Subnet to subnet using NAT


Using NAT to resolve an subnet IP conflict

VPNs often connect networks in the RFC 1918 address space, such as 10.0.0/8. A problem arises when both ends use the same address space: one of the parties will then need to NAT their subnet to something else. For example:

Remote end uses
Local end uses

Ask the remote for a range they do not use, for example

Build a connection using these subnets:

conn vpn

then add the required iptables NAT rules. They must live in the nat table, and the first rule accepts packets that will be IPsec-processed so that existing NAT rules do not rewrite them; the second one performs the source NAT for traffic destined for the remote subnet:

iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
iptables -t nat -I POSTROUTING -s <real local subnet> -d <remote subnet> -o ethX -j SNAT --to-source <address in the NAT range>

You can also map a whole /24 to a /24 one-to-one, so that all your machines are reachable on these alternative IP addresses. This should work using another iptables rule that DNATs 192.168.0.X/24 to 10.6.6.X/24.
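As an added worked example (not Libreswan's code and not part of this page), here is a small Python planner for the procedure above: it checks the chosen NAT range for overlaps, emits the iptables commands with the `-t nat` table they need, simulates how `-I` orders them in POSTROUTING next to a pre-existing MASQUERADE rule, and translates individual addresses one-to-one for the /24-to-/24 case. The page leaves the addresses out, so the example assumes the local LAN is really 192.168.0.0/24 and is presented to the remote as 10.6.6.0/24 (the pair the last paragraph uses), and constructs a remote of 192.168.0.0/16 plus an outside interface eth0. Using the NETMAP target for the one-to-one case is my choice; the page itself only mentions DNAT.

```python
"""Plan the NAT that lets an IPsec subnet-to-subnet tunnel work when the local
subnet collides with the remote one. Added example, not Libreswan project code."""
import ipaddress
from typing import List

# Constructed sample values (assumptions, not from the page): the local LAN really is
# 192.168.0.0/24 and is shown to the remote as 10.6.6.0/24; the remote is assumed
# to use 192.168.0.0/16, which overlaps the local LAN; eth0 is the outside interface.
LOCAL_REAL = "192.168.0.0/24"
LOCAL_NAT = "10.6.6.0/24"
REMOTE = "192.168.0.0/16"
OUT_IFACE = "eth0"


def check_plan(local_real: str, local_nat: str, remote: str, one_to_one: bool = False) -> List[str]:
    """Return the problems with a proposed NAT plan; an empty list means it is usable."""
    real = ipaddress.ip_network(local_real)
    nat = ipaddress.ip_network(local_nat)
    rem = ipaddress.ip_network(remote)
    problems = []
    if not real.overlaps(rem):
        problems.append("local and remote subnets do not overlap; no NAT is needed")
    if nat.overlaps(rem):
        problems.append("NAT range overlaps the remote subnet; ask the remote for a range they do not use")
    if nat.overlaps(real):
        problems.append("NAT range overlaps the real local subnet")
    if one_to_one and nat.prefixlen != real.prefixlen:
        problems.append("one-to-one mapping needs equal prefix lengths, e.g. /24 to /24")
    return problems


def map_address(addr: str, src_net: str, dst_net: str) -> str:
    """Translate one host address 1:1 between two equally sized networks, keeping the
    host bits (this is what the NETMAP target does to each packet)."""
    src = ipaddress.ip_network(src_net)
    dst = ipaddress.ip_network(dst_net)
    host = ipaddress.ip_address(addr)
    if host not in src:
        raise ValueError(f"{addr} is not in {src_net}")
    if src.prefixlen != dst.prefixlen:
        raise ValueError("networks must be the same size for a 1:1 mapping")
    offset = int(host) - int(src.network_address)
    return str(ipaddress.ip_address(int(dst.network_address) + offset))


def nat_rules(local_real: str, local_nat: str, remote: str, iface: str, one_to_one: bool = False) -> List[str]:
    """iptables commands in the order they must be issued.

    Both POSTROUTING rules use -I, so once issued the SNAT/NETMAP rule sits first and
    the IPsec ACCEPT rule second, ahead of any pre-existing rule (e.g. a MASQUERADE
    for internet access) that must never rewrite tunnel-bound packets.
    """
    rules = ["iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT"]
    if one_to_one:
        # NETMAP keeps the host bits: 192.168.0.X <-> 10.6.6.X in both directions.
        rules.append(f"iptables -t nat -I POSTROUTING -s {local_real} -d {remote} -o {iface} -j NETMAP --to {local_nat}")
        rules.append(f"iptables -t nat -I PREROUTING -s {remote} -d {local_nat} -j NETMAP --to {local_real}")
    else:
        # Many-to-one: hide the whole LAN behind the first usable address of the NAT range.
        nat_ip = next(ipaddress.ip_network(local_nat).hosts())
        rules.append(f"iptables -t nat -I POSTROUTING -s {local_real} -d {remote} -o {iface} -j SNAT --to-source {nat_ip}")
    return rules


def simulate_chain(existing: List[str], cmds: List[str], chain: str = "POSTROUTING") -> List[str]:
    """Simulate how -I (insert at head) and -A (append) order rules in one chain,
    starting from the rule specs already present; returns specs top to bottom."""
    result = list(existing)
    for cmd in cmds:
        tok = cmd.split()
        flag = "-I" if "-I" in tok else "-A" if "-A" in tok else None
        if flag is None or tok[tok.index(flag) + 1] != chain:
            continue  # not an insert/append, or a rule for another chain
        spec = " ".join(tok[tok.index(flag) + 2:])
        if flag == "-I":
            result.insert(0, spec)
        else:
            result.append(spec)
    return result


if __name__ == "__main__":
    assert not check_plan(LOCAL_REAL, LOCAL_NAT, REMOTE)
    cmds = nat_rules(LOCAL_REAL, LOCAL_NAT, REMOTE, OUT_IFACE)
    for cmd in cmds:
        print(cmd)
    # Constructed pre-existing rule: a MASQUERADE for ordinary internet access.
    for spec in simulate_chain(["-o eth0 -j MASQUERADE"], cmds):
        print("POSTROUTING:", spec)
    print(map_address("192.168.0.42", LOCAL_REAL, LOCAL_NAT))
```

Running it prints the two commands, then the resulting POSTROUTING order (SNAT, then the IPsec ACCEPT, then the old MASQUERADE), which is the ordering that keeps the pre-existing masquerade from touching packets already bound for the tunnel. Passing `one_to_one=True` to `nat_rules` yields the NETMAP pair instead, and `map_address` shows which alternative address a given machine answers on.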