IPSEC VPN ISAKMPD Conflicting Address Ranges

Jansen
      04-26-2004, 07:52 PM
I really hope an IPSEC guru can enlighten me on the following..

Using:

Linux Kernel 2.6.4 using kernel level ipsec
ISAKMPD as the IKE daemon
Small office routers running on NET A & B


Topology as follows:


Network A                              Network B
192.168.0.0/24                         192.168.0.0/24
   ---                                    ---
router with public IP                  router with public IP
   ---                                    ---
    |                                      |
    |                                      |
    |                                      |
    |             dA' NET                  |
    -----------------------------------------
                        |
                        |
                        |
                       ---
               router with public IP
                       ---
                        |
                    Network C
                    10.0.0.0/25


Situation.

The router on network C is running linux kernel 2.6.4 with ipsec and
ISAKMPD for IKE. This box is used as a VPN concentrator. The problem,
illustrated in the diagram is fairly apparent - Both networks A and B
have the same address range, and for reasons beyond my control I
cannot re-number either. Both tunnels also need to be on
simultaneously. I have googled till exhaustion with no return. The
closest I get to an example is a double NAT solution, that doesn't
really map across. I was thinking that a solution could be to
translate the Network A and B subnets to unique networks. using
POSTROUTING and PREROUTING iptable chains. The problem is that ipsec
on 2.6 does create user level interfaces (I can't see them) so I can't
use iptables to translate and then route via the ipsec interface.

2.6 seems to attach the tunnel directly to the machine, which you then
bind to any local interface.

I'm all out of ideas. HELP!!!


Any comments suggestions or alternatives solutions welcome....
Thanks

Jansen
Alexander Clouter
      04-29-2004, 09:31 PM
On 2004-04-26, Jansen <(E-Mail Removed)> wrote:
>
> Situation.
>
> The router on network C is running linux kernel 2.6.4 with ipsec and
> ISAKMPD for IKE. This box is used as a VPN concentrator. The problem,
> illustrated in the diagram is fairly apparent - Both networks A and B
> have the same address range, and for reasons beyond my control I
> cannot re-number either. Both tunnels also need to be on
> simultaneously. I have googled till exhaustion with no return. The
> closest I get to an example is a double NAT solution, that doesn't
> really map across. I was thinking that a solution could be to
> translate the Network A and B subnets to unique networks. using
> POSTROUTING and PREROUTING iptable chains. The problem is that ipsec
> on 2.6 does create user level interfaces (I can't see them) so I can't
> use iptables to translate and then route via the ipsec interface.
>
> 2.6 seems to attach the tunnel directly to the machine, which you then
> bind to any local interface.
>
> I'm all out of ideas. HELP!!!
>

hmmm sounds fun. I am shocked that the remote admins refuse to change the IP
addresses to solve the problem. What I would recommend you do is NAT
(ipmasq) at the remote offices if traffic needs to arrive at one of the other
networks. You would get access to all the machines however to the 'server'
the connections would only ever come from the remote gateway.

The alternative is SNAT everyone on the 192.168.x.y regions to a 10.x.y.z
region; so everyone is effectively then mapped to 10.x.y.z. However this is
probably your double NAT solution you mentioned.

An alternative: although they might be in the same range, are there actually
overlapping IP addresses present (ie. two machines on different sites have
the same IP address)? If not, then if everything at the first site is in
192.168.0.0->127 and at the second one in 192.168.0.128->255, you can use the
subnet mask 255.255.255.128 (or /25); of course adapt the subnet mask to suit
your needs.

I would highly recommend you still 'press' for an IP address rearrangement.
You probably will need to at some time in the future before things get out
of hand.

Keep in touch, I would be interested to see how this goes.....

Cheers

Alex
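The two workarounds raised in this thread, the /25 split (only possible when no host address is in use on both sites) and the 1:1 translation of each remote 192.168.0.0/24 to a unique range (the SNAT/NETMAP-style double NAT), as an added example that is not from any poster. The host inventories and the 10.1.0.0/24 and 10.2.0.0/24 target ranges are constructed for illustration (chosen not to overlap network C's 10.0.0.0/25); the translation mirrors how the iptables NETMAP target rewrites addresses, it does not program the kernel.

```python
import ipaddress

IPv4 = ipaddress.IPv4Address
IPv4Net = ipaddress.IPv4Network

# Constructed host inventories for the two 192.168.0.0/24 sites (not real data).
SITE_A_HOSTS = ["192.168.0.1", "192.168.0.10", "192.168.0.51"]
SITE_B_HOSTS = ["192.168.0.129", "192.168.0.130", "192.168.0.200"]
SITE_B_CLASH = ["192.168.0.1", "192.168.0.130"]  # reuses an address from site A

def colliding_hosts(a, b):
    """Addresses in use on both sites; no routing or masking trick can reach both."""
    return {IPv4(x) for x in a} & {IPv4(x) for x in b}

def disjoint_prefix_split(a, b, net="192.168.0.0/24"):
    """Least specific pair (net_a, net_b) of subnets of `net` such that net_a holds
    every site-A host, net_b every site-B host, and the two do not overlap (Alex's
    /25 idea, tried for every prefix length). None when no split works."""
    base = IPv4Net(net)
    hosts_a = {IPv4(x) for x in a}
    hosts_b = {IPv4(x) for x in b}
    for plen in range(base.prefixlen + 1, 31):
        subs = list(base.subnets(new_prefix=plen))
        fit_a = [s for s in subs if all(h in s for h in hosts_a)]
        fit_b = [s for s in subs if all(h in s for h in hosts_b)]
        for sa in fit_a:
            for sb in fit_b:
                if not sa.overlaps(sb):
                    return sa, sb
    return None

def netmap(addr, src_net, dst_net):
    """1:1 prefix translation as iptables' NETMAP target does it: keep the host
    bits of `addr`, replace the network bits with those of dst_net."""
    src, dst = IPv4Net(src_net), IPv4Net(dst_net)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("NETMAP needs prefixes of equal length")
    if IPv4(addr) not in src:
        raise ValueError(f"{addr} is not inside {src_net}")
    host_bits = int(IPv4(addr)) & int(src.hostmask)
    return str(IPv4(int(dst.network_address) | host_bits))

if __name__ == "__main__":
    print("collisions:", colliding_hosts(SITE_A_HOSTS, SITE_B_CLASH))
    print("split:", disjoint_prefix_split(SITE_A_HOSTS, SITE_B_HOSTS))
    # Site A presented to network C as 10.1.0.0/24, site B as 10.2.0.0/24
    # (constructed ranges that stay clear of network C's own 10.0.0.0/25).
    print(netmap("192.168.0.51", "192.168.0.0/24", "10.1.0.0/24"))
    print(netmap("192.168.0.51", "192.168.0.0/24", "10.2.0.0/24"))
```

With the translation in place, connections from network C would be addressed to 10.1.0.51 or 10.2.0.51, so the concentrator never has to carry two routes for 192.168.0.0/24.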
Eric Sorenson
      05-01-2004, 12:17 AM
[ newsgroups / followup-to trimmed, OP cc'ed ]

In comp.dcom.vpn Jansen <(E-Mail Removed)> wrote:

> The router on network C is running linux kernel 2.6.4 with ipsec and
> ISAKMPD for IKE. This box is used as a VPN concentrator. The problem,
> illustrated in the diagram is fairly apparent - Both networks A and B
> have the same address range, and for reasons beyond my control I
> cannot re-number either. Both tunnels also need to be on


You need to renumber one of them. Some commercial VPN routers have provisions
for doing this but they are hackish at best. Really, it'll be much easier
on you if you can convince one or the other of them to renumber.

--
Eric Sorenson - Systems / Network Administrator, MIS - Transmeta Corporation
Riddler
      05-04-2004, 04:05 PM
Jansen wrote:

> I really hope an IPSEC guru can enlighten me on the following..
>
> Using:
>
> Linux Kernel 2.6.4 using kernel level ipsec
> ISAKMPD as the IKE daemon
> Small office routers running on NET A & B
>
>
> Topology as follows:
>
>
> Network A                              Network B
> 192.168.0.0/24                         192.168.0.0/24
>    ---                                    ---
> router with public IP                  router with public IP
>    ---                                    ---
>     |                                      |
>     |                                      |
>     |                                      |
>     |             dA' NET                  |
>     -----------------------------------------
>                         |
>                         |
>                         |
>                        ---
>                router with public IP
>                        ---
>                         |
>                     Network C
>                     10.0.0.0/25
>
>
> Situation.
>
> The router on network C is running linux kernel 2.6.4 with ipsec and
> ISAKMPD for IKE. This box is used as a VPN concentrator. The problem,
> illustrated in the diagram is fairly apparent - Both networks A and B
> have the same address range, and for reasons beyond my control I
> cannot re-number either. Both tunnels also need to be on
> simultaneously. I have googled till exhaustion with no return. The
> closest I get to an example is a double NAT solution, that doesn't
> really map across. I was thinking that a solution could be to
> translate the Network A and B subnets to unique networks. using
> POSTROUTING and PREROUTING iptable chains. The problem is that ipsec
> on 2.6 does create user level interfaces (I can't see them) so I can't
> use iptables to translate and then route via the ipsec interface.
>
> 2.6 seems to attach the tunnel directly to the machine, which you then
> bind to any local interface.
>
> I'm all out of ideas. HELP!!!
>
>
> Any comments suggestions or alternatives solutions welcome....
> Thanks
>
> Jansen


Unless netA and B are underused enough to have unique hosts on each segment,
ie: 192.168.0.51 only on netA, in which case you can assign static routes
on the netC router, I believe you're going to have to NAT netA or B at the
respective gateway.

Put a case together on time and maintenance to make this work; you just
might make the 'reasons beyond my control' insignificant compared to
the benefit.

-riddler