I'm trying to configure the following scenario with OpenSwan on Ubuntu 14.04.
It's an interesting configuration and it would be great to understand why I'm failing to configure it correctly, also because it could help many people resolve this issue (the Internet is full of questions about it and "half" answers).
SCENARIO
[L-App Server]<=>[L-VPN GW]<====>[R-VPN GW]<=>[NAT]<=>[R-App Server]
[L-VPN GW] is my VPN Gateway with Public-IP 1.1.1.1 and Private-IP 10.1.1.1, and it is in the Left-Subnet 10.0.0.0/8, together with the [L-App Server].
[R-VPN GW] is the VPN Gateway of the other side with Public-IP 2.2.2.2. I have to reach an [R-App Server] with address 10.2.2.2 and Right-Subnet 10.0.0.0/8, connected to a NAT with address 45.2.2.2/32 (not publicly reachable, only reachable after the tunnel is established).
PROBLEM
As you can see, both the Left Subnet and the Right Subnet are the same. So, when I try to (for example) ping 10.2.2.2 from my L-VPN GW, the requests are not forwarded through the VPN tunnel, but through the LAN.
Also, I cannot see an ipsec0 interface through which I could route the traffic to 10.2.2.2 (even if I don't think it would be a solution, because of the NAT).
QUESTION(s)
- How can I manage a scenario like this with overlapping subnets?
- How can I set up an ipsec0 interface? (I've tried with interfaces="ipsec=eth0" but it fails)
- In the full scenario, I have more [R-App Servers] connected to different NATs, reachable from the same [R-VPN GW].
DATA
ipsec.conf
right=2.2.2.2
rightid=2.2.2.2
rightsubnet=45.2.2.2/32
rightnexthop=45.2.2.2
# Also tried without rightnexthop
rightsourceip=10.2.2.2
route -n
0.0.0.0 10.0.0.254 0.0.0.0 UG 0 0 0 eth0
10.1.1.1 0.0.0.0 255.255.255.192 U 0 0 0 eth0
45.2.2.2 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
So, as I understand it, it would be nice to have 10.1.1.1 instead of 45.2.2.2 in the routes. I've tried to add it as my rightsubnet, but ipsec fails to bring up the tunnel.
If you need more data, please comment on the question. In the meantime, thank you very much for your help :)
192.168.0.0, so my new [R-App Server] will be 192.168.0.2; how could I manage the fact that 192.168.0.2 must be routed through the VPN? I see only the NAT subnet announced, so only that route is pushed ... You could save my life with your answer :D. Thank you!
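The following is an added worked example, not part of the question above and not OpenSwan's own code. It models what the left gateway does with a packet under policy-based IPsec (the NETKEY stack used by OpenSwan on a stock Ubuntu 14.04 kernel has no ipsec0 device; that interface only exists with KLIPS): the security policy database is consulted first, and a packet that matches no leftsubnet/rightsubnet selector simply follows the ordinary routing table. The route table is constructed from the question's route -n output, the selectors from its ipsec.conf; the 172.16.2.0/24 prefix in the last case is a hypothetical, non-overlapping remote selector used only to show the contrast with the overlapping 10.0.0.0/8 case.

```python
from ipaddress import ip_address, ip_network

# Constructed from the question's `route -n` output:
# (destination, netmask, gateway or None for on-link, interface)
ROUTES = [
    ("0.0.0.0", "0.0.0.0", "10.0.0.254", "eth0"),
    ("10.1.1.1", "255.255.255.192", None, "eth0"),
    ("45.2.2.2", "255.255.255.255", None, "eth0"),
]


def lookup_route(dst, routes=ROUTES):
    """Longest-prefix match over the routing table.

    Returns (gateway, interface); gateway is None for an on-link route.
    This is what the kernel falls back to when no IPsec policy matches.
    """
    d = ip_address(dst)
    best = None
    for net, mask, gw, dev in routes:
        # strict=False: the table lists 10.1.1.1/26, whose network is 10.1.1.0/26
        n = ip_network(f"{net}/{mask}", strict=False)
        if d in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, gw, dev)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best[1], best[2]


def classify(src, dst, left_subnet, right_subnet):
    """Decide how the left gateway handles src->dst for one OpenSwan conn.

    left_subnet / right_subnet are the conn's leftsubnet / rightsubnet
    traffic selectors. Returns (verdict, detail) where verdict is:
      'OVERLAP' - the two selectors share addresses, so the same address is
                  both 'local' and 'remote' and the policy is ambiguous;
      'TUNNEL'  - the packet matches the selector pair and is encapsulated;
      'LAN'     - no policy matches; the packet follows the routing table.
    """
    left, right = ip_network(left_subnet), ip_network(right_subnet)
    if left.overlaps(right):
        return "OVERLAP", f"{left} and {right} share addresses"
    if ip_address(src) in left and ip_address(dst) in right:
        return "TUNNEL", f"selector {left} -> {right} matched"
    gw, dev = lookup_route(dst)
    via = f"via {gw} " if gw else ""
    return "LAN", f"no selector matched; routed {via}dev {dev}"


if __name__ == "__main__":
    # Case 1: the question's configuration, rightsubnet=45.2.2.2/32.
    # 10.2.2.2 is not covered, so the ping leaves on eth0 via the default
    # gateway: exactly the "goes through the LAN" symptom.
    print(classify("10.1.1.1", "10.2.2.2", "10.0.0.0/8", "45.2.2.2/32"))
    # Case 2: rightsubnet=10.0.0.0/8, the same as leftsubnet: overlapping.
    print(classify("10.1.1.1", "10.2.2.2", "10.0.0.0/8", "10.0.0.0/8"))
    # Case 3: only the NAT address itself is selected into the tunnel.
    print(classify("10.1.1.1", "45.2.2.2", "10.0.0.0/8", "45.2.2.2/32"))
    # Case 4 (hypothetical prefix): a remote selector that does not overlap
    # the local one is unambiguous and gets tunnelled.
    print(classify("10.1.1.1", "172.16.2.2", "10.0.0.0/8", "172.16.2.0/24"))
```

Running the script prints the verdict for each case; the point of cases 1 and 2 together is that 10.2.2.2 can only be tunnelled by a rightsubnet that covers it, and any such prefix inside 10.0.0.0/8 collides with leftsubnet, which is why the problem cannot be solved by routing alone.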