actual examples of NAT with
> openswan/IPsec that would be great
>
> Thanks
> Dave
>
> Sent from my iPhone
>
> On 17 Dec 2015, at 23:54, Daniel Cave <dan.cave at me.com> wrote:
>
>> NAT (network address translation) everything coming out of your
>> network to something they're not using, like 172.18.101.1, and
>> set that to be your client LAN VPN gw
>>
>> Sent from my iPhone
>>
>> On 17 Dec 2015, at 19:51, david coleman
>> <david.coleman at promenta.com> wrote:
>>
>>> Hello - I have a common problem but I have spent a few hours
>>> researching and cannot find the definitive answer.
>>>
>>> We are setting up a vpn (site-to-site) to a customer (juniper
>>> firewall). We have found that their subnet and our subnet are
>>> overlapping.
>>>
>>> So our subnet is on 10.180.11.0/24 and theirs is 10.180.0.0/16
>>>
>>> We have set up site-to-site vpns using openswan before with
>>> success but not with this scenario.
>>>
>>> Can we set up the system so that some kind of routing using
>>> iptables will make our side look like something that does not
>>> overlap, like 10.220.11.0/24?
>>>
>>> I mean we would leave our internal network alone but put something
>>> in openswan/iptables that "translates" or converts how the other
>>> side sees our IP addresses
>>>
>>> Diagram:
>>>
>>> Their side (10.180.0.0/16) -> Their VPN Firewall (public ip) ->
>>> Internet -> our openswan (public) [viewed as 10.220.11.0/24] ->
>>> some magic fix to map 10.220.11.0/24 to our "real network" of
>>> 10.180.11.0/24 -> our real servers
>>>
>>> We actually only have 3 servers to be accessed in our network so
>>> if we need to do some setup for each individual ip that is fine
>>>
>>> Thanks dave
>>
>>> _______________________________________________
>>> Users at lists.openswan.org
>>> https://lists.openswan.org/mailman/listinfo/users
>>> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>>> Building and Integrating Virtual Private Networks with Openswan:
>>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
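The thread asks for a concrete example of NAT in front of an openswan tunnel. The script below is an added illustration, not configuration from any of the posters or from the Openswan project: it builds the 1:1 NETMAP between the real LAN 10.180.11.0/24 and the 10.220.11.0/24 range the peer is told about, and prints the matching ipsec.conf conn (with the passthrough conn Nick mentions for keeping LAN-local traffic out of IPsec). It assumes the gateway runs the NETKEY (ip_xfrm) stack and iptables, that the Linux box forwards for the LAN, and that PEER_PUBLIC_IP is a placeholder for the customer's Juniper address; `netmap_addr` reproduces the address arithmetic of the NETMAP target so the mapping can be checked before any rule is loaded.

```shell
#!/bin/sh
# Added example (not from the thread): 1:1 NETMAP of the real LAN to the
# range advertised to the peer, plus the Openswan conn that uses it.
# Assumptions: NETKEY (ip_xfrm) stack, iptables, gateway forwards for the LAN.

REAL_LAN=10.180.11.0/24    # our real network (from the thread)
MAPPED_LAN=10.220.11.0/24  # what the peer sees (from the thread)
PEER_LAN=10.180.0.0/16     # their side (from the thread)
PEER_GW=PEER_PUBLIC_IP     # placeholder: the Juniper's public address

# Dotted quad -> 32-bit integer, e.g. 10.180.11.7 -> 179571463
ip4_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad
int_to_ip4() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# netmap_addr ADDR TO_NET/PLEN: what the iptables NETMAP target does to one
# address. Host bits of ADDR are kept; network bits come from TO_NET.
netmap_addr() {
    nm_addr=$(ip4_to_int "$1")
    nm_net=$(ip4_to_int "${2%/*}")
    nm_plen=${2#*/}
    nm_hostmask=$(( (1 << (32 - nm_plen)) - 1 ))
    nm_netmask=$(( 4294967295 - nm_hostmask ))
    int_to_ip4 $(( (nm_net & nm_netmask) | (nm_addr & nm_hostmask) ))
}

# NAT rules. Outbound: rewrite our real source before the packet meets the
# IPsec policy, so the peer only ever sees MAPPED_LAN. Inbound: the decrypted
# packet is addressed to MAPPED_LAN and is rewritten to the real host.
# Nothing is applied here; review the output, then run it on the gateway.
gateway_rules() {
    cat <<EOF
iptables -t nat -A POSTROUTING -s $REAL_LAN -d $PEER_LAN -j NETMAP --to $MAPPED_LAN
iptables -t nat -A PREROUTING -s $PEER_LAN -d $MAPPED_LAN -j NETMAP --to $REAL_LAN
EOF
}

# ipsec.conf fragment: the tunnel conn advertises the mapped range, not the
# real LAN. The passthrough conn keeps 10.180.11.0/24-local traffic out of
# IPsec even though the peer's /16 contains it; key names follow the
# Openswan/Libreswan manuals, check ipsec.conf(5) for your version.
ipsec_conn() {
    cat <<EOF
conn customer
    left=%defaultroute
    leftsubnet=$MAPPED_LAN
    right=$PEER_GW
    rightsubnet=$PEER_LAN
    authby=secret
    auto=start

conn lan-passthrough
    type=passthrough
    authby=never
    left=%defaultroute
    leftsubnet=$REAL_LAN
    right=0.0.0.0
    rightsubnet=$REAL_LAN
    auto=route
EOF
}

# Show how three (constructed) server addresses appear to the peer, then
# print the rules and the conn fragment.
for host in 10.180.11.10 10.180.11.20 10.180.11.30; do
    echo "$host is seen by the peer as $(netmap_addr "$host" "$MAPPED_LAN")"
done
gateway_rules
ipsec_conn
```

After loading the rules, confirm both directions with `iptables -t nat -L -v -n` (packet counters on the two NETMAP rules should rise) and `ip -s xfrm state` (ESP bytes in both SAs); if inbound counters rise on the SA but not on the PREROUTING rule, the decrypted packets are being dropped before NAT and the policy selectors need to be revisited on that kernel.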