<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='color:#1F497D'>Hi Daniel,<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Thanks for responding. I have not received any replies yet. After researching this extensively, I suspect my issue may be a result of using the netkey protocol (default) vs klips. I don’t think netkey has the ability to route traffic between two local subnets. I can run tcpdump on the local openswan (hub) instance and see ICMP packets coming in from the Spokes.<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>My thinking is because the entire payload and header are encrypted, and without some mechanism (i.e., klips) to decipher it, the datagram doesn’t know where to go once it reaches Openswan (Hub).<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>But I could be wrong.<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Thanks,<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Leonard<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Daniel Cave [mailto:dan.cave@me.com] <br><b>Sent:</b> Monday, March 07, 2016 12:47 PM<br><b>To:</b> Leonard Wood<br><b>Cc:</b> users@lists.openswan.org<br><b>Subject:</b> Re: [Openswan Users] Hub-Spoke 
Configuration<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal><br>Hello Leonard <o:p></o:p></p></div><div id=AppleMailSignature><p class=MsoNormal><o:p> </o:p></p></div><div id=AppleMailSignature><p class=MsoNormal>Did you get any replies to this? <o:p></o:p></p></div><div id=AppleMailSignature><p class=MsoNormal><o:p> </o:p></p></div><div id=AppleMailSignature><p class=MsoNormal>I suspect you may be experiencing firewall/security group/rules issues. <o:p></o:p></p></div><div id=AppleMailSignature><p class=MsoNormal><o:p> </o:p></p></div><div id=AppleMailSignature><p class=MsoNormal>Have you tried establishing hub to spoke end connectivity on each side and end to end testing by connecting using netcat? <o:p></o:p></p></div><div id=AppleMailSignature><p class=MsoNormal><br>Sent from my iPhone<o:p></o:p></p></div><div><p class=MsoNormal style='margin-bottom:12.0pt'><br>On 2 Mar 2016, at 20:00, Leonard Wood &lt;<a href="mailto:leonardw@ufl.edu">leonardw@ufl.edu</a>&gt; wrote:<o:p></o:p></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal>Does anyone have any documentation on setting up a ‘hub and spoke’ configuration using Openswan?<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>I have a scenario where I am connecting both Azure and AWS to a single Openswan instance using each prospective provider’s VPN gateway. The tunnels come up and everything is fine with one exception. Resources deployed in Azure cannot communicate with resources deployed in AWS, and vice versa. Both can communicate with the Openswan instance, however. 
The route tables are correctly set up in AWS and Azure, so I am convinced it’s my configuration.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>I have two connection entries in the ipsec.conf.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>(Spoke1) Azure = 172.16.0.0/23<o:p></o:p></p><p class=MsoNormal>(Spoke2) AWS = 10.10.10.0/23<o:p></o:p></p><p class=MsoNormal>Hub Network = Openswan = 192.168.1.0/24<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>I am also using netkey for the protocol.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>Any help with getting nodes in spoke 1 to communicate with nodes in spoke 2 would be greatly appreciated!<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p></div></blockquote><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'>_______________________________________________<br><a href="mailto:Users@lists.openswan.org">Users@lists.openswan.org</a><br><a href="https://lists.openswan.org/mailman/listinfo/users">https://lists.openswan.org/mailman/listinfo/users</a><br>Micropayments: <a href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a><br>Building and Integrating Virtual Private Networks with Openswan:<br><a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a><o:p></o:p></span></p></div></blockquote></div></body></html>
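With NETKEY the hub forwards spoke-to-spoke traffic only if its kernel IPsec policy table (what `ip xfrm policy` shows) contains selectors for the spoke pair itself, not just for hub-to-spoke; a hub whose two conns carry only the hub subnet will decapsulate the Azure packets Leonard sees in tcpdump and then have no policy to carry them on to AWS. As an added example that is not part of the thread, this Python script parses a constructed `ip xfrm policy` dump for the three subnets given above and reports which spoke pairs lack the `fwd` and `out` policies transit needs; the dump and its priority values are made up for illustration.

```python
"""Added example, not from the thread: check whether a hub's XFRM policy table
covers spoke-to-spoke transit for the Azure/AWS layout above. The `ip xfrm
policy` dump is constructed sample data, not output from Leonard's hub."""
import ipaddress
import itertools
import re

HUB = ipaddress.ip_network("192.168.1.0/24")
SPOKES = {
    "Azure": ipaddress.ip_network("172.16.0.0/23"),
    "AWS": ipaddress.ip_network("10.10.10.0/23"),
}

# Constructed: the policies a hub installs when each conn carries only
# hub<->spoke selectors; nothing here matches Azure<->AWS transit.
SAMPLE_XFRM_POLICY = """\
src 192.168.1.0/24 dst 172.16.0.0/23
\tdir out priority 2344 ptype main
src 172.16.0.0/23 dst 192.168.1.0/24
\tdir fwd priority 2344 ptype main
src 192.168.1.0/24 dst 10.10.10.0/23
\tdir out priority 2344 ptype main
src 10.10.10.0/23 dst 192.168.1.0/24
\tdir fwd priority 2344 ptype main
"""

_SEL = re.compile(r"^src (\S+) dst (\S+)")
_DIR = re.compile(r"^\s*dir (in|out|fwd)\b")

def parse_policies(dump):
    """Return {(src_net, dst_net, direction)} from `ip xfrm policy` output."""
    policies, sel = set(), None
    for line in dump.splitlines():
        if m := _SEL.match(line):
            sel = (ipaddress.ip_network(m[1]), ipaddress.ip_network(m[2]))
        elif sel and (m := _DIR.match(line)):
            policies.add((sel[0], sel[1], m[1]))
    return policies

def covers(policies, src, dst, direction):
    """True if a policy in `direction` has selectors containing src and dst."""
    return any(d == direction and src.subnet_of(ps) and dst.subnet_of(pd)
               for ps, pd, d in policies)

def missing_transit(policies, spokes):
    """Spoke A -> B traffic decapsulated on the hub needs a `fwd` policy (src A,
    dst B) to be forwarded and an `out` policy (src A, dst B) to enter B's tunnel."""
    return [(a, b, d)
            for (a, na), (b, nb) in itertools.permutations(spokes.items(), 2)
            for d in ("fwd", "out") if not covers(policies, na, nb, d)]
```

On a live hub, feed it the real output of `ip xfrm policy` instead of the sample; an empty result from `missing_transit` means the kernel side can carry the traffic and the remaining suspects are IP forwarding and the cloud gateways' own traffic selectors, which must also list the other spoke's prefix.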