[Openswan dev] scalable configuration

John Denker jsd at av8n.com
Fri Oct 3 02:00:40 EDT 2008

I added a section

which says:

It is important to design things so that they scale properly.

If you have N hosts fully connected with IPsec tunnels, that 
requires a total of N^2 “conn” declarations, all different. 
Each host only needs N of these “conn” declarations in its 
ipsec.conf file, but that doesn’t address the underlying issue: 
where did all those declarations come from? I don’t want to 
have a central database containing N^2 of anything. That would 
defeat the raison d’être of asymmetric cryptography.

Constructive suggestion: It is perfectly possible to keep 
a central database with only N entries, one for each IPsec 
endpoint. Indeed, each of the entries is quite simple, 
recording only the hostname, subnet configuration (if any), 
and the RSA public key of the endpoint. Here’s an example:

 # RSA 2192 bits   foo  Sat Sep 27 18:16:53 2008

I store that information in a “.pub” file, one file per endpoint.

I have a script that takes two .pub files and creates the “conn” 
declaration suitable for connecting the two endpoints.  Given 
the information in the .pub files, everything else needed for 
the “conn” declaration can be figured out by consulting DNS and
consulting the routing tables (plus some logic and arithmetic).

An alpha version of the script is at 
This is a rough draft, but better than nothing.

I would like to see this functionality integrated into openswan. 
In my opinion, stuff like “interfaces=...” and “leftnexthop=...” 
do not belong in the ipsec.conf file. And the IPsec packets 
should be routed according to the actual routes, not the 
“defaultroute”. Everything that can be figured out at runtime 
should be figured out at runtime.

More information about the Dev mailing list