Re: [Leaf-user] ipsec gateways same private networks ???

2001-12-31 Thread Charles Steinkuehler

 Suppose that there are two (2) Dachstein-CD firewalls masquerading two
 (2) distinct internal networks that happen to use the same private
 subnets (e.g., 192.168.1.0/24).

 http://freeswan.org/freeswan_trees/freeswan-1.91/doc/config.html is
 pretty emphatic:

 ``Note, however, that the two subnets must have distinct addresses. You
 cannot have them both masqueraded to the same range of RFC 1918
 addresses.''

 Again, this must be a fairly common problem.  As you know, we prefer
 *not* to change any network addressing . . .

 What to do if both networks are using same private subnet ???

You've basically got two options.  You can re-number the networks, or you
can try to set up an extruded subnet with FreeS/WAN.

Both will cause some headache, but IMHO, by far the easiest solution is to
simply renumber your networks.  If you're running DHCP, this is usually not
much of a problem...if you're not, you should start.  Especially if you're
planning on connecting the two networks with a VPN and you're running MS
clients, you'll want as many systems as possible using DHCP so you can set up
the netbios-node type, WINS server, and other parameters required to get
cross-subnet browsing working cleanly without having to configure each
system manually.

If you really wish to pursue the extruded subnet option, see the FreeS/WAN
docs for how to do this and some of the limitations you'll incur.  NOTE:
IIRC, you have to divide the subnet into routable sections (ie it's not like
proxy-arp...the 'master' end of the extruded subnet simply divides off a
routable chunk of the subnet and sends it down the VPN), so you'll probably
have to re-number your network anyway...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)



___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user



Re: [Leaf-user] ipsec gateways same private networks ???

2001-12-31 Thread dgilleece

On the topic of re-numbering networks:

I have recently installed DachCD, and noticed the comments in network.conf for 
eth1 specify DO NOT CHANGE.  I assume this is due to some hard-coded 
instances of this explicit IP, rather than a variable.  I noticed in the weblet 
config, 192.168.1.254 is given explicitly.

Where might I find a resource listing all script reconfigs necessary to
re-number the private network?  I tried a search through the LEAF archives, but
couldn't find anything that nailed it.  I am also looking at an IPSec tunnel 
between two sites, and I'd like to have a clean from scratch start on it.


Thanks,

Dan




Re: [Leaf-user] ipsec gateways same private networks ???

2001-12-31 Thread Charles Steinkuehler

 On the topic of re-numbering networks:

 I have recently installed DachCD, and noticed the comments in network.conf
 for eth1 specify DO NOT CHANGE.  I assume this is due to some hard-coded
 instances of this explicit IP, rather than a variable.  I noticed in the
 weblet config, 192.168.1.254 is given explicitly.

 Where might I find a resource listing all script reconfigs necessary to
 re-number the private network?  I tried a search through the LEAF archives,
 but couldn't find anything that nailed it.  I am also looking at an IPSec
 tunnel between two sites, and I'd like to have a clean from scratch start
 on it.

There's no complete list...perhaps you could take notes and start one?  Off
the top of my head, you will need to edit/re-configure the following
files/services if you change the internal network settings:

- /etc/network.conf
- /etc/hosts.allow
- weblet
- dhcpd
- dnscache

There may be others...if you could take notes on exactly what files/settings
require changing, I'll add it to the documentation.

Thanks, and good luck!

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
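
Added example, not part of the original post and not LEAF's own scripts: a shell scan that lists every config line still hard-coding the old LAN prefix, one way to build the file list discussed above before renumbering. The function names and the sample file contents are constructed for illustration, and /etc as the scan root is an assumption.

```sh
#!/bin/sh
# Added example: find config lines that still hard-code the old LAN prefix
# before renumbering (e.g. 192.168.1.0/24 -> 192.168.2.0/24).

# find_hardcoded ROOT OLD_PREFIX
#   ROOT        tree to scan (assumed to be /etc on the router)
#   OLD_PREFIX  first three octets of the old /24, e.g. 192.168.1
# Prints sorted "file:line:text" for every line that mentions the prefix.
find_hardcoded() {
    # Escape the dots so they match literally.
    pat=$(printf '%s' "$2" | sed 's/\./\\./g')
    # Left guard: no digit or dot before the prefix (rejects 10.192.168.1).
    # Right guard: no digit after it, so 192.168.10.x is NOT reported, while
    # 192.168.1.254, 192.168.1.0/24 and the hosts.allow form "192.168.1."
    # all are.
    find "$1" -type f -exec \
        grep -nE "(^|[^0-9.])${pat}([^0-9]|\$)" /dev/null {} + 2>/dev/null | sort
}

# files_to_edit ROOT OLD_PREFIX: just the file names, one per line.
files_to_edit() {
    find_hardcoded "$1" "$2" | cut -d: -f1 | sort -u
}

# make_sample DIR: constructed stand-ins for files named in the thread.
# Contents are invented for this demo, not copied from Dachstein.
make_sample() {
    mkdir -p "$1/dhcpd"
    printf 'LAN_IP=192.168.1.254\nLAN_NET=192.168.1.0/24\n' > "$1/network.conf"
    printf 'ALL: 192.168.1.\nsshd: 192.168.10.7\n' > "$1/hosts.allow"
    printf 'subnet 192.168.1.0 netmask 255.255.255.0 {\n' > "$1/dhcpd/dhcpd.conf"
    printf '  range 192.168.1.1 192.168.1.199;\n}\n' >> "$1/dhcpd/dhcpd.conf"
    printf 'listen=127.0.0.1\n' > "$1/unrelated.conf"
}

# Usage: sh scan.sh /etc 192.168.1
if [ $# -eq 2 ]; then
    find_hardcoded "$1" "$2"
fi
```

Running the scan again after the edits should print nothing for the old prefix; any remaining line is a listener or access rule still bound to the old subnet.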






Re: [Leaf-user] ipsec gateways same private networks ???

2001-12-31 Thread dgilleece

Charles,

I will poke around in the places you mentioned, and document what I find.  I 
also caught part of a November thread in which there was talk of formalizing 
some beginner-level doc for the CD distro --- did that ever come about? If not, 
I could be talked into it --- I'm an infinitely qualified beginner :)  

That kind of stuff helps cement my own knowledge, and if the doc helps people, 
it's icing on the cake.  If someone has already done it, I won't try to 
reinvent, though...

Dan




Re: [Leaf-user] ipsec gateways same private networks ???

2001-12-31 Thread Charles Steinkuehler

 I will poke around in the places you mentioned, and document what I find.
 I also caught part of a November thread in which there was talk of
 formalizing some beginner-level doc for the CD distro --- did that ever
 come about? If not, I could be talked into it --- I'm an infinitely
 qualified beginner :)

 That kind of stuff helps cement my own knowledge, and if the doc helps
 people, it's icing on the cake.  If someone has already done it, I won't
 try to reinvent, though...

I haven't done any work on documentation since then.  I'm sure any comments
you could make or jot down would be welcome and help future users.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)






[Leaf-user] ipsec gateways same private networks ???

2001-12-29 Thread Michael D. Schleif


This must be a common problem ;

Suppose that there are two (2) Dachstein-CD firewalls masquerading two
(2) distinct internal networks that happen to use the same private
subnets (e.g., 192.168.1.0/24).

http://freeswan.org/freeswan_trees/freeswan-1.91/doc/config.html is
pretty emphatic:

``Note, however, that the two subnets must have distinct addresses. You
cannot have them both masqueraded to the same range of RFC 1918
addresses.''

Again, this must be a fairly common problem.  As you know, we prefer
*not* to change any network addressing . . .

What to do if both networks are using same private subnet ???

What do you think?

-- 

Best Regards,

mds
mds resource
888.250.3987

Dare to fix things before they break . . .

Our capacity for understanding is inversely proportional to how much we
think we know.  The more I know, the more I know I don't know . . .




Re: [Leaf-user] ipsec gateways same private networks ???

2001-12-29 Thread Jeff Newmiller

On Sat, 29 Dec 2001, Michael D. Schleif wrote:

 
 This must be a common problem ;
 
 Suppose that there are two (2) Dachstein-CD firewalls masquerading two
 (2) distinct internal networks that happen to use the same private
 subnets (e.g., 192.168.1.0/24).
 
 http://freeswan.org/freeswan_trees/freeswan-1.91/doc/config.html is
 pretty emphatic:
 
 ``Note, however, that the two subnets must have distinct addresses. You
 cannot have them both masqueraded to the same range of RFC 1918
 addresses.''
 
 Again, this must be a fairly common problem.  As you know, we prefer
 *not* to change any network addressing . . .

Sometimes you don't get what you want.

 What to do if both networks are using same private subnet ???

Don't link them.

 What do you think?

I think you are about to touch the back of your heels with the back of
your head.  Stop before you hurt yourself. :)

I also think changing one of the networks is easier than changing both of
them.

---
Jeff Newmiller                        The     .   .  Go Live...
DCN:[EMAIL PROTECTED]                 Basics: ##.#.   ##.#.  Live Go...
                                      Live:   OO#.. Dead: OO#..  Playing
Research Engineer (Solar/Batteries            O.O#.   #.O#.  with
/Software/Embedded Controllers)               .OO#.   .OO#.  rocks...2k
---





Re: [Leaf-user] ipsec gateways same private networks ???

2001-12-29 Thread Simon Bolduc

I ran into this problem - it was a pretty easy change - I changed my subnet 
to 192.168.2.0/24 and altered all programs that specify a listen on IP as 
192.168.1.254 and everything was good.  Now I have a VPN between two 
dachstein routers (yaay).   This is actually one of the very cool things 
about Dachstein/LEAF, because AFAIK most linksys type routers are kind of 
hard coded with the ip block

S

