Date:      Sat, 17 Aug 2013 11:42:42 +0100
From:      Frank Leonhardt <freebsd-doc@fjl.co.uk>
To:        Terje Elde <terje@elde.net>
Cc:        "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
Subject:   Re: VPN where local private address collide
Message-ID:  <520F53A2.80707@fjl.co.uk>
In-Reply-To: <9FB6809B-DD5D-4A04-8BD9-0271FAC03181@elde.net>
References:  <520E5EC0.5090105@fjl.co.uk> <9FB6809B-DD5D-4A04-8BD9-0271FAC03181@elde.net>

On 16/08/2013 20:30, Terje Elde wrote:
> On 16. aug. 2013, at 19:17, Frank Leonhardt <freebsd-doc@fjl.co.uk> wrote:
>> Has anyone actually done this, and if so, how?
> This is wrong on so many levels, and you'll have to work around all of them. Yes, you can use NAT, but what about address resolution? And so on.
>
> If it's a specific thing you need to work - a specific server for example - NAT can work, but if you need general bridging, best to avoid conflicts.
>
> Note that there are alternatives, such as L2-bridging rather than L3.
>
> If you explain a bit more of the setup, and what you need to work, it'd be easier to suggest something.
>
> Right now, we know bits of the setup, but not really what problem(s) you're trying to solve.
>
>

The setup is basically as described and the desired outcome is to NAT 
"the other end" so the addresses appear different. FWIW it only has to 
be done one way, which I didn't mention. Address resolution is not a 
problem - easily fixed at DNS. As I said, the only thing that cannot be 
changed are the local IP addresses in use, so thanks for heeding my 
warning. Lesser mortals might have changed the ranges anyway. Yes, it's 
obviously best to avoid conflicts, but if you're bigger than Fred-in-shed 
you're going to get them.

What I'm asking (VPN NAT) is possible, and a recognised solution to the 
problem I've described - the big boys do it all the time, apparently. My 
local Cisco expert was able to talk me through doing it, but only on IOS 
:-( Basically you put the VPN traffic through a NAT table on both ends, 
so all the remote addresses get mapped to an alternative local range. 
You pretty much have to do it both ways (source and destination) or you 
won't get a reply.

I can think of dozens of workarounds for specific situations (e.g. if it 
was to access a limited number of hosts, dual-home the ones you need) 
but this is specifically a general solution.

I'm sure this is going to be a PITA to work out on FreeBSD, because I'm 
not that familiar with the tools. I was hoping someone had done it, but 
if I have to.... I may be gone for some time.
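Added example (not from the thread or from either poster): the "NAT table on both ends" arrangement described above, expressed as a FreeBSD pf.conf fragment for one site's gateway. It assumes FreeBSD 9-era pf syntax (translation rules evaluated before filter rules), that the VPN appears as a tunnel interface (gif0 here), that both sites really do use 192.168.1.0/24, and that the two alias ranges 10.99.1.0/24 and 10.99.2.0/24 are free at both sites. The interface and range names are assumptions for the example; the other site runs the mirror image with the two aliases swapped.

```pf
# Site A gateway, /etc/pf.conf (added example, FreeBSD 9-era pf syntax).
#
# Both sites use 192.168.1.0/24 (assumption). Site A presents itself to
# site B as 10.99.1.0/24 and addresses site B as 10.99.2.0/24. Site B
# uses the same file with local_alias and remote_alias swapped.
# Interface and range names below are assumptions for the example.

vpn_if       = "gif0"             # tunnel interface (gif, tun, ...)
local_net    = "192.168.1.0/24"   # real local range, cannot be changed
local_alias  = "10.99.1.0/24"     # what the other site sees us as
remote_alias = "10.99.2.0/24"     # what our hosts use to reach them

# One bidirectional 1:1 network mapping covers both halves at this end:
#   outbound on gif0:  src 192.168.1.x -> 10.99.1.x
#   inbound  on gif0:  dst 10.99.1.x   -> 192.168.1.x
# binat keeps the host part (bitmask), so .10 stays .10; both networks
# must have the same prefix length.
binat on $vpn_if from $local_net to $remote_alias -> $local_alias

# On this pf version filter rules see addresses after translation.
pass out on $vpn_if from $local_alias  to $remote_alias keep state
pass in  on $vpn_if from $remote_alias to $local_net    keep state
```

For this to work the rest of the site has to agree with the aliases: hosts at site A must route 10.99.2.0/24 to the gateway and the gateway must route it over gif0; the site's DNS hands out 10.99.2.x for remote hosts (the "fix it at DNS" point above); and if the tunnel is IPsec, its SPD selectors must match the alias networks, not 192.168.1.0/24, because the selector is checked on the translated packet. Check the rule set with `pfctl -nf /etc/pf.conf` before loading it, and watch `pfctl -s state` while pinging a remote alias address to confirm that both the source and destination rewrites show up.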





Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?520F53A2.80707>