> Suppose that there are two (2) Dachstein-CD firewalls masquerading two
> (2) distinct internal networks that happen to use the same private
> subnets (e.g., 192.168.1.0/24).
>
> <http://freeswan.org/freeswan_trees/freeswan-1.91/doc/config.html> is
> pretty emphatic:
>
> ``Note, however, that the two subnets must have distinct addresses. You
> cannot have them both masqueraded to the same range of RFC 1918
> addresses.''
>
> Again, this must be a fairly common problem. As you know, we prefer
> *not* to change any network addressing . . .
>
> What to do if both networks are using same private subnet ???

You've basically got two options. You can re-number the networks, or you can try to set up an "extruded subnet" with FreeS/WAN. Both will cause some headache, but IMHO, by far the easiest solution is to simply renumber your networks.

If you're running DHCP, this is usually not much of a problem...if you're not, you should start. Especially if you're planning on connecting the two networks with a VPN and you're running MS clients, you'll want as many systems as possible using DHCP so you can set up the netbios-node type, WINS server, and other parameters required to get cross-subnet browsing working cleanly without having to configure each system manually.

If you really wish to pursue the extruded subnet option, see the FreeS/WAN docs for how to do this and some of the limitations you'll incur.

NOTE: IIRC, you have to divide the subnet into routable sections (i.e. it's not like proxy-arp...the 'master' end of the extruded subnet simply divides off a routable chunk of the subnet and sends it down the VPN), so you'll probably have to re-number your network anyway...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

_______________________________________________
Leaf-user mailing list
https://lists.sourceforge.net/lists/listinfo/leaf-user