[Openswan Users] Hub and Spoke

Trevor Benson tbenson at a-1networks.com
Wed Jun 2 11:23:48 CEST 2004


On Wednesday, May 26, Paul Wouters wrote:


> On Wed, 26 May 2004, Trevor Benson wrote:
>
> > Are there any good howtos on how to get openswan to do a hub and spoke.
> > I did some testing with adjusting the tunnel's subnet, but this just
> > broke the tunnel so traffic destined for the other network never
> > responded.  Do I need to manually add a route to the hub?
>
> I assume you mean a setup like :
>
>      A  B  C
>      \  | /
>     F-hub-E
>
> If you now want to send traffic from A to C via IPsec on HUB, you should
> make a conn on A and hub that specifies A's subnet as right, and C's subnet
> as left. You will need a similar conn on C and hub.
>
> Unless you set up broader tunnels. Assume that A is 10.0.1.0/24, B is
> 10.1.2.0/24 and C is 10.1.3.0/24, then you can define a tunnel from A with
> 10.1.0.0/16 or perhaps even 10.0.0.0/8.
>
> Do not use 'route add whatever gw someIPatHub' because A will drop those
> packets because it is lacking a proper IPsec policy for those packets.
>
> Paul


Paul,

   I have been thinking this over and something is perplexing me.  Below
A, B, C, D, E, F all want to pass traffic through G the hub.  How many
site to site connections would this require?  From your explanation it
sounds like about 12 VPN connections would be required on the hub, and
each spoke would require 2 VPN connections to the hub to alternate the
left and right subnets for traffic passing?  

   A  B  C
    \ | /
      G
    / | \
   D  E  F

   It almost seems as if it would cause problems trying to make large
hub and spokes work. It seems the spoke would not know which tunnel to
send traffic over for the endpoint it wishes to reach, unless you are
doubling traffic by traversing both tunnels?


Thanks for all the assistance so far, just trying to see what is
required to do larger hub and spokes. 

Thanks for the help,
Trevor Benson
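The following is an added example, not code from the thread or from the Openswan project. It enumerates the ipsec.conf `conn` definitions that the two designs in the quoted reply require, for the six-spoke diagram in the message: one conn per (spoke, remote-subnet) pair with a mirrored conn on the hub, or one broader tunnel per spoke whose `rightsubnet` is an aggregate that covers every spoke LAN. It generalises the reply's A-to-C case to all pairs; hub address, spoke gateway addresses, LAN prefixes and conn names are constructed, and `left` is written as the host the file is installed on purely for readability (Openswan itself works out which side is local).

```python
"""Enumerate the Openswan conns a hub-and-spoke layout needs.

Added example; addresses and names below are constructed. The pairing rule
follows the quoted reply: for spoke A to reach spoke C through the hub,
A and the hub share a conn whose subnets are A's and C's, and C and the hub
share the mirrored conn.
"""
from ipaddress import ip_network
from itertools import combinations

# Constructed topology: hub G and six spokes A..F, as in the ASCII diagram.
HUB_IP = "192.0.2.1"
SPOKES = {  # name: (spoke gateway address, spoke LAN)
    "A": ("192.0.2.10", "10.1.1.0/24"),
    "B": ("192.0.2.11", "10.1.2.0/24"),
    "C": ("192.0.2.12", "10.1.3.0/24"),
    "D": ("192.0.2.13", "10.1.4.0/24"),
    "E": ("192.0.2.14", "10.1.5.0/24"),
    "F": ("192.0.2.15", "10.1.6.0/24"),
}


def conn(name, left, leftsubnet, right, rightsubnet, auto):
    """One ipsec.conf conn as a dict; left is the host the file lives on."""
    return {"name": name, "left": left, "leftsubnet": leftsubnet,
            "right": right, "rightsubnet": rightsubnet, "auto": auto}


def pairwise_conns(spokes, hub_ip):
    """Per-pair tunnels, as in the reply's A-to-C case, for every spoke pair.

    Returns {"hub": [...], "A": [...], ...}. With n spokes the hub carries
    n*(n-1) conns and each spoke n-1 (six spokes: 30 on the hub, 5 per spoke).
    """
    confs = {"hub": []}
    for s in spokes:
        confs[s] = []
    for a, c in combinations(sorted(spokes), 2):
        a_ip, a_net = spokes[a]
        c_ip, c_net = spokes[c]
        # Spoke A: own LAN on the left, C's LAN on the right, hub as the peer.
        confs[a].append(conn(f"{a}-to-{c}", a_ip, a_net, hub_ip, c_net, "start"))
        confs["hub"].append(conn(f"hub-{a}-for-{c}", hub_ip, c_net, a_ip, a_net, "add"))
        # Mirror of the same pair on spoke C and on the hub.
        confs[c].append(conn(f"{c}-to-{a}", c_ip, c_net, hub_ip, a_net, "start"))
        confs["hub"].append(conn(f"hub-{c}-for-{a}", hub_ip, a_net, c_ip, c_net, "add"))
    return confs


def broad_conns(spokes, hub_ip, aggregate):
    """One broader tunnel per spoke (the reply's 10.1.0.0/16 variant).

    Every spoke LAN must lie inside `aggregate`, otherwise that spoke's
    traffic never matches a tunnel policy. Caveat: the aggregate also
    contains the spoke's own LAN, so local LAN traffic matches the tunnel
    policy too; the usual Openswan remedy is a type=passthrough conn for
    the local subnet, which this generator does not emit.
    """
    agg = ip_network(aggregate)
    confs = {"hub": []}
    for s, (ip, net) in sorted(spokes.items()):
        if not ip_network(net).subnet_of(agg):
            raise ValueError(f"{s}: {net} lies outside {aggregate}")
        confs[s] = [conn(f"{s}-to-all", ip, net, hub_ip, aggregate, "start")]
        confs["hub"].append(conn(f"hub-{s}", hub_ip, aggregate, ip, net, "add"))
    return confs


def render(conns):
    """Render conn dicts as ipsec.conf text (authby=secret is an assumption)."""
    out = []
    for c in conns:
        out.append(f"conn {c['name']}")
        for key in ("left", "leftsubnet", "right", "rightsubnet"):
            out.append(f"    {key}={c[key]}")
        out.append("    authby=secret")
        out.append(f"    auto={c['auto']}")
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    pair = pairwise_conns(SPOKES, HUB_IP)
    broad = broad_conns(SPOKES, HUB_IP, "10.1.0.0/16")
    print(f"per-pair design: hub={len(pair['hub'])} conns, "
          f"spoke A={len(pair['A'])} conns")
    print(f"broad design:    hub={len(broad['hub'])} conns, "
          f"spoke A={len(broad['A'])} conns")
    print(render(broad["A"]))
    print(render(pair["hub"][:2]))
```

Running the script prints the conn counts for both designs and the rendered `conn` stanzas for spoke A and the hub's first pair; the per-pair count is what makes the broader aggregate attractive as the number of spokes grows.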


