[strongSwan] Overlaping IP addresses
noel at familie-kuntze.de
Tue Dec 2 20:05:07 CET 2014
-----BEGIN PGP SIGNED MESSAGE-----
You can use MARKS to have several tunnels with the shared networks. You then choose the
tunnel you want by setting the FWMARK value using the MARK target.
See  for information.
Regarding your second question, strongSwan doesn't use the IP to distinguish clients, Actually, it doesn't
care. You can have as many IKE SAs and IPsec SAs open between different IPs as you want. The only limitation
to that is, that you don't have the same subnets between different tunnels.
A problem might be though, that the IPsec forwarding implementation on some routers is broken, because they don't
change the source port. That means, that if you have two clients behind the same NAT router connecting to the same IPsec
peer over said NAT, the NAT gateway can't distinguish the packets for the different clients from one another, as the
source port, destination port, sender IP and recipient IP are all the same for the IPsec traffic, when it arrives on the WAN
interface of the router, causing all the traffic to be forwarded to the client that had the NAT mapping first.
Mit freundlichen Grüßen/Regards,
GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
Am 02.12.2014 um 14:44 schrieb Michael Schwartzkopff:
> We have a problem setting up VPNs and I wanted to know if StrongS/WAN can help
> us. Mainly we deal with overlapping IP addresse. This can happen in two cases:
> 1) Two customers use the same RFC1918 network internally. So it might happen
> that two boxes at customers get the same IP address. Does StrongS/WAN provide
> a solution for this problem? Can StrongS/WAN distwinguish between both
> clients? If yes, how?
> 2) A customer has two of our boxes in his network. Our VPN server only sees
> the extnal IP address of the NAT box, which is identical for both VPN clients
> internally. Can StrongS/WAN distuingish between both boxes? If yes, how?
> Thanks for any hints.
> Mit freundlichen Grüßen,
> Michael Schwartzkopff
> Users mailing list
> Users at lists.strongswan.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----
More information about the Users