<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Site A needs 1 conn to C<br>
Site B needs 1 conn to C<br>
Therefore it follows that Site C needs 2 conns, A to C and B to C.<br>
<br>
Remember I only said I *think*. It would be a lot easier if you
connected A to B directly.<br>
<br>
An alternative way (or perhaps the way) of doing it is here:
<a class="moz-txt-link-freetext" href="https://libreswan.org/wiki/Subnet_extrusion">https://libreswan.org/wiki/Subnet_extrusion</a><br>
<br>
Nick<br>
<br>
<div class="moz-cite-prefix">On 26/02/2016 19:30, Leonard Wood
wrote:<br>
</div>
<blockquote cite="mid:008b01d170cc$2ba3cf10$82eb6d30$@ufl.edu"
type="cite">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 14 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
{font-family:"Times New Roman \, serif";
panose-1:0 0 0 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";
color:black;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;
color:black;}
span.EmailStyle19
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle20
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle21
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";
color:black;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">Thanks Nick.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">I will work on
adjusting the subnets per your advice.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">One item of
clarification, are you suggesting that I need a 3<sup>rd</sup>
conn entry in the ipsec.conf for Site C?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">conn SiteA<o:p></o:p></span></p>
<p class="MsoNormal">leftsubnet = 10.10.0.0/16, rightsubnets =
{192.168.1.0/24,172.16.0.0/24}<span style="color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">conn SiteB<o:p></o:p></span></p>
<p class="MsoNormal">leftsubnet = 172.16.0.0/24, rightsubnets =
{192.168.1.0/24,10.10.0.0/16}<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">conn SiteC<o:p></o:p></p>
<p class="MsoNormal">??<span style="color:#1F497D"><o:p></o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">
Nick Howitt [<a class="moz-txt-link-freetext" href="mailto:nick@howitts.co.uk">mailto:nick@howitts.co.uk</a>] <br>
<b>Sent:</b> Thursday, February 25, 2016 5:11 PM<br>
<b>To:</b> Leonard Wood; <a class="moz-txt-link-abbreviated" href="mailto:users@lists.openswan.org">users@lists.openswan.org</a><br>
<b>Subject:</b> Re: [Openswan Users] Cross Site
Connectivity<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">In that case I *think* you use the the
following:<br>
Site A: leftsubnet = 10.10.0.0/16, rightsubnets =
{192.168.1.0/24,172.16.0.0/24}<br>
<br>
Site B, leftsubnet = 172.16.0.0/24, rightsubnets =
{192.168.1.0/24,10.10.0.0/16}<br>
<br>
Site C 2 conns, has the reverse of the other two (or they can
be the same but then it will be "right" in its conns)<br>
<br>
If you have the chance to change subnets, also try to get C
off 192.168.1.0/24. That and 192.168.0.0/24 are too common and
can give you issues if you ever want roadwarriors to connect
to it. You can also run into very hard to diagnose problems
adding in other networking kit such as routers acting as
WAP's.<br>
<br>
Nick<br>
<br>
<o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">Thank you for
responding. Site B subnet can change as it’s not required
to be that large. For example purposes, lets now assume
Site B private subnet is 172.16.0.0/24.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">Thanks!</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">
Nick Howitt [<a moz-do-not-send="true"
href="mailto:nick@howitts.co.uk">mailto:nick@howitts.co.uk</a>]
<br>
<b>Sent:</b> Thursday, February 25, 2016 4:14 PM<br>
<b>To:</b> Leonard Wood; <a moz-do-not-send="true"
href="mailto:users@lists.openswan.org">users@lists.openswan.org</a><br>
<b>Subject:</b> Re: [Openswan Users] Cross Site
Connectivity</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt">Hmm. Generally
for VPN's subnets should not overlap at either end of the
tunnel or the routing fails. Site B has a massive subnet,
10.0.0.0 - 10.255.255.255 (16,777,216 addresses).
Unfortunately subnet A is entirely in Site B's subnet. Does
site B need such a big subnet or can site B change to another
subnet (either in the 172.16.0.0/12 range or 192.168.0.0/16
range but not 192.168.0.0/24 which is not a good subnet and
is, in any case, being used at site C).<br>
<br>
The problem you have is that site B sees 10.10.0.0/16 as local
to itself so won't route traffic to Site A down the VPN.<br>
<br>
Nick<o:p></o:p></p>
<div>
<p class="MsoNormal">On 25/02/2016 21:00, Leonard Wood wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">I have a single Openswan deployment
(2.6.38/K4.2.0-27-generic) currently connected to two
sites—Site A and Site B. Let’s call my OpenSwan deployment
Site C.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">I need to have Site A private subnet
communicate with Site B private subnet, and vice versa.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Site A Private Subnet = 10.10.0.0/16<o:p></o:p></p>
<p class="MsoNormal">Site B Private Subnet = 10.0.0.0/8<o:p></o:p></p>
<p class="MsoNormal">Site C Private Subnet = 192.168.1.0/24
(OpenSwan Deployment Subnet)<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">As of current, I can only communicate
to/from Site A from Site C and I can only communicate
to/from Site B from Site C. <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Any suggestions how to accomplish cross
site connectivity so Site A and communicate with Site B
through Site C and vice versa?<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Secondly, do you see any security
concerns with this approach? Could traffic be intercepted or
read in plaintext from my OpenSwan instance (Site C) since
it’s essentially acting as MITM?<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Many thanks in advance!<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Leo<o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New Roman
, serif","serif""><br>
<br>
<br>
<br>
</span><o:p></o:p></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre><a moz-do-not-send="true" href="mailto:Users@lists.openswan.org">Users@lists.openswan.org</a><o:p></o:p></pre>
<pre><a moz-do-not-send="true" href="https://lists.openswan.org/mailman/listinfo/users">https://lists.openswan.org/mailman/listinfo/users</a><o:p></o:p></pre>
<pre>Micropayments: <a moz-do-not-send="true" href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a><o:p></o:p></pre>
<pre>Building and Integrating Virtual Private Networks with Openswan:<o:p></o:p></pre>
<pre><a moz-do-not-send="true" href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a><o:p></o:p></pre>
</blockquote>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New Roman ,
serif","serif""> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New
Roman","serif""><o:p> </o:p></span></p>
</div>
</blockquote>
<br>
</body>
</html>