SNAT DNAT (duplicate subnets)


(OP)
I have spun my wheels all I can on this, and I really need some help.  I am not even going to bother typing where I am, because I think I am so lost it is not even funny.

Here is what I have...

10.1.0.0/16
10.188.136.0/22

Both are internal vlans that are routable to each other.  My Linux box sits on 10.1.20.27 and its route to get to the 10.188.136.0 is 10.1.22.39.

I need to build a VPN tunnel to a remote network.  I have this part working.  Problem is, we have overlapping address schemes.  So they have assigned me to use 172.30.6.32/29 via NAT, more specifically I am going to use 172.30.6.33 for my side.  The server I am trying to connect them to is 10.188.136.160.  The destination that this machine has to be able to send to is 10.1.123.240, on their network.  (this address is a usable address on my network, hence the second need for NAT)

So what I need to be able to do is this...

Be able to send data from 10.188.136.160 to the remote 10.1.123.240.  10.188.136.160 default routes to 10.188.136.1, which routes to 10.1.20.27 (my Linux box which already has the tunnel up and running)

Can someone please guide me through this.  I have read every scrap of material I can get my eyes on, but I am just not understanding something.

RE: SNAT DNAT (duplicate subnets)

In order to give you a more detailed reply, I will need to more fully read through the IP maze you describe.  However, at first glance, the conflicting address ranges sound like a real problem and can keep you from being able to connect.

Remember, that addresses in the 10. range will not default to a public route, so you will need to join them via a VPN tunnel.  Having established a tunnel, your routing table needs to be configured with the device (your VPN device) that knows how to route traffic there.  

I think you have a problem where the address range is designated as belonging to multiple adapters with different routing domains: one local, one virtual.  As a result, traffic will get lost as there is no way to distinguish whether it should go to the VPN or to the local LAN.

 

RE: SNAT DNAT (duplicate subnets)

(OP)
I probably could have done a better job to explain all of this.  I was in a bit of a hurry to explain all of this.

Firewall address - 10.1.20.27
Local LANs - 10.1.0.0/16 & 10.188.136.0/22

Current VPN tunnel is established to remote network.
Tunnel - Local 172.30.6.33/32 ---> Remote 10.1.123.240/32

As you can see, they have assigned me to NAT my address.  I have already built my tunnel and it is up and connected.  Obviously no data is passing because of all of the addressing concerns.

Best I can tell, I need to build a dummy interface on the firewall using the address scheme 172.30.6.33.  This would make the address a valid address, making it visible to the remote network over the tunnel, right?  They actually gave me an entire range, 172.30.6.32/29, so if I need extras to build a default route, I can do that as well.

Assuming what I am thinking is correct about the dummy interface, my next thought would be to use iptables DNAT and SNAT to redirect the source address and destination addresses to and from the remote network using the 172.30.6.32 address from the firewall.

Basically telling iptables to take anything from the remote 10.1.123.240/32 and readdress the source address to 172.30.6.33 and send it to the destination on the network, 10.188.136.160.

Next I would have to build another SNAT/DNAT to accept connections on the firewall address 172.30.6.33 from my internal host 10.188.136.160.  iptables would have to readdress the source address as 172.30.6.32 and readdress the destination address as 10.1.123.240 over the IPSec tunnel.

I realize I would probably have to build a route on the firewall for the 10.1.123.240/32 because the firewall would get confused and think that the address is on the local LAN.  How would I do that as well?  I have the interface ipsec0, so I am assuming I would just build the route for 10.1.123.240/32 dest to dev interface ipsec0?

Thanks for any and all help.  I am very comfortable with tunnels and routing, but this whole DNAT and SNAT with duplicate networks is just a little over my head.  I am anxious to learn though, and think this is extremely interesting to build and learn from.

Ken

 

RE: SNAT DNAT (duplicate subnets)

(OP)
bump

RE: SNAT DNAT (duplicate subnets)

(OP)
I was able to resolve the issue.  Here are the lines of code I used to accomplish this, and allow me to establish a VPN connection to a remote site that used a duplicate address scheme/range.

This line is to create a new adapter, or new interface.  I am using the lo, which is the loopback adapter.  I used my own made up address, but feel free to use your own.

CODE

ifconfig lo:1 172.30.6.33 netmask 255.255.255.255

CODE

iptables -t nat -A PREROUTING -d 172.30.6.33/32 -p tcp --dport 7050 -j DNAT --to <Remote IP Address>

CODE

iptables -t nat -A POSTROUTING -d <Remote IP Address> -s <Internal IP Address sending data> -p tcp --dport 7050 -j SNAT --to 172.30.6.33

After creating these rules, I just built a tunnel in OpenSWAN.  The local subnet was 172.30.6.33/32 and the remote subnet was <Remote IP Address>/32.  As you can see, I set this up for port 7050, but you can use your own port, or I believe you can use a range by specifying 7050-7060...

I hope this helps someone, as I was desperate for a solution, and I couldn't find anyone that has posted any documentation on how to do this.  I read documentation on OpenSwan and FreeSwan and they both specified that you had to have separately numbered networks, and they could not have an overlap in IP address ranges.  Example, both using 192.168.1.0/255.255.255.0.  By using this technique, I was able to do just that, and to them, I appeared as a completely different address.  To me, they appeared as this bogus address as well, making it very nice.

The best part is, I feel more secure than just a wide open tunnel.  Before I would have just had a wide open tunnel to that internal IP address.  But now I am using SNAT and DNAT and am only forwarding packets that are the right ports.  All other traffic will be dropped at the VPN server.

If this does help, please mark it at the bottom!

Good luck!
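To make the two translations above concrete, here is an added example (not the poster's code) that models the firewall's nat table: the PREROUTING DNAT, the POSTROUTING SNAT, the /32 tunnel selectors, and a conntrack-style table that reverses both rewrites on the reply. Addresses and the port are the ones from this thread (10.1.123.240 stands in for the placeholder "Remote IP Address"); the source ports are constructed values.

```python
# Added example, not the poster's code: a small model of how the two iptables
# rules rewrite a packet, and how conntrack un-NATs the reply.  Addresses and
# port come from the thread; source ports below are constructed.
from dataclasses import dataclass, replace

ALIAS = "172.30.6.33"        # lo:1 alias the firewall presents to the remote side
REMOTE = "10.1.123.240"      # remote host behind the tunnel (overlaps our 10.1.0.0/16)
INTERNAL = "10.188.136.160"  # our host that must reach REMOTE
PORT = 7050                  # the one TCP port the rules translate

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    sport: int
    dport: int

def prerouting(p: Pkt) -> Pkt:
    """-t nat -A PREROUTING -d ALIAS -p tcp --dport PORT -j DNAT --to REMOTE"""
    if p.dst == ALIAS and p.dport == PORT:
        return replace(p, dst=REMOTE)
    return p

def postrouting(p: Pkt) -> Pkt:
    """-t nat -A POSTROUTING -d REMOTE -s INTERNAL -p tcp --dport PORT -j SNAT --to ALIAS"""
    if p.dst == REMOTE and p.src == INTERNAL and p.dport == PORT:
        return replace(p, src=ALIAS)
    return p

def tunnel_selects(p: Pkt) -> bool:
    """IPsec policy for local ALIAS/32 <-> remote REMOTE/32: only this pair enters the tunnel."""
    return p.src == ALIAS and p.dst == REMOTE

class Firewall:
    def __init__(self) -> None:
        self.conntrack: dict = {}   # expected reply 4-tuple -> original (pre-NAT) packet

    def outbound(self, p: Pkt):
        """Packet from the LAN: DNAT in PREROUTING, routing, SNAT in POSTROUTING."""
        q = postrouting(prerouting(p))
        if q != p:  # only translated flows need an entry to reverse later
            self.conntrack[(q.dst, q.dport, q.src, q.sport)] = p
        return q, tunnel_selects(q)

    def reply(self, r: Pkt):
        """Reply arriving from the tunnel: reverse both translations via the conntrack entry."""
        orig = self.conntrack.get((r.src, r.sport, r.dst, r.dport))
        if orig is None:
            return None  # no matching flow, so nothing is un-NATed
        return Pkt(src=orig.dst, dst=orig.src, sport=orig.dport, dport=orig.sport)
```

A packet from the internal host to 172.30.6.33:7050 leaves as 172.30.6.33 -> 10.1.123.240 and matches the tunnel selectors; anything else to the alias is left untranslated and never matches them, which is the port restriction the post describes.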

RE: SNAT DNAT (duplicate subnets)

I am giving you a star, both for posting the solution you discovered and for the creativity of your solution.  Creating an alias loop back interface and then creating a NAT bridge on it - really good thinking!