
I'm trying to configure the following scenario with OpenSwan on Ubuntu 14.04 Linux.
It's an interesting configuration and it would be great to understand why I'm failing to configure it correctly, also because it could help many people resolve this issue (the Internet is full of questions about it and "half" answers).

SCENARIO

[L-App Server]<=>[L-VPN GW]<====>[R-VPN GW]<=>[NAT]<=>[R-App Server] 
  • [L-VPN GW] is my VPN Gateway with Public-IP 1.1.1.1 and Private-IP 10.1.1.1 and is in the Left-Subnet 10.0.0.0/8, together with the [L-App Server]
  • [R-VPN GW] is the VPN Gateway of the other side with Public-IP 2.2.2.2. I have to reach an [R-App Server] with address 10.2.2.2 and Right-Subnet 10.0.0.0/8, connected to a NAT with address 45.2.2.2/32 (not publicly reachable, only reachable after the tunnel is established).

PROBLEM
As you can see, both the Left Subnet and the Right Subnet are the same. So, when I try to (for example) ping 10.2.2.2 from my L-VPN GW, the requests are not forwarded through the VPN tunnel, but through the LAN.
Also, I cannot see an ipsec0 interface, so that I could route the traffic to 10.2.2.2 through that interface (even if I don't think it would be a solution, because of the NAT).

QUESTION(s)

  • How can I manage a scenario like this with overlapping subnets?
  • How can I set a ipsec0 interface? (I've tried with interfaces="ipsec=eth0" but it fails)
  • In the full scenario, I have more [R-App Servers] connected to different NATs reachable from the same [R-VPN GW]

DATA
ipsec.conf

right=2.2.2.2              # public IP of [R-VPN GW]
rightid=2.2.2.2            # IKE identity expected from the remote peer
rightsubnet=45.2.2.2/32    # remote traffic selector: only traffic to 45.2.2.2 is sent into the tunnel
rightnexthop=45.2.2.2      # next-hop gateway towards 'right' on the public side
# Even without rightnexthop tried
rightsourceip=10.2.2.2     # virtual source address handed to the remote side; it does not add a route

route -n

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.0.254      0.0.0.0         UG    0      0        0 eth0
10.1.1.1        0.0.0.0         255.255.255.192 U     0      0        0 eth0
45.2.2.2        0.0.0.0         255.255.255.255 UH    0      0        0 eth0

So, as I understand, it would be nice if I had 10.1.1.1 instead of 45.2.2.2 in the routes. I've tried to add it as my rightsubnet, but ipsec fails to bring up the tunnel.

If you need more data please comment on the question. In the meantime, thank you very much for your help :)

  • You need to re-number one side.
    – EEAA
    Commented Jan 3, 2017 at 15:12
  • @EEAA thanks for your answer. Even if I re-number one side (let's say 192.168.0.0, so my new [R-App Server] will be 192.168.0.2), how could I manage the fact that 192.168.0.2 must be routed through the VPN? I see only the NAT subnet announced, so only that route is pushed ... You could save my life with your answer :D. Thank you!
    – Echoes_86
    Commented Jan 3, 2017 at 15:16
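As an added example (not code from the question or the commenters), the following Python script shows the two things the thread turns on: why traffic to 10.2.2.2 never enters the tunnel when the remote selector is 45.2.2.2/32, and what a renumbered conn stanza looks like once the two selectors no longer overlap. The gateway addresses come from the question; the conn name "lgw-to-rgw", the renumbered remote subnet 192.168.0.0/24 (from EEAA's suggestion) and the authby/auto lines are assumptions for illustration.

```python
import ipaddress


def overlapping(left_subnet: str, right_subnet: str) -> bool:
    """True when the local and remote traffic selectors share any address.

    Openswan installs the kernel SPD (xfrm policy) from the leftsubnet /
    rightsubnet pair; if both sides claim 10.0.0.0/8 the "remote" selector
    also covers every local host and no sane policy can be installed.
    """
    return ipaddress.ip_network(left_subnet, strict=False).overlaps(
        ipaddress.ip_network(right_subnet, strict=False)
    )


def selector_matches(src: str, dst: str, left_subnet: str, right_subnet: str) -> bool:
    """Would an outbound packet src -> dst hit the tunnel's policy?

    The kernel only encrypts traffic whose (src, dst) falls inside
    (leftsubnet, rightsubnet). Anything else follows the ordinary routing
    table in the clear, which is what the question observes when pinging
    10.2.2.2 while rightsubnet is 45.2.2.2/32.
    """
    return (
        ipaddress.ip_address(src) in ipaddress.ip_network(left_subnet, strict=False)
        and ipaddress.ip_address(dst) in ipaddress.ip_network(right_subnet, strict=False)
    )


def render_conn(name: str, left: str, left_subnet: str, right: str, right_subnet: str) -> str:
    """Render a minimal Openswan conn stanza, refusing overlapping selectors.

    The conn name and the authby/auto settings are assumptions, not values
    from the original post.
    """
    if overlapping(left_subnet, right_subnet):
        raise ValueError(
            f"leftsubnet {left_subnet} overlaps rightsubnet {right_subnet}: renumber one side"
        )
    stanza = [
        f"conn {name}",
        "        type=tunnel",
        "        authby=secret",
        f"        left={left}",
        f"        leftsubnet={left_subnet}",
        f"        right={right}",
        f"        rightid={right}",
        f"        rightsubnet={right_subnet}",
        "        auto=start",
    ]
    return "\n".join(stanza) + "\n"


if __name__ == "__main__":
    # Constructed values from the question: L-VPN GW 1.1.1.1 / 10.1.1.1, R-VPN GW 2.2.2.2.
    print(overlapping("10.0.0.0/8", "10.0.0.0/8"))  # True: the question's setup
    # False: 10.2.2.2 is outside rightsubnet=45.2.2.2/32, so the ping takes the LAN route
    print(selector_matches("10.1.1.1", "10.2.2.2", "10.0.0.0/8", "45.2.2.2/32"))
    # After renumbering the remote side, a non-overlapping pair renders cleanly
    print(render_conn("lgw-to-rgw", "1.1.1.1", "10.0.0.0/8", "2.2.2.2", "192.168.0.0/24"))
```

Once a non-overlapping stanza like the rendered one is loaded, no extra route to 192.168.0.2 is needed on the NETKEY stack that Ubuntu's openswan package uses by default: there is no ipsec0 interface there, the kernel xfrm policy intercepts any packet matching leftsubnet -> rightsubnet before routing, and `ip xfrm policy` shows the installed selectors (ipsec0 only exists with the KLIPS stack).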
