Checkpoint Endpoint Security VPN with linux
Shachar Shemesh
shachar at shemesh.biz
Mon Mar 21 09:58:20 IST 2011
On 21/03/11 09:43, Baruch Siach wrote:
> Hi Shachar,
>
> On Mon, Mar 21, 2011 at 04:51:43AM +0200, Shachar Shemesh wrote:
>
>>
>> I think so.
>>
>> Instead of me trying to explain it to you, why don't you just try to
>> draw the network topology you think will solve the problem. I
>> believe that will give you the answer you are seeking.
>>
> A VPN client may do one-to-one NAT of one (or more) remote hosts, and map
> these hosts to a netmask that does not interfere with local host's routing
> table. I'm not sure whether there is such a VPN client, but it is still a
> theoretical solution to this problem.
>
> baruch
>
>
We have a remote network 10.0.0.0/22, which are actually four /24
networks, but I'm digressing.
Our computer has the IP address of 10.17.17.17/8 with a default route
set to 10.0.0.1. This is our problem.
Your proposed solution: the VPN client performs a NAT that translates
10.0.0.0/22 to 172.16.0.0/22 so that there is no conflict.
My question - what happens if the local network I'm on is not just the
local network, but a slightly more complex setup? Furthermore, what
happens if the more complex setup means that I need, as part of my LOCAL
work, to access the peer network (routable via 10.0.0.1) that is also
172.16.0.0/22? Your new routing table hides it.
Granted, local address translation solves 90% of the problem, but not
100% of it. Instead, I'll suggest that choosing (for the office space)
10.42.32.0/22 as the address resolves the problem in a much larger
percentage of the cases, with no address translation needed. The chances
that this particular block will be used by the hotel are minuscule, and
this route, being a /22, takes precedence over the /8 route used by the hotel.
Shachar
--
Shachar Shemesh
Lingnu Open Source Consulting Ltd.
http://www.lingnu.com
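The routing argument in the message above, worked through in code (an added example, not something posted to the thread): a longest-prefix-match lookup run over the hotel table (host 10.17.17.17/8, default gateway 10.0.0.1) with one tunnel route added, first for the conflicting office block 10.0.0.0/22 and then for 10.42.32.0/22. The interface names `wlan0`/`tun0` and the sample destination addresses are assumptions made for the example.

```python
"""Longest-prefix-match walk-through of the two routing tables discussed above."""
import ipaddress

# Constructed table for this example (interface names are assumptions, not
# from the thread): the laptop sits on the hotel LAN as 10.17.17.17/8.
HOTEL_ROUTES = [
    ("0.0.0.0/0", "10.0.0.1", "wlan0"),  # default route via the hotel gateway
    ("10.0.0.0/8", None, "wlan0"),        # the hotel LAN, directly connected
]


def make_routes(entries):
    """Turn (prefix, gateway, iface) strings into parsed route tuples."""
    return [(ipaddress.ip_network(net), gw, iface) for net, gw, iface in entries]


def with_vpn(office_prefix):
    """Hotel table plus one route for the office block over the tunnel (tun0)."""
    return make_routes(HOTEL_ROUTES + [(office_prefix, None, "tun0")])


def best_route(routes, dst):
    """Longest-prefix match: of all routes containing dst, return the one with
    the longest prefix. This is the rule the kernel applies, so a /22 beats
    the /8 and the /8 beats the /0 default route."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r[0].prefixlen)


def egress_iface(routes, dst):
    """Interface a packet to dst would leave on, or None if unroutable."""
    r = best_route(routes, dst)
    return None if r is None else r[2]


def gateway_captured(routes, gateway="10.0.0.1"):
    """True if the default gateway itself would be sent into the tunnel: then
    the tunnel's own transport, and every non-VPN packet, loses its next hop."""
    return egress_iface(routes, gateway) == "tun0"


if __name__ == "__main__":
    for office in ("10.0.0.0/22", "10.42.32.0/22"):
        table = with_vpn(office)
        print(f"office block {office}: gateway captured = {gateway_captured(table)}")
        for dst in ("10.0.0.1", "10.17.17.1", "10.42.33.5", "8.8.8.8"):
            r = best_route(table, dst)
            print(f"  {dst:12} -> {str(r[0]):14} via {r[1] or 'link'} dev {r[2]}")
```

With 10.0.0.0/22 as the office block, the lookup for 10.0.0.1 lands on the tunnel, which is exactly the conflict described in the message; with 10.42.32.0/22 the gateway and the rest of the hotel /8 stay on `wlan0` while only the office block goes to `tun0`, with no translation involved.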