[strongSwan] farp plugin with two partially overlapping networks

Anton warm at mtele.pro
Fri May 17 10:54:26 CEST 2013


If I understand right, farp has no configurable parameters at all?

Actually there are about 30 offices with 1-5 machines per office. What if the configuration looks like this:

192.168.0.0/22 - network for all offices. 192.168.0.0/24,192.168.2.0/23 is assigned to the main office and 192.168.1.0/24
is assigned to all the other small offices. On the main VPN gateway leftsubnet=192.168.0.0/24,192.168.2.0/23 and
rightsubnet=192.168.1.0/29 for the first office, rightsubnet=192.168.1.8/29 for the second office, rightsubnet=192.168.1.16/29
for the third and so on (a /24 has 32 subnets of /29, and in the real world a /29 may not be enough, so this is an example only).

In this case farp should be running only on the main VPN gateway for the biggest (main office) network, am I right?

I know - I'm reinventing the wheel :-). This is because the customer has a restriction on his network: a flat big L2 net with
Microsoft servers on it, the main gateway (not VPN) is made in ISA server, and all this configuration is untouchable for us and
a sacred, holy and divine piece of ... network :-). We are only trying to find some good enough solution to connect the small
offices with the main one.


On Fri, 17 May 2013 09:07:49 +0200
Martin Willi <martin at strongswan.org> wrote:

> Hi Anton,
> 
> > (192.168.0.0/22 - main NET1)--[Main VPN gateway]=={internet}==[office VPN gateway]--(192.168.1.0/24 - office NET2)
> 
> > Is it possible to use farp plugin for this task ?
> 
> The farp plugin is actually very simple; it fakes ARP responses to
> itself for any request that:
> 
>       * comes from a "leftsubnet"
>       * asks for an address in "rightsubnet"
> 
> If you tunnel exactly your subnets, i.e.
> 
> 192.168.0.0/22 (main) ==== (office) 192.168.1.0/24
> 
> main will reply to ARP requests from 192.168.0.0/22 targeting
> 192.168.1.0/24, office will reply for requests from 192.168.1.0/24
> targeting 192.168.0.0/22.
> 
> In main this should work fine; however in office you have a serious
> problem: local hosts that would like to find local hosts send ARP
> requests that farp will reply to.
> 
> To fix that, you should try to avoid that overlap in the tunneled
> subnets (which is a good idea anyway). IKEv2 does not allow you to
> "exclude" a subnet, but you can use multiple subnets, something like:
> 
> 192.168.0.0/24,192.168.2.0/23 ==== 192.168.1.0/24
> 
> 
> On all clients in office, you'll have to make sure they issue ARP
> requests for 192.168.0.0/22, i.e. have configured an appropriate subnet
> mask (using DHCP, for example).
> 
> Regards
> Martin
> 


-- 
Anton [WARM-RIPE]
MT NOC division head
tel. 8 (3822) 555-797
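The two points in this exchange, Martin's description of the farp rule and the overlap problem it causes, and Anton's proposal to split the main office into 192.168.0.0/24,192.168.2.0/23 and carve 192.168.1.0/24 into /29 blocks, can be checked before touching any gateway. The script below is an added example written for this page, not code from the thread or from strongSwan: it models the farp rule as Martin states it (reply only to ARP requests from a leftsubnet address for a rightsubnet address), reports overlapping leftsubnet/rightsubnet pairs, and emits ipsec.conf-style conn stanzas for the per-office /29 scheme. The conn names (office1, office2, ...) and the `auto=add` line are assumptions for illustration.

```python
import ipaddress
from itertools import product


def parse_subnets(spec):
    """Parse a strongSwan-style comma-separated subnet list, e.g. "192.168.0.0/24,192.168.2.0/23"."""
    return [ipaddress.ip_network(s.strip()) for s in spec.split(",")]


def farp_would_reply(sender_ip, target_ip, leftsubnet, rightsubnet):
    """Model of the farp rule described in the thread (not farp's own code):
    the gateway fakes an ARP reply only when the request comes from a
    leftsubnet address and asks for an address inside rightsubnet."""
    sender = ipaddress.ip_address(sender_ip)
    target = ipaddress.ip_address(target_ip)
    from_left = any(sender in net for net in parse_subnets(leftsubnet))
    for_right = any(target in net for net in parse_subnets(rightsubnet))
    return from_left and for_right


def overlapping_pairs(leftsubnet, rightsubnet):
    """Return the (left, right) network pairs that overlap. Any hit means the
    gateway would answer ARP for hosts that are actually on its own LAN."""
    return [
        (left, right)
        for left, right in product(parse_subnets(leftsubnet), parse_subnets(rightsubnet))
        if left.overlaps(right)
    ]


def office_subnets(pool, new_prefix):
    """Carve the pool (192.168.1.0/24 in the thread) into per-office blocks."""
    return list(ipaddress.ip_network(pool).subnets(new_prefix=new_prefix))


def conn_stanzas(leftsubnet, pool="192.168.1.0/24", new_prefix=29, count=30):
    """Generate one ipsec.conf conn stanza per office (conn names are made up
    here), refusing any office block that overlaps the gateway's leftsubnet."""
    stanzas = []
    for idx, net in enumerate(office_subnets(pool, new_prefix)[:count], start=1):
        if overlapping_pairs(leftsubnet, str(net)):
            raise ValueError(f"office block {net} overlaps leftsubnet {leftsubnet}")
        stanzas.append(
            f"conn office{idx}\n"
            f"    leftsubnet={leftsubnet}\n"
            f"    rightsubnet={net}\n"
            f"    auto=add"
        )
    return "\n\n".join(stanzas)


if __name__ == "__main__":
    # Martin's problem case: the office gateway tunnels 192.168.1.0/24 <-> 192.168.0.0/22.
    print(overlapping_pairs("192.168.1.0/24", "192.168.0.0/22"))
    # A purely local ARP request in the office (1.5 asks who has 1.6) gets a faked reply:
    print(farp_would_reply("192.168.1.5", "192.168.1.6", "192.168.1.0/24", "192.168.0.0/22"))
    # Anton's split removes the overlap and leaves 32 /29 blocks for the small offices.
    print(overlapping_pairs("192.168.0.0/24,192.168.2.0/23", "192.168.1.0/24"))
    print(len(office_subnets("192.168.1.0/24", 29)))
    print(conn_stanzas("192.168.0.0/24,192.168.2.0/23", count=3))
```

Run it as-is to see the overlap that Martin warns about and the clean split Anton proposes; `overlapping_pairs` is the check worth keeping in a deployment script, since a single overlapping pair on a gateway running farp means that gateway answers ARP for its own LAN's hosts.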