[strongSwan] farp plugin with two partially overlapping networks

Martin Willi martin at strongswan.org
Fri May 17 09:07:49 CEST 2013


Hi Anton,

> (192.168.0.0/22 - main NET1)--[Main VPN gateway]=={internet}==[office VPN gateway]--(192.168.1.0/24 - office NET2)

> Is it possible to use farp plugin for this task ?

The farp plugin is actually very simple; it fakes ARP responses to
itself for any request that:

      * comes from a "leftsubnet"
      * asks for an address in "rightsubnet"

If you tunnel exactly your subnets, i.e.

192.168.0.0/22 (main) ==== (office) 192.168.1.0/24

main will reply to ARP requests from 192.168.0.0/22 targeting
192.168.1.0/24, office will reply for requests from 192.168.1.0/24
targeting 192.168.0.0/22.

In main this should work fine; however in office you have a serious
problem: local hosts that would like to find local hosts send ARP
requests that farp will reply to.

To fix that, you should try to avoid that overlap in the tunneled
subnets (which is a good idea anyway). IKEv2 does not allow you to
"exclude" a subnet, but you can use multiple subnets, something like:

192.168.0.0/24,192.168.2.0/23 ==== 192.168.1.0/24


On all clients in office, you'll have to make sure they issue ARP
requests for 192.168.0.0/22, i.e. have configured an appropriate subnet
mask (using DHCP, for example).

Regards
Martin
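The two checks Martin describes, as an added example that is not part of the mail or of strongSwan's farp plugin: a small model of the ARP-reply rule (answer when the sender is in a leftsubnet and the target is in a rightsubnet), an overlap check that flags the office-side problem, and the carving of the /22 into the non-overlapping pieces that can be listed as multiple subnets. The function names and the sample addresses are invented for this example; only the rule and the subnets come from the mail.

```python
from ipaddress import IPv4Address, IPv4Network, collapse_addresses


def farp_would_answer(left_subnets, right_subnets, sender, target):
    """Model of the rule from the mail: the gateway fakes an ARP reply when the
    request comes from a leftsubnet and asks for an address in a rightsubnet."""
    s, t = IPv4Address(sender), IPv4Address(target)
    from_left = any(s in IPv4Network(n) for n in left_subnets)
    for_right = any(t in IPv4Network(n) for n in right_subnets)
    return from_left and for_right


def overlapping_pairs(left_subnets, right_subnets):
    """Pairs of (left, right) subnets that overlap. Any such pair means local
    hosts looking for local hosts get an ARP reply from the gateway instead."""
    return [
        (l, r)
        for l in left_subnets
        for r in right_subnets
        if IPv4Network(l).overlaps(IPv4Network(r))
    ]


def split_around(network, exclude):
    """Subnets of `network` that do not contain `exclude`, sorted by address.
    IKEv2 cannot express 'network minus exclude', so this is the list to
    configure as multiple subnets instead."""
    net, ex = IPv4Network(network), IPv4Network(exclude)
    if not ex.subnet_of(net):
        return [str(net)]
    return [str(n) for n in sorted(net.address_exclude(ex))]


def covers(network, pieces):
    """True when `pieces` collapse back to exactly `network` (nothing lost)."""
    merged = list(collapse_addresses(IPv4Network(p) for p in pieces))
    return merged == [IPv4Network(network)]


if __name__ == "__main__":
    # Office gateway, tunnelling exactly the subnets from the mail.
    office_left = ["192.168.1.0/24"]
    office_right = ["192.168.0.0/22"]
    print("overlap:", overlapping_pairs(office_left, office_right))
    # Constructed sample: a local office host looking for another local host.
    print("local lookup hijacked:",
          farp_would_answer(office_left, office_right, "192.168.1.10", "192.168.1.20"))

    # Carve the /22 around the office /24 and verify nothing is lost.
    pieces = split_around("192.168.0.0/22", "192.168.1.0/24")
    print("main subnets:", ",".join(pieces))
    print("covers /22 with office /24:", covers("192.168.0.0/22", pieces + ["192.168.1.0/24"]))
    print("local lookup hijacked now:",
          farp_would_answer(office_left, pieces, "192.168.1.10", "192.168.1.20"))
    print("remote lookup still answered:",
          farp_would_answer(office_left, pieces, "192.168.1.10", "192.168.0.5"))
```

The same functions can be fed the subnets from an `ipsec.conf` pair to check a proposed leftsubnet/rightsubnet before enabling farp; the overlap check is the one that matters on the side whose local network is the smaller one.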
