[strongSwan] Overlapping IP addresses

Noel Kuntze noel at familie-kuntze.de
Tue Dec 2 20:05:07 CET 2014



Hello Michael,

You can use MARKS to have several tunnels with the shared networks. You then choose the
tunnel you want by setting the FWMARK value using the MARK target.

See [1] for information.

Regarding your second question, strongSwan doesn't use the IP to distinguish clients. Actually, it doesn't
care. You can have as many IKE SAs and IPsec SAs open between different IPs as you want. The only limitation
to that is that you don't have the same subnets between different tunnels.
A problem might be, though, that the IPsec forwarding implementation on some routers is broken, because they don't
change the source port. That means that if you have two clients behind the same NAT router connecting to the same IPsec
peer over said NAT, the NAT gateway can't distinguish the packets for the different clients from one another, as the
source port, destination port, sender IP and recipient IP are all the same for the IPsec traffic when it arrives on the WAN
interface of the router, causing all the traffic to be forwarded to the client that had the NAT mapping first.

[1] https://lists.strongswan.org/pipermail/users/2014-November/006942.html


Kind regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 02.12.2014 at 14:44, Michael Schwartzkopff wrote:
> Hi,
>
> We have a problem setting up VPNs and I wanted to know if strongSwan can help
> us. Mainly we deal with overlapping IP addresses. This can happen in two cases:
>
> 1) Two customers use the same RFC1918 network internally. So it might happen
> that two boxes at customers get the same IP address. Does strongSwan provide
> a solution for this problem? Can strongSwan distinguish between both
> clients? If yes, how?
>
> 2) A customer has two of our boxes in his network. Our VPN server only sees
> the external IP address of the NAT box, which is identical for both VPN clients
> internally. Can strongSwan distinguish between both boxes? If yes, how?
>
> Thanks for any hints.
>
>
> Kind regards,
>
> Michael Schwartzkopff
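The NAT problem Noel describes in his reply can be made concrete with a small model. The following script is an added example, not code from the strongSwan project or from either poster, and every address in it is constructed. It models two IPsec clients behind one router, both sending UDP-encapsulated IPsec (NAT-T, port 4500) to the same peer. A router that preserves the source port produces identical outer 5-tuples for both clients, so only the client that created the mapping first ever receives replies; a router that rewrites the source port (NAPT) keeps the two flows apart. The `Nat` class and `simulate` function are hypothetical helpers written for this illustration.

```python
"""Model of the NAT-traversal collision described in the reply above.

Two clients behind one NAT both use UDP/4500 towards the same IPsec peer.
Port-preserving NAT: both outer flows look identical, the second mapping
is shadowed by the first.  Port-rewriting NAT (NAPT): distinct flows.
Added example with constructed addresses; not strongSwan code.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Outer 5-tuple as seen on the router's WAN side: proto, src ip, src port, dst ip, dst port
FiveTuple = Tuple[str, str, int, str, int]

PEER = "203.0.113.10"        # constructed VPN server address
WAN_IP = "198.51.100.7"      # constructed router WAN address
CLIENT_A = "192.168.1.10"    # constructed inside clients
CLIENT_B = "192.168.1.11"
NAT_T_PORT = 4500            # UDP port used for IKE/ESP NAT traversal


@dataclass
class Nat:
    """Minimal connection-tracking NAT with a switchable port policy."""
    wan_ip: str
    rewrite_ports: bool                     # True = NAPT, False = port-preserving
    next_port: int = 40000
    out_map: Dict[Tuple[str, int], int] = field(default_factory=dict)
    in_map: Dict[FiveTuple, Tuple[str, int]] = field(default_factory=dict)

    def outbound(self, proto: str, src_ip: str, src_port: int,
                 dst_ip: str, dst_port: int) -> FiveTuple:
        """Translate an inside packet and record the reverse mapping."""
        key = (src_ip, src_port)
        if key not in self.out_map:
            if self.rewrite_ports:
                self.out_map[key] = self.next_port
                self.next_port += 1
            else:
                self.out_map[key] = src_port      # broken behaviour: keep port
        ext_port = self.out_map[key]
        reverse = (proto, dst_ip, dst_port, self.wan_ip, ext_port)
        # First mapping wins; a colliding later one is silently shadowed.
        self.in_map.setdefault(reverse, key)
        return (proto, self.wan_ip, ext_port, dst_ip, dst_port)

    def inbound(self, proto: str, src_ip: str, src_port: int,
                dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Look up which inside endpoint a WAN-side packet is forwarded to."""
        return self.in_map.get((proto, src_ip, src_port, dst_ip, dst_port))


def simulate(rewrite_ports: bool) -> Dict[str, Optional[Tuple[str, int]]]:
    """Return, per client, the inside endpoint that receives the peer's reply."""
    nat = Nat(wan_ip=WAN_IP, rewrite_ports=rewrite_ports)
    delivered = {}
    for client in (CLIENT_A, CLIENT_B):
        proto, s_ip, s_port, d_ip, d_port = nat.outbound(
            "udp", client, NAT_T_PORT, PEER, NAT_T_PORT)
        # The peer answers to whatever outer source it saw.
        delivered[client] = nat.inbound(proto, d_ip, d_port, s_ip, s_port)
    return delivered


def collides(rewrite_ports: bool) -> bool:
    """True if the two clients' replies end up at the same inside endpoint."""
    d = simulate(rewrite_ports)
    return d[CLIENT_A] == d[CLIENT_B]


if __name__ == "__main__":
    for policy in (False, True):
        name = "port-rewriting NAT" if policy else "port-preserving NAT"
        print(f"{name}: {simulate(policy)} collision={collides(policy)}")
```

Only the NAT is at fault in the colliding case: the IPsec peer itself keeps the two IKE SAs apart by their SPIs, which is why the reply says strongSwan does not care about the client IP. What a defender checks for is a router whose NAT-T flows from several inside hosts share one outer source port.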
