This is a discussion on IPSEC VPN ISAKMPD Conflicting Address Ranges within the mailing.openbsd.tech forums, part of the OpenBSD category.
I really hope an IPSEC guru can enlighten me on the following..

Using:

Linux Kernel 2.6.4 using kernel level ipsec
ISAKMPD as the IKE daemon
Small office routers running on NET A & B

Topology as follows:

    Network A                                Network B
    192.168.0.0/24                           192.168.0.0/24
    ---                                      ---
    router with public IP                    router with public IP
    ---                                      ---
      |                                        |
      |                                        |
      |                                        |
      |               dA' NET                  |
      -----------------------------------------
                          |
                          |
                          |
                         ---
                  router with public IP
                         ---
                          |
                      Network C
                      10.0.0.0/25

Situation.

The router on network C is running linux kernel 2.6.4 with ipsec and ISAKMPD for IKE. This box is used as a VPN concentrator. The problem, illustrated in the diagram, is fairly apparent - both networks A and B have the same address range, and for reasons beyond my control I cannot re-number either. Both tunnels also need to be on simultaneously. I have googled till exhaustion with no return. The closest I get to an example is a double NAT solution, that doesn't really map across. I was thinking that a solution could be to translate the Network A and B subnets to unique networks, using POSTROUTING and PREROUTING iptable chains. The problem is that ipsec on 2.6 does create user level interfaces (I can't see them) so I can't use iptables to translate and then route via the ipsec interface.

2.6 seems to attach the tunnel directly to the machine, which you then bind to any local interface.

I'm all out of ideas. HELP!!!

Any comments, suggestions or alternative solutions welcome....

Thanks

Jansen
Jansen wrote:
> I really hope an IPSEC guru can enlighten me on the following..
>
> Using:
>
> Linux Kernel 2.6.4 using kernel level ipsec
> ISAKMPD as the IKE daemon
> Small office routers running on NET A & B
>
> Topology as follows:
>
>     Network A                                Network B
>     192.168.0.0/24                           192.168.0.0/24
>     ---                                      ---
>     router with public IP                    router with public IP
>     ---                                      ---
>       |                                        |
>       |                                        |
>       |                                        |
>       |               dA' NET                  |
>       -----------------------------------------
>                           |
>                           |
>                           |
>                          ---
>                   router with public IP
>                          ---
>                           |
>                       Network C
>                       10.0.0.0/25
>
> Situation.
>
> The router on network C is running linux kernel 2.6.4 with ipsec and
> ISAKMPD for IKE. This box is used as a VPN concentrator. The problem,
> illustrated in the diagram, is fairly apparent - both networks A and B
> have the same address range, and for reasons beyond my control I
> cannot re-number either. Both tunnels also need to be on
> simultaneously. I have googled till exhaustion with no return. The
> closest I get to an example is a double NAT solution, that doesn't
> really map across. I was thinking that a solution could be to
> translate the Network A and B subnets to unique networks, using
> POSTROUTING and PREROUTING iptable chains. The problem is that ipsec
> on 2.6 does create user level interfaces (I can't see them) so I can't
> use iptables to translate and then route via the ipsec interface.
>
> 2.6 seems to attach the tunnel directly to the machine, which you then
> bind to any local interface.
>
> I'm all out of ideas. HELP!!!
>
> Any comments, suggestions or alternative solutions welcome....
> Thanks
>
> Jansen

Unless netA and B are underused enough to have unique hosts on each segment, i.e. 192.168.0.51 only on netA, in which case you can assign static routes on the netC router, I believe you're going to have to NAT netA or B at the respective gateway.

Put a case together on time and maintenance to make this work; you just might make the 'reasons beyond my control' insignificant compared to the benefit.

-riddler
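To make the two replies concrete, here is an added model (not code from the thread or from any kernel) of why overlapping selectors break tunnel selection on the net C concentrator, and how the per-site 1:1 prefix NAT riddler suggests removes the ambiguity; the unique ranges 10.10.1.0/24 and 10.10.2.0/24 and the host .51 are assumed placeholder values, and the SPD lookup is a simplified emulation, not the Linux xfrm code.

```python
import ipaddress

# Constructed topology from the thread: both remote sites use 192.168.0.0/24
# and the concentrator sits on 10.0.0.0/25. The "mapped" ranges are an
# assumption of this example: one unused unique prefix per site, applied by a
# 1:1 prefix rewrite (what iptables NETMAP does) on each site's own gateway.
NET_C = ipaddress.ip_network("10.0.0.0/25")
SITES = {
    "A": {"real": ipaddress.ip_network("192.168.0.0/24"),
          "mapped": ipaddress.ip_network("10.10.1.0/24")},
    "B": {"real": ipaddress.ip_network("192.168.0.0/24"),
          "mapped": ipaddress.ip_network("10.10.2.0/24")},
}

def netmap(addr, from_net, to_net):
    """1:1 prefix rewrite: keep the host bits, swap the network prefix."""
    addr = ipaddress.ip_address(addr)
    if addr not in from_net or from_net.prefixlen != to_net.prefixlen:
        raise ValueError("address outside map or prefix lengths differ")
    host_bits = int(addr) - int(from_net.network_address)
    return ipaddress.ip_address(int(to_net.network_address) + host_bits)

def build_policies(use_netmap):
    """Remote selector per tunnel as the concentrator would see it."""
    key = "mapped" if use_netmap else "real"
    return {name: site[key] for name, site in SITES.items()}

def select_tunnel(dst, policies):
    """Emulated SPD lookup: exactly one policy must cover the destination.
    With both sites at 192.168.0.0/24 every remote host matches twice."""
    dst = ipaddress.ip_address(dst)
    matches = [name for name, remote in policies.items() if dst in remote]
    if len(matches) != 1:
        raise LookupError(f"{dst}: {len(matches)} policies match {matches}")
    return matches[0]

def tunnel_or_none(dst, use_netmap):
    """Tunnel name for a packet leaving net C, or None when ambiguous."""
    try:
        return select_tunnel(dst, build_policies(use_netmap))
    except LookupError:
        return None

def forward_from_c(dst, use_netmap):
    """Pick the tunnel, then show the address the far gateway un-maps to."""
    name = select_tunnel(dst, build_policies(use_netmap))
    site = SITES[name]
    delivered = netmap(dst, site["mapped"], site["real"]) if use_netmap \
        else ipaddress.ip_address(dst)
    return name, str(delivered)
```

Run against the raw ranges, every 192.168.0.x destination matches both tunnels; with the mapped ranges, net C hosts address site A as 10.10.1.x and site B as 10.10.2.x and each lookup is unique.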