Dear Shorewall list,

I need to connect a firewall to various remote sites (VPNs) at the same time, but I do not have control of any of the remote subnets and/or the given IP address: the firewall is just a client in all of the VPNs. So, as I see it, the remote subnets (mostly RFC 1918) are doomed to get into conflict when they happen to be connected at the same time. For example:

interface  ip           remote network
ppp0       192.168.1.2  192.168.1.0/24
ppp1       192.168.1.3  192.168.1.0/24

(or even worse, when the firewall would have gotten the same IP twice)

I am wondering whether I can tackle this by NETMAPping the different subnets to something that I do control, distinguishing the traffic using rules that contain the different interfaces. But then again, does that help? Isn't the real problem in the fact that the firewall might have the same IP address twice on different interfaces?

I fail to see if this can be done somehow. Any help is greatly appreciated...

Thanks,
--
- Pieter
Pieter Ennes wrote:
>
> I fail to see if this can be done somehow. Any help is greatly
> appreciated...
>

Pieter,

I don't see how anything useful can be accomplished in this environment. With all of these VPNs with possibly duplicate addresses, it would seem that connections cannot be made OUT of any of these VPN links (how do you select which one and what host to connect to?). But if your network is providing a service (so that the remote clients connect to your service) then why are they the VPN servers?

This whole arrangement doesn't make sense to me.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Hi Tom, thanks for replying,

On Sat, 2005-02-26 at 12:31 -0800, Tom Eastep wrote:
> Pieter,
>
> I don't see how anything useful can be accomplished in this environment.
> With all of these VPNs with possibly duplicate addresses, it would seem
> that connections cannot be made OUT of any of these VPN links (how do
> you select which one and what host to connect to?). But if your network
> is providing a service (so that the remote clients connect to your
> service) then why are they the VPN servers?
>
> This whole arrangement doesn't make sense to me.

Well, we are in the service checking business, and now and then we want to be able to check *inside* a client's network using their existing (roadwarrior) VPN setup. Most of the time, this would make our server a client to their VPN though, not leaving many degrees of freedom for us unfortunately.

Cheers,
--
- Pieter
Pieter Ennes wrote:
>
> Well, we are in the service checking business, and now and then we want
> to be able to check *inside* a client's network using their existing
> (roadwarrior) VPN setup. Most of the time, this would make our server a
> client to their VPN though, not leaving many degrees of freedom for us
> unfortunately.
>

Is it not feasible to use multiple boxes for this checking with each box only connected to a single remote client at a time?

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Hi again,

On Sat, 2005-02-26 at 12:44 -0800, Tom Eastep wrote:
> Pieter Ennes wrote:
> >
> > Well, we are in the service checking business, and now and then we want
> > to be able to check *inside* a client's network using their existing
> > (roadwarrior) VPN setup. Most of the time, this would make our server a
> > client to their VPN though, not leaving many degrees of freedom for us
> > unfortunately.
> >
>
> Is it not feasible to use multiple boxes for this checking with each box
> only connected to a single remote client at a time?

Yes, I think a FIFO queue with some locking may be able to help us out as well. Just one at a time on a box...

Once again, thanks for your support Tom.

Bye,
--
- Pieter
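The "FIFO queue with some locking, one at a time on a box" arrangement that the thread ends on, as an added example; this is not code from the list, from Pieter, or from the Shorewall project. It assumes a single worker process per checking box, a plain-text queue file, and three hypothetical site-specific hooks (vpn_up, vpn_down, run_checks) that stand in for whatever roadwarrior client each customer hands out. The point is that only one remote VPN, and therefore only one overlapping 192.168.x.0/24, is ever routed on the box at a time, and that the tunnel is always torn down before the next client is brought up.

```shell
#!/bin/sh
# One-VPN-at-a-time service checker (added example, not from the thread).
# Queue: one client name per line, oldest first.  Mutex: an atomically
# created directory, so two workers on one box can never hold it at once.
QUEUE="${QUEUE:-/tmp/vpncheck.queue}"
LOCKDIR="${LOCKDIR:-/tmp/vpncheck.lock}"

# Hypothetical hooks: replace with the real VPN client / check commands.
vpn_up()     { echo "vpn up:   $1"; }
vpn_down()   { echo "vpn down: $1"; }
run_checks() { echo "checking: $1"; }

# mkdir(2) is atomic on POSIX: it either creates the lock dir or fails.
lock()    { while ! mkdir "$LOCKDIR" 2>/dev/null; do sleep 1; done; }
trylock() { mkdir "$LOCKDIR" 2>/dev/null; }
unlock()  { rmdir "$LOCKDIR"; }

# Any number of producers may append; short O_APPEND writes do not interleave.
enqueue() { printf '%s\n' "$1" >> "$QUEUE"; }

# Print and remove the oldest entry; returns 1 when the queue is empty.
dequeue() {
  [ -s "$QUEUE" ] || return 1
  head -n 1 "$QUEUE"
  tail -n +2 "$QUEUE" > "$QUEUE.tmp" && mv "$QUEUE.tmp" "$QUEUE"
}

# Run one client's checks while holding the mutex.  The tunnel is torn down
# even when the checks fail, so the next client never inherits its routes.
check_one() {
  client=$1
  lock
  if ! vpn_up "$client"; then
    unlock
    return 1
  fi
  run_checks "$client"; rc=$?
  vpn_down "$client"
  unlock
  return $rc
}

# Single worker: drain the queue strictly in FIFO order.
drain() {
  while client=$(dequeue); do
    check_one "$client"
  done
}
```

Run it as `enqueue customerA; enqueue customerB; drain`. Because one worker owns the queue, dequeue needs no lock of its own; the mutex only guards the VPN session. A crashed worker leaves the lock directory behind, so a real deployment would record the holder's PID inside it and clear it on boot.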