doc:howto:vpn.ipsec.overlappingsubnets, revision 2015/08/08 19:11 by someguyandhiscat (typo fix); previous revision 2013/01/20 19:11 by birnenschnitzel.
====== IPsec With Overlapping Subnets ======
| For an overview of all existing virtual private network (VPN) related articles in the OpenWrt wiki, please visit [[doc/howto/vpn.overview]] |
:!: This page is about strongSwan. The old racoon documentation can be found [[vpn.ipsec.overlappingsubnets.racoon|here]].
  
So what is it all about? Let us start with a picture and some explanations. What do we have?
  
  * ACME company with internal subnet 10.1.2.0/24 has an existing tunnel to another company with subnet 192.168.2.0/24. The ACME firewall therefore routes all packets with destination 192.168.2.1-192.168.2.254 into that existing tunnel.
  * Our OpenWrt user at home already has an IPsec VPN connection too. The OpenWrt firewall protects his network 192.168.2.64/26 and routes all traffic to 10.1.0.0-10.1.3.254 (i.e. 10.1.0.0/22) into the established tunnel to yet another company.
  * Establishing a new tunnel between home and ACME without address translation would therefore run into routing conflicts. E.g. if we want to reach the server 10.1.2.55 from home, it could either be a machine in the ACME network or in the other company's network, and 192.168.2.77 at home is equally ambiguous from ACME's point of view.
  * That means each of the two sides determines, for itself, the translated subnet it uses to address the remote end of the tunnel.
  
Let us look at the packet flow and see where address translation has to occur. Let us assume we want to reach the ACME mailserver on address 10.1.2.55 from our laptop with address 192.168.2.77.
  
  * We cannot use the mailserver's real address but have to choose 10.1.4.55 instead. You can see that the lower (host) part of the IP matches the original address while the higher (network) part is taken from the translated subnet 10.1.4.0/24.
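The following is an added example, not code from the OpenWrt wiki or from strongSwan. It models the 1:1 prefix translation described above (the same semantics as the iptables NETMAP target: host bits are kept, network bits are swapped) for the ACME side, 10.1.2.0/24 seen from home as 10.1.4.0/24, and it shows the check you want to do before choosing a translated subnet: the candidate must not overlap anything already routed on the side that will use it. The network objects are constructed from the numbers on this page; the translation of the home subnet, which this page does not spell out in the lines above, is deliberately not assumed.

```python
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Constructed from the scenario on this page.
HOME_LAN = ip_network("192.168.2.64/26")
HOME_EXISTING_ROUTE = ip_network("10.1.0.0/22")    # 10.1.0.0-10.1.3.254 already goes into another tunnel
ACME_LAN = ip_network("10.1.2.0/24")
ACME_EXISTING_ROUTE = ip_network("192.168.2.0/24")  # already routed into ACME's other tunnel
ACME_TRANSLATED = ip_network("10.1.4.0/24")         # how hosts at home address the ACME LAN


def netmap(addr, src_net: IPv4Network, dst_net: IPv4Network) -> IPv4Address:
    """1:1 prefix translation: keep the host bits of addr, replace the network bits.

    This is what `iptables -t nat -j NETMAP --to <dst_net>` does to a packet
    whose address lies in src_net. Both prefixes must be the same size,
    otherwise the mapping is not one-to-one.
    """
    addr = ip_address(addr)
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("NETMAP needs equal-sized prefixes")
    if addr not in src_net:
        raise ValueError(f"{addr} is not in {src_net}")
    host_bits = int(addr) & int(src_net.hostmask)
    return IPv4Address(int(dst_net.network_address) | host_bits)


def conflicts(candidate: IPv4Network, routes) -> list:
    """Return every existing route the candidate subnet overlaps with."""
    return [r for r in routes if candidate.overlaps(r)]


def packet_flow(laptop: str, mail_as_seen_from_home: str) -> dict:
    """Trace the addresses of a request from the laptop to the ACME mailserver
    and of the reply, across the translation 10.1.4.0/24 <-> 10.1.2.0/24."""
    real_dst = netmap(mail_as_seen_from_home, ACME_TRANSLATED, ACME_LAN)
    reply_src = netmap(real_dst, ACME_LAN, ACME_TRANSLATED)
    return {
        "request_before_translation": (laptop, mail_as_seen_from_home),
        "request_after_translation": (laptop, str(real_dst)),
        "reply_after_translation": (str(reply_src), laptop),
    }


if __name__ == "__main__":
    home_routes = [HOME_LAN, HOME_EXISTING_ROUTE]
    # Using ACME's real subnet from home would collide with the existing route.
    print("10.1.2.0/24 conflicts at home with:", conflicts(ACME_LAN, home_routes))
    # The translated subnet is free on the home side.
    print("10.1.4.0/24 conflicts at home with:", conflicts(ACME_TRANSLATED, home_routes))
    # And the home LAN itself collides with ACME's existing route, hence the
    # translation in the other direction that the rest of this page covers.
    print("192.168.2.64/26 conflicts at ACME with:", conflicts(HOME_LAN, [ACME_LAN, ACME_EXISTING_ROUTE]))
    for step, (src, dst) in packet_flow("192.168.2.77", "10.1.4.55").items():
        print(f"{step}: {src} -> {dst}")
```

Run the overlap check on the candidate translated subnet before you write any NETMAP rule or strongSwan child SA: a candidate that overlaps an existing route on the side that uses it simply reintroduces the ambiguity you are trying to remove.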