[Openswan dev] scalable configuration
jsd at av8n.com
Fri Oct 3 02:00:40 EDT 2008
I added a section
It is important to design things so that they scale properly.
If you have N hosts fully connected with IPsec tunnels, that
requires a total of N^2 “conn” declarations, all different.
Each host only needs N of these “conn” declarations in its
ipsec.conf file, but that doesn’t address the underlying issue:
where did all those declarations come from? I don’t want to
have a central database containing N^2 of anything. That would
defeat the raison d’être of asymmetric cryptography.
Constructive suggestion: It is perfectly possible to keep
a central database with only N entries, one for each IPsec
endpoint. Indeed, each of the entries is quite simple,
recording only the hostname, subnet configuration (if any),
and the RSA public key of the endpoint. Here’s an example:
# RSA 2192 bits foo Sat Sep 27 18:16:53 2008
I store that information in a “.pub” file, one file per endpoint.
I have a script that takes two .pub files and creates the “conn”
declaration suitable for connecting the two endpoints. Given
the information in the .pub files, everything else needed for
the “conn” declaration can be figured out by consulting DNS and
consulting the routing tables (plus some logic and arithmetic).
An alpha version of the script is at
This is a rough draft, but better than nothing.
I would like to see this functionality integrated into openswan.
In my opinion, stuff like “interfaces=...” and “leftnexthop=...”
do not belong in the ipsec.conf file. And the IPsec packets
should be routed according to the actual routes, not the
“defaultroute”. Everything that can be figured out at runtime
should be figured out at runtime.
More information about the Dev