Howdy IPsec masters,

We have a solution that drives LibreSWAN IPsec connections from a small set of 
central servers out to our customers' environments. Our customers use a variety 
of IPsec routers (Cisco, HP, Juniper, etc.) configured to expose a small 
/29 or /30 subnet of the customer's internal network, which has the target 
system(s) we want to reach.


Currently we require that the subnet exposed by each customer be unique. But 
this is met with resistance, understandably, since many customers use the same 
internal RFC-1918 private address spaces (10.0.0.0/8, 172.[16-31].0.0/16, 
192.168.0.0/16).


Is there a way to create host-to-subnet or subnet-to-subnet IPsec connections 
where the rightsubnets (customer-side) are the same or overlap? It's my 
understanding that connections are indexed by the (leftsubnet, rightsubnet) 
tuple, but when I try this I get "cannot route -- route already in use" errors 
when I bring up the second+ connection of those with duplicate rightsubnets.


We control the leftsubnets and we can manage a pool of these so we assign a 
unique leftsubnet to each customer. The left IP address is fixed, as that's our 
server's public IP; and the customer's right IP is also a given and cannot be 
changed. Most of these connections will be up at the same time.


Example (fixed-width font, apologies to those with proportional font):


     leftsubnet            left           right          rightsubnet      who
   172.16.0.1/32     === 16.16.16.16 ... 99.99.99.99 === 192.168.0.1/30   cust-00001
   172.16.0.2/32     === 16.16.16.16 ... 12.34.56.78 === 192.168.0.1/30   cust-00002
   172.16.0.3/32     === 16.16.16.16 ... 77.88.99.11 === 192.168.0.1/30   cust-00003

   ...
   172.31.255.254/32 === 16.16.16.16 ... 55.66.77.88 === 192.168.0.1/30   cust-ffffe


In the above, the "left" is the same server, while the rights are all 
different customer routers/networks.


If this isn't the correct approach, perhaps NAT-games would help?


Thanx all, any help appreciated!

- Steve

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
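The post's "route already in use" error is worth catching before any tunnel is brought up. The following is an added example, not code from the post or from the LibreSWAN project: a pre-flight check over a constructed list of connection definitions modelled on the table above. It assumes (as the post's own symptom suggests) that a plain kernel route is selected by destination only, so two tunnels to different peers cannot both own a route to the same, or an overlapping, rightsubnet, no matter how distinct their leftsubnets are. It reports both exact duplicate (leftsubnet, rightsubnet) tuples and overlapping rightsubnets across different peers; connection names and addresses are constructed.

```python
import ipaddress
from itertools import combinations

# Constructed sample modelled on the table in the post: one server ("left"),
# a unique leftsubnet per customer, but the same or overlapping rightsubnet.
CONNS = [
    {"name": "cust-00001", "leftsubnet": "172.16.0.1/32",
     "right": "99.99.99.99", "rightsubnet": "192.168.0.1/30"},
    {"name": "cust-00002", "leftsubnet": "172.16.0.2/32",
     "right": "12.34.56.78", "rightsubnet": "192.168.0.1/30"},
    {"name": "cust-00003", "leftsubnet": "172.16.0.3/32",
     "right": "77.88.99.11", "rightsubnet": "192.168.0.0/24"},  # wider, still overlaps
    {"name": "cust-00004", "leftsubnet": "172.16.0.4/32",
     "right": "10.20.30.40", "rightsubnet": "192.168.1.0/30"},  # disjoint, no conflict
]


def parse_conn(conn):
    """Return (name, leftsubnet, right, rightsubnet) with addresses parsed.

    strict=False is deliberate: ipsec.conf commonly writes a host address with
    a prefix length ("192.168.0.1/30"); ipaddress rejects that in strict mode.
    """
    return (
        conn["name"],
        ipaddress.ip_network(conn["leftsubnet"], strict=False),
        ipaddress.ip_address(conn["right"]),
        ipaddress.ip_network(conn["rightsubnet"], strict=False),
    )


def find_duplicate_tuples(conns):
    """Pairs of connection names sharing an identical (leftsubnet, rightsubnet)."""
    seen = {}
    dups = []
    for name, leftsubnet, _right, rightsubnet in map(parse_conn, conns):
        key = (leftsubnet, rightsubnet)
        if key in seen:
            dups.append((seen[key], name))
        else:
            seen[key] = name
    return dups


def find_route_conflicts(conns):
    """Pairs of connections whose rightsubnets overlap but go to different peers.

    Assumption: the kernel route is keyed on destination only, so both tunnels
    cannot hold a route to the overlapping range even with distinct leftsubnets.
    Returns sorted (name_a, name_b, narrower_overlapping_subnet) tuples.
    """
    parsed = list(map(parse_conn, conns))
    conflicts = []
    for (na, _la, ra, rsa), (nb, _lb, rb, rsb) in combinations(parsed, 2):
        if ra != rb and rsa.overlaps(rsb):
            narrower = rsa if rsa.prefixlen >= rsb.prefixlen else rsb
            conflicts.append((na, nb, str(narrower)))
    return sorted(conflicts)


if __name__ == "__main__":
    print("duplicate (leftsubnet, rightsubnet) tuples:", find_duplicate_tuples(CONNS))
    for a, b, net in find_route_conflicts(CONNS):
        print(f"route conflict: {a} and {b} both claim {net}")
```

Run against the sample, the tuple check passes (every leftsubnet is unique) while the route check flags the three customers sharing 192.168.0.0/30, which is exactly the situation the post describes: unique (leftsubnet, rightsubnet) tuples are not enough when the rightsubnet itself is reused.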
