Thanks for your reply @ms
Sadly that’s not possible. The customers demand that we use their hardware. We can’t even configure the hardware, the VPN Routers come completely preconfigured. We give them an IP and a local network, they send us their hardware, we plug it in, and it works.
We’d also like to use IPFire for their IPSec, but they won’t allow that.
Yes, that is a “plan B”, but our current internet plan only provides one public IP. We are located in Germany, so no AT&T for us…
We are already in the talks to get multiple public IPs to our office, but we don’t know the details yet, so I am trying to see if we can get the VPN running using only one public IP, by separating the incoming traffic based on where it comes from.
I was trying to see if it is possible, for example, to say:
“I receive a packet from IP [CustomerXY IPSec public Gateway], so I redirect this packet to [CustomerXY Router in DMZ]”
Basically what I was trying to explain is that the customer IPSec tunnel expects a different IP than we have configured for our IPFire router. So we’d need to NAT between GREEN and the target customer network.
We use private IPs in the subnet 10.0.0.0/24 for our office.
However, the IPSec router of the customer expects IPFire to behave as if the packets are coming from an IP within 172.0.0.0/29, let’s say 172.0.0.1. Our current IPSec router, a Lancom device, allows us to configure that within the IPSec settings. In IPFire, in the IPSec settings, we need to set “local subnet” to 172.0.0.0/29, but then it seems as if a route from 10.0.0.0/24 (GREEN) ↔ 172.0.0.0/29 is missing.
Now, this “virtual” 172.0.0.0/29 isn’t even the target customer network. That would be yet another network, for example 160.0.0.0/24.
The traffic would look like this:
FROM (Green) NAT TO 172.0.0.1 ← IPSec Tunnel → (customer network) ← target machine 160.0.0.x
I am currently reading up on NETMAP to see if that’s the correct solution for our problem.
Here is a (German) thread about a similar problem; they also couldn’t get it to work: IPFire Community
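An added example (not from this post, the linked thread, or the IPFire project) of the NAT step described above: GREEN hosts in 10.0.0.0/24 that are sending to the customer network 160.0.0.0/24 are source-NATed to 172.0.0.1 before the packet enters the IPsec tunnel, using the standard iptables `policy` match so only tunnelled traffic is rewritten. Assumptions: the addresses are the example values from the post, `iptables` and its `policy` match module are available (they are on any Linux box with netfilter, IPFire included), and the rule is loaded from a local hook such as IPFire’s `/etc/sysconfig/firewall.local`; note that NETMAP keeps the host bits of the original address, so a /24 cannot be mapped one-to-one into a /29, which is why a many-to-one SNAT is shown instead.

```shell
#!/bin/sh
# Example values from the post; adjust for the real networks.
GREEN_NET="10.0.0.0/24"       # office LAN behind IPFire (GREEN)
TUNNEL_SRC="172.0.0.1"        # address the customer's IPsec gateway expects as source
CUSTOMER_NET="160.0.0.0/24"   # target network on the far side of the tunnel

# Build the rule as a string so it can be reviewed or tested before it is applied.
# -m policy --dir out --pol ipsec: only packets that will be encrypted by an
# IPsec policy are rewritten; normal GREEN -> RED traffic keeps IPFire's masquerade.
# POSTROUTING is used because the rewrite must happen after routing but before
# the packet is handed to the IPsec transform.
snat_rule() {
    printf '%s' "-t nat -A POSTROUTING -s $GREEN_NET -d $CUSTOMER_NET -m policy --dir out --pol ipsec -j SNAT --to-source $TUNNEL_SRC"
}

# Matching rule for checking the tunnel from the IPsec side: the peer should see
# traffic from TUNNEL_SRC, never from GREEN_NET, so log anything that escapes unNATed.
leak_rule() {
    printf '%s' "-t mangle -A POSTROUTING -s $GREEN_NET -d $CUSTOMER_NET -m policy --dir out --pol ipsec -j LOG --log-prefix \"IPSEC-UNNATED: \""
}

# Apply only on explicit request and only as root (e.g. from firewall.local "start").
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "must run as root to apply" >&2; return 1; }
    # shellcheck disable=SC2046
    iptables $(snat_rule)
    # shellcheck disable=SC2046
    iptables $(leak_rule)
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     echo "iptables $(snat_rule)"; echo "iptables $(leak_rule)" ;;
esac
```

Run without arguments to print the rules for review; run with `apply` as root to install them, and watch the kernel log for the `IPSEC-UNNATED:` prefix, which should stay empty if the SNAT is hit first.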