On 06/07/07 10:40, noa levy wrote:
> Well, I agree with you in principle, but it's been this way for
> years, so routing practices are in place to handle it. I'm trying to
> recreate the setup we have now, which is using commercial VPN
> gateways, with Linux-based ones, but the addressing scheme is a
> given; I have no control over it.
Ah, you have a "Double NAT scenario". What fun.
In short, you have two networks with the same subnet A.B.C.x/24 that
need to talk to each other. So, you make each network think that the
other is D.E.F.x/24. This way, either network can reach the other
network by using the D.E.F.x/24 addresses.
Traditionally, double NAT is done on two different systems because of
conflicts. However, I suspect that it could be done on one system with
multiple routing tables. I'll have to think on this as to how to
possibly make this happen. I'd need you to do some testing on your end
to let me know if it would work or not, as I don't have a test bed that
will encompass this at present.
With the traditional double NAT, you have a fake subnet that is remapped
into the local network. The routers know how to get between each other
using the fake network.
A.B.C.x/24 <router A> --- (vpn) --- <router B> A.B.C.x/24
Router A thinks that D.E.F.x/24 is available via router B.
Router B thinks that D.E.F.x/24 is available via router A.
Both router A and router B do a network map to translate any incoming
traffic destined to D.E.F.x/24 to A.B.C.x/24. Thus when any traffic
comes into either router from A.B.C.9 destined to D.E.F.3, it DNATs the
traffic down to A.B.C.3 AND SNATs the traffic up to D.E.F.9. Thus the
real receiving host will see traffic from D.E.F.9 to A.B.C.3. With the
real receiving host having what it thinks to be valid source and
destination IPs, it can communicate just like normal. When the real
receiving host replies to the real sending host, the traffic goes out to
D.E.F.9. Then the other router will see traffic coming in from A.B.C.3
to D.E.F.9 it will DNAT the traffic to be to A.B.C.9 and SNAT the
traffic to be from D.E.F.3. Notice how we now have a complete
bidirectional route between two very different subnets that share the
same subnet address space? Interesting, isn't it? Complex as it is, it
does work and is done a LOT.
See if this helps you at all.
Seeing as how your subnets were supposed to be set up identically, I'm
going to presume that servers and routers on the subnets have the same
IP addresses. Thus, you would probably be able to get away with using
the NETMAP target. I.e.
# traffic arriving over the VPN for the fake prefix: rewrite the destination to the real subnet
iptables -t nat -A PREROUTING -i $WAN -d D.E.F.0/24 -j NETMAP --to A.B.C.0/24
# same traffic leaving toward the LAN: rewrite the source so the reply goes back via the fake prefix
iptables -t nat -A POSTROUTING -o $LAN -s A.B.C.0/24 -j NETMAP --to D.E.F.0/24
This should cause the NETMAPing to happen at the remote end of the vpn
link and (hopefully) not confuse the router at the local end of the vpn
link.
Grant. . . .
P.S. I said "fun right???". :0
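Here is an added example, not from the thread or either of its authors, that models in Python the two NETMAP rules given above and walks a request and its reply through both routers, so the DNAT/SNAT story in the message (A.B.C.9 to D.E.F.3 becoming D.E.F.9 to A.B.C.3, and back) can be checked step by step. The concrete prefixes 10.1.1.0/24 (standing in for A.B.C.x/24) and 10.99.99.0/24 (for D.E.F.x/24), the host numbers, and the `snat` switch that models leaving out the POSTROUTING rule are all constructed for this example; the model is stateless and maps every packet on its own.

```python
"""Stateless model of the double-NAT (NETMAP) scheme from the mail above.

Both sites use REAL_NET (A.B.C.x/24 in the mail) and reach each other via
the overlay prefix FAKE_NET (D.E.F.x/24). Each router applies two 1:1,
host-bits-preserving maps to traffic that arrives over the VPN, which is
what the two iptables NETMAP rules in the mail do:

  PREROUTING  -i $WAN -d D.E.F.x/24  NETMAP --to A.B.C.x/24   (rewrite dst)
  POSTROUTING -o $LAN -s A.B.C.x/24  NETMAP --to D.E.F.x/24   (rewrite src)

Prefixes, host numbers and the snat switch are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass

REAL_NET = ipaddress.ip_network("10.1.1.0/24")    # stands in for A.B.C.x/24, in use at BOTH sites
FAKE_NET = ipaddress.ip_network("10.99.99.0/24")  # stands in for D.E.F.x/24, the overlay prefix


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


def ip(text):
    return ipaddress.ip_address(text)


def netmap(addr, from_net, to_net):
    """1:1 prefix swap that keeps the host bits, like `-j NETMAP --to to_net`.
    An address outside from_net is returned unchanged (the rule does not match)."""
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("NETMAP needs equal-length prefixes")
    if addr not in from_net:
        return addr
    host_bits = int(addr) - int(from_net.network_address)
    return ipaddress.ip_address(int(to_net.network_address) + host_bits)


def vpn_ingress(pkt, snat=True):
    """Translation a router applies to a packet arriving from the VPN.
    snat=False models forgetting the POSTROUTING rule."""
    dst = netmap(pkt.dst, FAKE_NET, REAL_NET)                        # PREROUTING: DNAT
    src = netmap(pkt.src, REAL_NET, FAKE_NET) if snat else pkt.src   # POSTROUTING: SNAT
    return Packet(src, dst)


def deliver(site, pkt, snat=True):
    """Route a packet just emitted by a host at `site` ("A" or "B").
    Returns (site where it lands, packet as the receiver sees it)."""
    if pkt.dst in REAL_NET:
        return site, pkt   # same subnet: delivered locally, never reaches the router
    other = "B" if site == "A" else "A"
    # The local router forwards it over the VPN untouched (neither rule
    # matches LAN-ingress traffic); the remote router translates on ingress.
    return other, vpn_ingress(pkt, snat)


def round_trip(a_host, b_host, snat=True):
    """Host a_host at site A talks to host b_host at site B through the
    overlay prefix; b_host replies to whatever source address it saw."""
    request = Packet(ip(a_host), netmap(ip(b_host), REAL_NET, FAKE_NET))
    request_site, seen_by_b = deliver("A", request, snat)
    reply = Packet(seen_by_b.dst, seen_by_b.src)        # answer to what was seen
    reply_site, seen_by_a = deliver("B", reply, snat)
    return {
        "request_lands_at_site": request_site,
        "b_sees": f"{seen_by_b.src} -> {seen_by_b.dst}",
        "reply_lands_at_site": reply_site,
        "a_sees": f"{seen_by_a.src} -> {seen_by_a.dst}",
        # The flow is usable only if the reply came back to site A, to the
        # original sender, from the address the sender originally used.
        "consistent": (reply_site == "A"
                       and seen_by_a.dst == request.src
                       and seen_by_a.src == request.dst),
    }


if __name__ == "__main__":
    for snat in (True, False):
        print(f"with POSTROUTING SNAT={snat}:", round_trip("10.1.1.9", "10.1.1.3", snat))
```

The `snat=False` run is the case worth noting: without the POSTROUTING rule the remote host sees a source address inside its own subnet and answers locally, so the reply is handed to the wrong machine at its own site and never crosses the VPN. Each router also still needs a route for the fake prefix pointing at the VPN interface, as the message says. On a real Linux router the nat table is consulted only for the first packet of a connection and conntrack undoes the translation on the reply at the router that translated the request; the addresses each end host sees are the same as in this model, but the reply packet on the VPN link is already un-translated when it leaves that router.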