[Openswan Users] Hub and Spoke

Trevor Benson tbenson at a-1networks.com
Fri Jun 4 17:57:38 CEST 2004


> -----Original Message-----
> From: Paul Wouters [mailto:paul at xelerance.com]
> Sent: Thursday, June 03, 2004 3:46 AM
> To: Trevor Benson
> Cc: Users at lists.openswan.org
> Subject: RE: [Openswan Users] Hub and Spoke
> 
> On Wed, 2 Jun 2004, Trevor Benson wrote:
> 
> > Paul,
> >
> >    I have been thinking this over and something is perplexing me. Below
> > A, B, C, D, E, F all want to pass traffic through G the hub.  How many
> > site to site connections would this require?  From your explanation it
> > sounds like about 12 VPN connections would be required on the hub, and
> > each spoke would require 2 VPN connections to the hub to alternate the
> > left and right subnets for traffic passing?
> >
> >    A  B  C
> >     \ | /
> >       G
> >     / | \
> >    D  E  F
> 
> If you would make separate tunnels for everything, you'd need 13.
> But if you make tunnels for each node from 10.0.X.0/24 to 10.0.0.0/8 you
> should probably be able to do it with one per node. Though this needs to
> be verified.
> 
> Worst case, one IPsec tunnel with GRE tunnels inside could help you.
> 
> Paul

If anyone can test this I would be very grateful.  I cannot seem to get
it functioning at all.  I am not using version 2, so if that is in any way
related to problems, maybe that's my issue.  So far my testing with
version 1 has not given me any success.  If I change the subnet away
from the actual subnet the hub is on, nothing works at all.

To clarify, the tunnel does come up, but if I try to ping the subnet
local to the hub all I get is Request Timed Out.  Pinging any other
subnet the hub is connected to that has the same configuration for hub
and spoke produces RTOs as well.  Adjusting the subnet appears to break
all functional communication.

I have not run a tcpdump on the hub and spoke at the same time and
attempted pinging from both, but I will attempt to do so this weekend.

Is it possible in 1 site to site tunnel to define multiple rightsubnets
or leftsubnets?  Or will it ignore all the extra subnets after the
first, or before the last?  I was wondering if the subnet range being
adjusted is causing packets to be ignored by the local subnets, so
possibly being able to define multiple subnets for the hub in the spoke
and hub configuration would allow the correct routing?

Thanks,
Trevor Benson
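The one-tunnel-per-node layout Paul suggests above, written out as an ipsec.conf fragment. This is an added example, not configuration from the thread or from the Openswan project; the public addresses, the hub LAN 10.0.0.0/24 and the spoke LANs 10.0.1.0/24 and 10.0.2.0/24 are assumed, and, as Paul says, the approach itself is unverified.

```ini
# Added example (not from the thread): hub-and-spoke with one conn per spoke.
# Assumed addressing: hub G has LAN 10.0.0.0/24 and public IP 192.0.2.1;
# spoke A has LAN 10.0.1.0/24 at 192.0.2.10, spoke B has LAN 10.0.2.0/24 at 192.0.2.20.
# Each spoke tunnels 10.0.X.0/24 <-> 10.0.0.0/8, so the hub LAN and every
# other spoke are reached through the hub without a separate conn per pair.
# The hub kernel must forward between the tunnels (net.ipv4.ip_forward=1).

config setup
        interfaces=%defaultroute

conn %default
        authby=secret          # pre-shared keys live in ipsec.secrets (not shown)
        keyingtries=0
        auto=add

# ---- ipsec.conf on the hub G: one conn per spoke, left side is the hub ----
conn spoke-A
        left=192.0.2.1
        leftsubnet=10.0.0.0/8  # whole private range: hub LAN plus all spokes
        leftnexthop=%defaultroute
        right=192.0.2.10
        rightsubnet=10.0.1.0/24
        rightnexthop=%defaultroute

conn spoke-B
        left=192.0.2.1
        leftsubnet=10.0.0.0/8
        leftnexthop=%defaultroute
        right=192.0.2.20
        rightsubnet=10.0.2.0/24
        rightnexthop=%defaultroute

# ---- ipsec.conf on spoke A: a single conn to the hub ----
conn to-hub
        left=192.0.2.10
        leftsubnet=10.0.1.0/24
        leftnexthop=%defaultroute
        right=192.0.2.1
        rightsubnet=10.0.0.0/8  # everything behind the hub, including other spokes
        rightnexthop=%defaultroute
        auto=start
```

Spoke B uses the same conn with its own left address and leftsubnet=10.0.2.0/24; a tcpdump on both ends, as planned above, will show whether spoke-to-spoke packets actually leave the hub on the second tunnel.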