Date: Sat, 17 Aug 2013 11:42:42 +0100
From: Frank Leonhardt <freebsd-doc@fjl.co.uk>
To: Terje Elde <terje@elde.net>
Cc: "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
Subject: Re: VPN where local private address collide
Message-ID: <520F53A2.80707@fjl.co.uk>
In-Reply-To: <9FB6809B-DD5D-4A04-8BD9-0271FAC03181@elde.net>
References: <520E5EC0.5090105@fjl.co.uk> <9FB6809B-DD5D-4A04-8BD9-0271FAC03181@elde.net>
On 16/08/2013 20:30, Terje Elde wrote:
> On 16. aug. 2013, at 19:17, Frank Leonhardt <freebsd-doc@fjl.co.uk> wrote:
>> Has anyone actually done this, and if so, how?
> This is wrong on so many levels, and you'll have to work around all of them. Yes, you can use NAT, but what about address resolution? And so on.
>
> If it's a specific thing you need to work - a specific server for example - NAT can work, but if you need general bridging, best to avoid conflicts.
>
> Note that there are alternatives, such as L2-bridging rather than L3.
>
> If you explain a bit more of the setup, and what you need to work, it'd be easier to suggest something.
>
> Right now, we know bits of the setup, but not really what problem(s) you're trying to solve.

The setup is basically as described and the desired outcome is to NAT "the other end" so the addresses appear different. FWIW it only has to be done one way, which I didn't mention. Address resolution is not a problem - easily fixed at DNS. As I said, the only thing that cannot be changed are the local IP addresses in use, so thanks for heeding my warning. Lesser mortals might have changed the ranges anyway.

Yes, it's obviously best to avoid conflicts but if you're bigger than Fred-in-shed you're going to get them. What I'm asking (VPN NAT) is possible, and a recognised solution to the problem I've described - the big boys do it all the time, apparently. My local Cisco expert was able to talk me through doing it, but only on IOS :-(

Basically you put the VPN traffic through a NAT table on both ends, so all the remote addresses get mapped to an alternative local range. You pretty much have to do it both ways (source and destination) or you won't get a reply. I can think of dozens of workarounds for specific situations (e.g. if it was to access a limited number of hosts, dual-home the ones you need) but this is specifically a general solution.
I'm sure this is going to be a PITA to work out on FreeBSD, because I'm not that familiar with the tools. I was hoping someone had done it, but if I have to.... I may be gone for some time.
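The "NAT table on both ends, source and destination" arrangement described above can be expressed on FreeBSD with a single pf `binat` rule per gateway. The following is an added illustration, not configuration from this thread or from any FreeBSD project documentation; the interface names and the 192.168.1.0/24 and 10.99.x.0/24 ranges are constructed assumptions, and the tunnel interface is assumed to be one that pf sees before encryption (an OpenVPN tun or a gif tunnel; for IPsec the enc(4) interface serves the same role).

```pf
# /etc/pf.conf on the site-A gateway (added example, constructed addresses).
# Both sites use 192.168.1.0/24 and neither can change it.
# Site A presents itself to site B as 10.99.1.0/24.
# Site B runs the mirror of this file and presents itself as 10.99.2.0/24.
# Each side also needs a route for the other side's alias range via the
# tunnel, e.g. on site A: route add -net 10.99.2.0/24 -iface tun0

lan_if  = "em0"            # assumption: inside interface
vpn_if  = "tun0"           # assumption: tunnel interface pf sees pre-encryption
lan_net = "192.168.1.0/24" # the real, colliding LAN range
a_alias = "10.99.1.0/24"   # how site A appears to site B
b_alias = "10.99.2.0/24"   # how site B appears to site A

# One-to-one, bidirectional mapping of the whole /24 (same prefix length on
# both sides of the arrow). Outbound on the tunnel the source 192.168.1.x
# becomes 10.99.1.x; inbound, a destination of 10.99.1.x is mapped back to
# 192.168.1.x. Translation rules must precede filter rules in FreeBSD's pf.
binat on $vpn_if from $lan_net to $b_alias -> $a_alias

# Only the aliased ranges ever cross the tunnel; the real range is never
# seen on the wire, so the collision cannot confuse either side's routing.
pass in  quick on $vpn_if from $b_alias to $lan_net keep state
pass out quick on $vpn_if from $a_alias to $b_alias keep state
block in  quick on $vpn_if from $lan_net   # the real range must never arrive raw
block out quick on $vpn_if from $lan_net   # nor leave untranslated
```

With both gateways configured this way, a host at site A reaches a site-B host at 10.99.2.5: site A rewrites the source to 10.99.1.x on the way out, site B rewrites the destination 10.99.2.5 to 192.168.1.5 on the way in, and the reply path reverses both steps, which is the "both ways" requirement from the message above. The DNS side mentioned above is then just a matter of site A's resolver handing out 10.99.2.x answers for site-B names rather than the real 192.168.1.x addresses.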
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?520F53A2.80707>