Virtual IP Subnet for VPN



  • Hello,

    Been doing a bunch of googling and I've stumbled across this forum.

    I'm here in regards to a ServerFault question I have posted. http://serverfault.com/questions/681031/virtual-ip-pool-for-nat-with-strongswan-vpn

    Basically I'm trying to come up with a way to set up a VPN tunnel to remote sites that may potentially have the same subnet as my main site. The remote sites are unable to do any NATing on their end, so all configuration will fall on the main site.

    I've been learning about StrongSwan recently and was hoping to use that, but the more I read on this issue, the more I'm finding it may not be possible to accomplish with StrongSwan.

    I think, and please correct me if I'm wrong, the standard solution to this problem is to create a virtual subnet at my local gateway and map the remote subnet into that virtual subnet. With my current configuration I'm only able to get the remote gateway itself to map into the virtual subnet.

    Would OpenVPN be a better solution to this problem? If so, any hints in the right direction would be greatly appreciated.


  • LAYER 8 Netgate

    I was going to post that this is impossible without NAT at both ends but I was thinking about it on the way home.  Since, with OpenVPN, you really have two discrete routing tables (routes and iroutes) I thought it might be possible.  Turns out it looks like I was half right.

    Refer to the diagram in my sig.  I am able to allow Host B2 to connect to Host A2 using nothing but the OpenVPN config and 1:1 NAT on pfSense A.  Connections from Host A2 to Host B2, however, are reflected back to Host A2 (or pfSense A OPT1, actually).

    Here's what I did:

    Modified the OpenVPN server config for OVPNS1:

    IPv4 Local Network/s: 172.26.0.0/24, 192.168.100.0/24
    IPv4 Remote Network/s: 172.26.2.0/24, 192.168.101.0/24

    Then I made a client-specific override:

    Common name: pfsenseb.example.com
    Advanced: iroute 192.168.1.0 255.255.255.0

    Then I created two 1:1 NAT entries on pfSense A:

    Interface: OPT1
    External subnet IP: 192.168.101.0
    Internal IP: Network: 192.168.1.0/24

    and

    Interface: OVPNS1
    External subnet IP: 192.168.100.0
    Internal IP: OPT1 net

    Connections from Host B2 to 192.168.100.100 hit Host A2.  Host B2 appears to Host A2 as 192.168.101.100.

    Connections from Host A2 to 192.168.101.100 are reflected back to Host A2, but the source IP of the connection appears as 192.168.101.100.
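A small model of the two 1:1 NAT entries above, added here as a constructed example (not pfSense's or the poster's code). It assumes pf's order of operations, destination rewrite on ingress and source rewrite on egress, and the routing table shown; under those assumptions it reproduces both observations: B2 reaches A2 appearing as 192.168.101.100, while A2's packet to 192.168.101.100 has its destination mapped back into the local /24 and is reflected.

```python
from ipaddress import ip_address, ip_network

# Constructed model, not pfSense code. Assumes pf order of operations:
# 1:1 NAT rewrites destination on ingress and source on egress.
ROUTES = {  # assumed routing table of pfSense A
    ip_network("192.168.1.0/24"): "OPT1",      # local LAN, directly connected
    ip_network("192.168.101.0/24"): "OVPNS1",  # OpenVPN "IPv4 Remote Network"
    ip_network("172.26.2.0/24"): "OVPNS1",
}
# The two 1:1 NAT entries from the post: (interface, external, internal).
ONE_TO_ONE = [
    ("OPT1", ip_network("192.168.101.0/24"), ip_network("192.168.1.0/24")),
    ("OVPNS1", ip_network("192.168.100.0/24"), ip_network("192.168.1.0/24")),
]

def _rebase(addr, from_net, to_net):
    """Move addr into to_net, keeping its host part (all nets here are /24)."""
    return to_net.network_address + (int(addr) - int(from_net.network_address))

def route(dst):
    """Pick the egress interface for a destination address."""
    for net, iface in ROUTES.items():
        if dst in net:
            return iface
    return "WAN"

def forward(ingress, src, dst):
    """Return (egress, src, dst) after pfSense A has translated and routed."""
    src, dst = ip_address(src), ip_address(dst)
    for iface, external, internal in ONE_TO_ONE:  # ingress: destination NAT
        if iface == ingress and dst in external:
            dst = _rebase(dst, external, internal)
    egress = route(dst)
    for iface, external, internal in ONE_TO_ONE:  # egress: source NAT
        if iface == egress and src in internal:
            src = _rebase(src, internal, external)
    return egress, str(src), str(dst)

def is_reflected(ingress, src, dst):
    """True when the packet leaves on the interface it arrived on."""
    return forward(ingress, src, dst)[0] == ingress

if __name__ == "__main__":
    # B2 (192.168.1.100 at site B) -> 192.168.100.100 reaches A2 via OPT1,
    # with B2 appearing as 192.168.101.100, as the post reports.
    print(forward("OVPNS1", "192.168.1.100", "192.168.100.100"))
    # A2 (192.168.1.100 at site A) -> 192.168.101.100: the OPT1 entry maps the
    # destination back into the local /24, so the packet is reflected.
    print(forward("OPT1", "192.168.1.100", "192.168.101.100"))
```

The reflected case is the half that needs translation on the remote side as well (or a renumbered subnet): once the destination is rewritten into 192.168.1.0/24, pfSense A has no way to tell the remote hosts from its own.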



  • I don't have any experience with OpenVPN specifically, but it looks like you are able to accomplish this because you have access to the specific interfaces attached to the VPN tunnel.

    In your example diagram, is OpenVPN traffic passed over the same interface as your WAN traffic or a different one entirely?

    I would prefer to keep using IPSec as StrongSwan is free, but of course that includes the requirement that this is possible.


  • LAYER 8 Netgate

    Yes.  It's just on the WANs 172.27.0.5/9.

    Search for "OpenVPN assigned interfaces" to see what you need to do to get a pfSense interface assigned to an OpenVPN instance.  Without doing that you can't NAT on it.

    I don't think any of this is possible in pfSense on IPsec.  All the phase 2 entries put routes in the system routing tables, I think, so there's no way to distinguish two subnets that are the same.

    The best thing to do is renumber something.

