On 8 June 2017 at 13:03, Eric Curtin <[email protected]> wrote:
> On 7 June 2017 at 23:08, Paul Wouters <[email protected]> wrote:
>> On Wed, 7 Jun 2017, Eric Curtin wrote:
>>
>>> I need to connect to multiple clients behind multiple routers from a
>>> centos/rhel 6 machine. There are clashing 192.168.0.100, 192.168.0.101
>>> addresses... How can I solve this so that I can connect to multiple
>>> 192.168.0.100's? I cannot alter the remote private IP addresses.
>>>
>>> Just wondering, what are my options in this scenario?
>>
>>
>> I'm unsure what your goal is. If your goal is to connect laptops and
>> phones to your remote network and currently your problem is they are
>> all behind NAT on conflicting/overlapping RFC1918 space, the solution
>> is to give those devices an IP from your pool, using either IKEv2 CP
>> or IKEv1 XAUTH.
>>
>> https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2
>> https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv1_XAUTH_with_Certificates
>> https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv1_XAUTH_with_PSK
>>
>> If you are trying to connect subnets which use overlapping RFC1918
>> ranges together, you have a much harder task. An IP can really only
>> live in 1 place, and you'd have to do a lot of NAT+IPsec to tweak
>> it, and you'd end up using hardcoded IPs or weird modified DNS. You
>> might need something like:
>>
>> https://libreswan.org/wiki/Subnet_to_subnet_using_NAT
>>
>> Paul
>
> [ASCII network diagram, garbled in extraction (see the gist link below for the original). Legible labels: an outer box containing a "Windows" host and a "CentOS6 (bridged)" machine "running libreswan", with 16.248.10.231 (the left= address in the conn below) beneath it; a "Cisco" router path labelled 10.37.177.3, 192.168.1.1, 192.168.1.104 leading to "Some client" on the "Corporate Network"; a "Juniper" router path labelled 10.37.177.4, 192.168.1.1, 192.168.1.104 leading to another "Some client".]
>
> That diagram should display properly if you use a monospace font to view this.
>
> By the sounds of it, I am stuck with option two that you are referring
> to. I would use a configuration as follows to connect to the Cisco
> based client:
>
> conn cisco
>     type=tunnel
>     left=16.248.10.231
>     leftsubnet=16.248.10.231/32
>     leftsourceip=16.248.10.231
>     right=10.37.177.3
>     rightsubnet=192.168.1.104/32
>     rightsourceip=10.37.177.3
>     authby=secret
>     retransmit-timeout=16s
>     ike=aes256-sha1;modp1536
>     phase2alg=aes256-sha1;modp1536
>
> But I cannot connect to 192.168.1.104 behind the Juniper router at the
> same time, using a similar configuration. Client IP addresses are out
> of my control.
gmail butchered that diagram: https://gist.github.com/ericcurtin/18abd507c0a391ba1089742bcd4cc37c

forgot to cc the mailing list

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
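Paul's first option in the quoted reply (hand each remote client an address from a pool on the libreswan server, so the overlapping 192.168.0.x LANs behind the clients never appear as selectors inside the tunnel) written out as an ipsec.conf stanza. This is an added illustration for this page, not configuration posted in the thread or copied from the linked wiki pages; the server name vpn.example.com, the NSS certificate nickname, the 100.64.13.0/24 client pool and the DPD timers are assumptions, and the stanza does not address Eric's site-to-site case, for which the thread gives no configuration.

```ini
# Added example, not the thread author's configuration.
# Assumed: server certificate stored in the NSS database under the
# nickname "vpn.example.com", clients carry certificates from the same CA,
# and 100.64.13.2-100.64.13.254 is free for use as the client pool.
conn roadwarriors
    auto=add
    ikev2=insist
    # server side
    left=%defaultroute
    leftid=@vpn.example.com
    leftcert=vpn.example.com
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    leftrsasigkey=%cert
    # client side: connects from any address, identity taken from its certificate
    right=%any
    rightid=%fromcert
    rightca=%same
    rightrsasigkey=%cert
    # each client is assigned an address from this pool; the client's own LAN
    # address (possibly 192.168.0.100, shared with other clients) is not used
    # as a tunnel selector, so clashing home/office ranges do not collide
    rightaddresspool=100.64.13.2-100.64.13.254
    narrowing=yes
    # notice clients that silently went away and clear their state
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
```

Traffic from connected clients arrives on the server with a 100.64.13.x source, so the server (or whatever sits behind it) must route or NAT that pool range rather than the clients' real RFC1918 addresses; that is the point of the approach, since the pool range is the one address space that is guaranteed not to overlap between clients.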
