Hi Marwan,

>> How does it do that? Do you mean it allocates addresses from
>> 10.0.0.0/24 to those clients? (Without the server being aware of that,
>> which is not a good idea.) Or does it NAT traffic from these devices to
>> the IP address it received from the VPN server?
>
> The idea is that the client has its connection configured with e.g.
> “leftsubnet=192.168.1.0/24” and each device located on the
> 192.168.1.0/24 subnet allocates a virtual IP address from 10.0.0.0/24.

Then you definitely don't need virtual IPs managed by the VPN server.
Just use that leftsubnet configuration (and rightsubnet set accordingly
on the server) and get rid of left|rightsourceip.

>> So why not use distinct subnets? Reaching these devices from other
>> hosts (e.g. behind the VPN server, or the server itself) could be tricky
>> if they have the same IP addresses assigned. And depending on the
>> traffic selector on the server's side and whether you use marks this
>> will actually result in duplicate IPsec policies, which won't work.
>
> Many of our customers that are setting up these "clients" are already
> connected to a VPN when they wish to connect to the devices. To avoid
> conflicts, we thought the customer could select the virtual subnet. If
> it is possible to set up duplicate subnets, there is no need to check if
> a certain subnet is available for the customer to use.

OK, then you'll definitely want to use marks etc. to properly handle
duplicate subnets.

>> And are you sure this would be easier with a site-to-site setup instead
>> of using virtual IP pools in the first place? The IP addresses used on
>> the client end could still be "virtual IPs", i.e. only usable inside the
>> VPN, but they wouldn't be assigned by the server (to use duplicate
>> subnets is still tricky, though).
>
> Yeah, any setup will do as long as we can duplicate the subnets. I was
> hoping that it could be done as I read in the Virtual IP wiki that it
> might have been possible before: “previously each connection would use
> its own copy and the same virtual IP may have been handed out to
> different clients”.

But that's not your use case. The devices behind each client won't
request virtual IPs from the VPN server, so these pools are irrelevant.

Regards,
Tobias
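As an added illustration of the setup Tobias describes (not configuration from the thread or from the strongSwan project), the server-side ipsec.conf below uses leftsubnet/rightsubnet instead of left|rightsourceip and gives each client connection its own mark so that two sites with the same 192.168.1.0/24 subnet do not produce duplicate IPsec policies. The connection names, identities and the server-side subnet 10.10.0.0/24 are assumptions.

```ini
# Added example: server side. Both clients have 192.168.1.0/24 behind them,
# so the traffic selectors are identical; the per-connection mark is what
# keeps the two policy sets apart in the kernel.
conn %default
    keyexchange=ikev2
    left=%any
    leftid=@vpn.example.org          # assumed identity
    leftsubnet=10.10.0.0/24          # assumed network behind the server
    rightsubnet=192.168.1.0/24       # the same subnet behind every client
    # no leftsourceip / rightsourceip: no virtual IP pool is involved
    auto=add

conn client-a
    rightid=@client-a.example.org    # assumed identity
    mark=1                           # distinct mark -> distinct policies/SAs

conn client-b
    rightid=@client-b.example.org    # assumed identity
    mark=2

# Matching client side (here client-a), mirroring the subnets:
# conn office
#     keyexchange=ikev2
#     left=%any
#     leftid=@client-a.example.org
#     leftsubnet=192.168.1.0/24
#     right=vpn.example.org
#     rightid=@vpn.example.org
#     rightsubnet=10.10.0.0/24
#     auto=start
```

Because the destination address alone cannot tell the two sites apart, packets leaving the server towards 192.168.1.0/24 must already carry the right mark (for example set by netfilter MARK rules before routing) so the kernel picks the intended client's policy; that marking logic is what makes duplicate subnets the "tricky" part mentioned in the thread.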