Archived from groups: comp.unix.bsd.openbsd.misc,comp.os.linux.networking,mailing.openbsd.tech,comp.security.firewalls,comp.dcom.vpn
I really hope an IPSEC guru can enlighten me on the following..
Using:
Linux Kernel 2.6.4 using kernel level ipsec
ISAKMPD as the IKE daemon
Small office routers running on NET A & B
Topology as follows:
Network A                                Network B
192.168.0.0/24                           192.168.0.0/24
      ---                                      ---
router with public IP              router with public IP
      ---                                      ---
       |                                        |
       |                                        |
       |                                        |
       |               dA' NET                  |
       -----------------------------------------
                           |
                           |
                           |
                          ---
                 router with public IP
                          ---
                           |
                       Network C
                       10.0.0.0/25
Situation.
The router on network C is running Linux kernel 2.6.4 with ipsec and
ISAKMPD for IKE. This box is used as a VPN concentrator. The problem,
illustrated in the diagram, is fairly apparent - both networks A and B
have the same address range, and for reasons beyond my control I
cannot re-number either. Both tunnels also need to be on
simultaneously. I have googled till exhaustion with no return. The
closest I get to an example is a double NAT solution, which doesn't
really map across. I was thinking that a solution could be to
translate the Network A and B subnets to unique networks, using
POSTROUTING and PREROUTING iptables chains. The problem is that ipsec
on 2.6 does create user level interfaces (I can't see them) so I can't
use iptables to translate and then route via the ipsec interface.
2.6 seems to attach the tunnel directly to the machine, which you then
bind to any local interface.
I'm all out of ideas. HELP!!!
Any comments, suggestions or alternative solutions welcome....
Thanks
Jansen wrote:
> I really hope an IPSEC guru can enlighten me on the following..
>
> Using:
>
> Linux Kernel 2.6.4 using kernel level ipsec
> ISAKMPD as the IKE daemon
> Small office routers running on NET A & B
>
>
> Topology as follows:
>
>
> Network A                                Network B
> 192.168.0.0/24                           192.168.0.0/24
>       ---                                      ---
> router with public IP              router with public IP
>       ---                                      ---
>        |                                        |
>        |                                        |
>        |                                        |
>        |               dA' NET                  |
>        -----------------------------------------
>                            |
>                            |
>                            |
>                           ---
>                  router with public IP
>                           ---
>                            |
>                        Network C
>                        10.0.0.0/25
>
>
> Situation.
>
> The router on network C is running Linux kernel 2.6.4 with ipsec and
> ISAKMPD for IKE. This box is used as a VPN concentrator. The problem,
> illustrated in the diagram, is fairly apparent - both networks A and B
> have the same address range, and for reasons beyond my control I
> cannot re-number either. Both tunnels also need to be on
> simultaneously. I have googled till exhaustion with no return. The
> closest I get to an example is a double NAT solution, which doesn't
> really map across. I was thinking that a solution could be to
> translate the Network A and B subnets to unique networks, using
> POSTROUTING and PREROUTING iptables chains. The problem is that ipsec
> on 2.6 does create user level interfaces (I can't see them) so I can't
> use iptables to translate and then route via the ipsec interface.
>
> 2.6 seems to attach the tunnel directly to the machine, which you then
> bind to any local interface.
>
> I'm all out of ideas. HELP!!!
>
>
> Any comments, suggestions or alternative solutions welcome....
> Thanks
>
> Jansen
Unless netA and B are underused enough to have unique hosts on each segment,
i.e. 192.168.0.51 only on netA, in which case you can assign static routes
on the netC router, I believe you're going to have to NAT netA or B at the
respective gateway.
Put a case together on time and maintenance to make this work; you just
might make the 'reasons beyond my control' insignificant compared to
the benefit.
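To make the NAT-at-the-gateway suggestion above concrete, here is an added illustration (not code from the thread) of why the netC concentrator cannot disambiguate two tunnels whose remote selectors are both 192.168.0.0/24, and how a 1:1 prefix translation done at one site's own gateway (the kind of mapping the iptables NETMAP target performs) gives that site a unique prefix. The 10.1.0.0/24 replacement prefix, the tunnel names and all host addresses are constructed assumptions.

```python
# Added illustration (not from the thread): overlapping remote subnets make
# IPsec policy selection ambiguous; a 1:1 prefix translation at one site's
# gateway removes the overlap. 10.1.0.0/24 and all hosts are constructed.
from ipaddress import ip_address, ip_network

# Constructed: the netC concentrator's two tunnel policies as
# (tunnel name, local selector, remote selector).
POLICIES = [
    ("to-netA", ip_network("10.0.0.0/25"), ip_network("192.168.0.0/24")),
    ("to-netB", ip_network("10.0.0.0/25"), ip_network("192.168.0.0/24")),
]


def matching_tunnels(src, dst, policies):
    """Names of tunnels whose selectors cover src -> dst. More than one
    match means the concentrator cannot tell which site dst belongs to."""
    s, d = ip_address(src), ip_address(dst)
    return [name for name, loc, rem in policies if s in loc and d in rem]


def netmap(addr, old_net, new_net):
    """1:1 prefix translation, as iptables NETMAP does: keep the host bits,
    replace the network bits. Applying it with the prefixes swapped undoes it."""
    old, new = ip_network(old_net), ip_network(new_net)
    if old.prefixlen != new.prefixlen:
        raise ValueError("NETMAP needs equal prefix lengths")
    if ip_address(addr) not in old:
        raise ValueError(f"{addr} is not inside {old}")
    host_bits = int(ip_address(addr)) & int(old.hostmask)
    return str(ip_address(int(new.network_address) | host_bits))


def with_translated_site(policies, site, new_net):
    """Policies once `site` presents itself through a unique prefix:
    only that tunnel's remote selector changes."""
    return [(n, loc, ip_network(new_net) if n == site else rem)
            for n, loc, rem in policies]


def demo():
    """Before: one destination matches both tunnels. After translating
    netB to 10.1.0.0/24: each destination matches exactly one tunnel."""
    before = matching_tunnels("10.0.0.5", "192.168.0.51", POLICIES)
    fixed = with_translated_site(POLICIES, "to-netB", "10.1.0.0/24")
    b_host = netmap("192.168.0.51", "192.168.0.0/24", "10.1.0.0/24")
    after_a = matching_tunnels("10.0.0.5", "192.168.0.51", fixed)
    after_b = matching_tunnels("10.0.0.5", b_host, fixed)
    return before, b_host, after_a, after_b
```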
Archived from groups: comp.os.linux.networking,comp.dcom.vpn
[ newsgroups / followup-to trimmed, OP cc'ed ]
In comp.dcom.vpn Jansen <jreyes@wirespeedit.com> wrote:
> The router on network C is running linux kernel 2.6.4 with ipsec and
> ISAKMPD for IKE. This box is used as a VPN concentrator. The problem,
> illustrated in the diagram is fairly apparent - Both networks A and B
> have the same address range, and for reasons beyond my control I
> cannot re-number either. Both tunnels also need to be on
You need to renumber one of them. Some commercial VPN routers have provisions
for doing this but they are hackish at best. Really, it'll be much easier
on you if you can convince one or the other of them to renumber.
--
Eric Sorenson - Systems / Network Administrator, MIS - Transmeta Corporation