<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<blockquote type="cite">I have two connection entries in the
ipsec.conf</blockquote>
<br>
I've done spoke-hub with ipsec in the distant past.<br>
<br>
IIRC, you need either one connection entry (spoke A-to-spoke B), or
three connection entries (spoke A-to-spoke B, spoke A to localnet,
and spoke B to localnet). What exactly do you have configured for
the left and right networks of your existing two(?) connections?<br>
<br>
-Jon<br>
<br>
<div class="moz-cite-prefix">On 3/7/2016 10:55 PM, Leonard Wood
wrote:<br>
</div>
<blockquote cite="mid:000301d178f6$c75d8d60$5618a820$@ufl.edu"
type="cite">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 14 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">Hi Daniel,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Thanks for
responding. I have not received any replies, yet. After
researching this extensively, I suspect my issue may be a
result of using the netkey protocol (default) vs klips. I
don’t think netkey has the ability to route traffic between
two local subnets. I can run tcpdump on the local openswan
(hub) instance and see ICMP packets coming in from the
Spokes.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">My thinking is
because the entire payload and header are encrypted, and
without some mechanism (i.e., klips) to decipher it, the
datagram doesn’t know where to go once it reaches Openswan
(Hub)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">But I could be
wrong.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Thanks,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Leonard<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
Daniel Cave [<a class="moz-txt-link-freetext" href="mailto:dan.cave@me.com">mailto:dan.cave@me.com</a>] <br>
<b>Sent:</b> Monday, March 07, 2016 12:47 PM<br>
<b>To:</b> Leonard Wood<br>
<b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:users@lists.openswan.org">users@lists.openswan.org</a><br>
<b>Subject:</b> Re: [Openswan Users] Hub-Spoke
Configuration<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"><br>
Hello Leonard <o:p></o:p></p>
</div>
<div id="AppleMailSignature">
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div id="AppleMailSignature">
<p class="MsoNormal">Did you get any replies to this? <o:p></o:p></p>
</div>
<div id="AppleMailSignature">
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div id="AppleMailSignature">
<p class="MsoNormal">I suspect you may be experiencing issues
with firewall/security group/rules issues <o:p></o:p></p>
</div>
<div id="AppleMailSignature">
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div id="AppleMailSignature">
<p class="MsoNormal">Have you tried establishing hub to spoke
end connectivity on each side and end to end testing by
connecting using netcat? <o:p></o:p></p>
</div>
<div id="AppleMailSignature">
<p class="MsoNormal"><br>
Sent from my iPhone<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
On 2 Mar 2016, at 20:00, Leonard Wood <<a
moz-do-not-send="true" href="mailto:leonardw@ufl.edu"><a class="moz-txt-link-abbreviated" href="mailto:leonardw@ufl.edu">leonardw@ufl.edu</a></a>>
wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">Does anyone have any documentation on
setting up a ‘hub and spoke’ configuration using Openswan?<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">I have a scenario where I am connecting
both Azure and AWS to a single Openswan instance using
each prospective provider’s VPN gateway. The tunnels come
up and everything is fine with one exception. Resources
deployed in Azure cannot communicate with resources
deployed in Aws, and vice versa. Both can communicate
with the Openswan instance, however. The route tables are
correctly setup in AWS and Azure so I am convinced its my
configuration.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">I have two connection entries in the
ipsec.conf<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">(Spoke1) Azure = 172.16.0.0/23<o:p></o:p></p>
<p class="MsoNormal">(Spoke2) AWS = 10.10.10.0/23<o:p></o:p></p>
<p class="MsoNormal">Hub Network = Openswan = 192.168.1.0/24<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">I am also using netkey for the
protocol.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Any help with getting nodes in spoke 1
to communicate with nodes in spoke 2 would be greatly
appreciated!<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</blockquote>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New
Roman","serif"">_______________________________________________<br>
<a moz-do-not-send="true"
href="mailto:Users@lists.openswan.org">Users@lists.openswan.org</a><br>
<a moz-do-not-send="true"
href="https://lists.openswan.org/mailman/listinfo/users">https://lists.openswan.org/mailman/listinfo/users</a><br>
Micropayments: <a moz-do-not-send="true"
href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a><br>
Building and Integrating Virtual Private Networks with
Openswan:<br>
<a moz-do-not-send="true"
href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a><o:p></o:p></span></p>
</div>
</blockquote>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
<a class="moz-txt-link-abbreviated" href="mailto:Users@lists.openswan.org">Users@lists.openswan.org</a>
<a class="moz-txt-link-freetext" href="https://lists.openswan.org/mailman/listinfo/users">https://lists.openswan.org/mailman/listinfo/users</a>
Micropayments: <a class="moz-txt-link-freetext" href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a>
Building and Integrating Virtual Private Networks with Openswan:
<a class="moz-txt-link-freetext" href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a></pre>
</blockquote>
<br>
</body>
</html>