<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
In that case I *think* you use the following:<br>
Site A: leftsubnet = 10.10.0.0/16, rightsubnets =
{192.168.1.0/24,172.16.0.0/24}<br>
<br>
Site B, leftsubnet = 172.16.0.0/24, rightsubnets =
{192.168.1.0/24,10.10.0.0/16}<br>
<br>
Site C 2 conns, has the reverse of the other two (or they can be the
same but then it will be "right" in its conns)<br>
<br>
If you have the chance to change subnets, also try to get C off
192.168.1.0/24. That and 192.168.0.0/24 are too common and can give
you issues if you ever want roadwarriors to connect to it. You can
also run into very hard to diagnose problems adding in other
networking kit such as routers acting as WAP's.<br>
<br>
Nick<br>
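An added example (not code from the thread or from Openswan) that checks the three site subnets for the overlap Nick describes and writes out the spoke and hub conn stanzas from his reply; the site names, the hub role of Site C and the sample prefixes are assumed from the thread.

```python
import ipaddress
from itertools import combinations

# Constructed from the thread, with Site B already moved to 172.16.0.0/24.
SITES = {
    "A": "10.10.0.0/16",
    "B": "172.16.0.0/24",
    "C": "192.168.1.0/24",  # the Openswan hub
}

def overlapping_pairs(sites):
    """Every pair of site names whose subnets overlap. An overlap breaks
    routing: the site treats the remote prefix as local and never sends it
    into the tunnel (10.0.0.0/8 swallows 10.10.0.0/16)."""
    nets = {n: ipaddress.ip_network(p) for n, p in sites.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2)
            if nets[a].overlaps(nets[b])]

def _via_hub(sites, hub, spoke):
    # Hub subnet first, then every other spoke reachable through the hub.
    return [sites[hub]] + [p for n, p in sorted(sites.items())
                           if n not in (hub, spoke)]

def spoke_conn(sites, hub, spoke):
    """Conn as written on the spoke: its own subnet is left, everything behind
    the hub is rightsubnets. Braced, space-separated list as in the Openswan
    ipsec.conf(5) leftsubnets/rightsubnets syntax (the reply above uses commas)."""
    return (f"conn {spoke}-to-{hub}\n"
            f"    leftsubnet={sites[spoke]}\n"
            f"    rightsubnets={{{' '.join(_via_hub(sites, hub, spoke))}}}\n")

def hub_conn(sites, hub, spoke):
    """The mirror image on the hub (Nick's 'reverse'): the hub is left with
    the multi-subnet list, the spoke is right. Transit traffic is decrypted
    and re-encrypted on the hub, so it exists in clear on that host."""
    return (f"conn {hub}-to-{spoke}\n"
            f"    leftsubnets={{{' '.join(_via_hub(sites, hub, spoke))}}}\n"
            f"    rightsubnet={sites[spoke]}\n")

def plan(sites, hub="C"):
    """Refuse to emit config while any subnets overlap; otherwise return the
    spoke-side and hub-side conn for every spoke."""
    clash = overlapping_pairs(sites)
    if clash:
        raise ValueError(f"overlapping subnets: {clash}")
    return {s: (spoke_conn(sites, hub, s), hub_conn(sites, hub, s))
            for s in sorted(sites) if s != hub}

if __name__ == "__main__":
    print(overlapping_pairs({"A": "10.10.0.0/16", "B": "10.0.0.0/8", "C": "192.168.1.0/24"}))
    for spoke_side, hub_side in plan(SITES).values():
        print(spoke_side + hub_side)
```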
<blockquote cite="mid:005901d17014$921a9ed0$b64fdc70$@ufl.edu"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">Thank you for
responding. Site B subnet can change as it’s not required
to be that large. For example purposes, let's now assume
Site B private subnet is 172.16.0.0/24.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Thanks!<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">
Nick Howitt [<a class="moz-txt-link-freetext" href="mailto:nick@howitts.co.uk">mailto:nick@howitts.co.uk</a>] <br>
<b>Sent:</b> Thursday, February 25, 2016 4:14 PM<br>
<b>To:</b> Leonard Wood; <a class="moz-txt-link-abbreviated" href="mailto:users@lists.openswan.org">users@lists.openswan.org</a><br>
<b>Subject:</b> Re: [Openswan Users] Cross Site
Connectivity<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt">Hmm. Generally
for VPN's subnets should not overlap at either end of the
tunnel or the routing fails. Site B has a massive subnet,
10.0.0.0 - 10.255.255.255 (16,777,216 addresses).
Unfortunately subnet A is entirely in Site B's subnet. Does
site B need such a big subnet or can site B change to another
subnet (either in the 172.16.0.0/12 range or 192.168.0.0/16
range but not 192.168.0.0/24 which is not a good subnet and
is, in any case, being used at site C).<br>
<br>
The problem you have is that site B sees 10.10.0.0/16 as local
to itself so won't route traffic to Site A down the VPN.<br>
<br>
Nick<o:p></o:p></p>
<div>
<p class="MsoNormal">On 25/02/2016 21:00, Leonard Wood wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">I have a single Openswan deployment
(2.6.38/K4.2.0-27-generic) currently connected to two
sites—Site A and Site B. Let’s call my OpenSwan deployment
Site C.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">I need to have Site A private subnet
communicate with Site B private subnet, and vice versa.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Site A Private Subnet = 10.10.0.0/16<o:p></o:p></p>
<p class="MsoNormal">Site B Private Subnet = 10.0.0.0/8<o:p></o:p></p>
<p class="MsoNormal">Site C Private Subnet = 192.168.1.0/24
(OpenSwan Deployment Subnet)<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">As of current, I can only communicate
to/from Site A from Site C and I can only communicate
to/from Site B from Site C. <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Any suggestions how to accomplish cross
site connectivity so Site A can communicate with Site B
through Site C and vice versa?<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Secondly, do you see any security
concerns with this approach? Could traffic be intercepted or
read in plaintext from my OpenSwan instance (Site C) since
it’s essentially acting as MITM?<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Many thanks in advance!<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Leo<o:p></o:p></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre><a moz-do-not-send="true" href="mailto:Users@lists.openswan.org">Users@lists.openswan.org</a><o:p></o:p></pre>
<pre><a moz-do-not-send="true" href="https://lists.openswan.org/mailman/listinfo/users">https://lists.openswan.org/mailman/listinfo/users</a><o:p></o:p></pre>
<pre>Micropayments: <a moz-do-not-send="true" href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a><o:p></o:p></pre>
<pre>Building and Integrating Virtual Private Networks with Openswan:<o:p></o:p></pre>
<pre><a moz-do-not-send="true" href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a><o:p></o:p></pre>
</blockquote>
</div>
</blockquote>
<br>
</body>
</html>