[Openswan Users] Hub and Spoke

Trevor Benson tbenson at a-1networks.com
Sat Jun 5 12:51:53 CEST 2004 

> > Is it possible in 1 site to site tunnel to define multiple
rightsubnets
> > or leftsubnets?  Or will it ignore all the extra subnets after the
> 
> You can define multiple subnets by having multiple stanzas that differ
> only by subnets.  Pluto will automatically use the same ISAKMP SA for
> them.


OK sounds good, I get better response from the hubs local subnet when I
try this method, as it still lets me reach it, but I do not reach past
it.  Here is a example and my ipsec.conf file.  All connections are
working properly for the initial site connections.  Still no tcpdump's,
but more information.  I will attempt to tcpdump today.  What would be
preferred, tcpdumping the ipsec0 interface that is being used for each
connection, or another interface?

Hub G = subnet 192.168.169.0

Spoke A = subnet 192.168.130.0

Spoke B = subnet 192.168.167.0

Spoke C = subnet 192.168.171.0

Hub G ipsec.conf settings:

conn SpokeA
        left=64.142.x.y
        leftnexthop=%defaultroute
        leftsubnet=192.168.169.0/255.255.255.0
        leftsubnet=192.168.171.0/255.255.255.0
        leftsubnet=192.168.167.0/255.255.255.0
        right=64.142.d.e
        rightsubnet=192.168.130.0/255.255.255.0
        rightnexthop=%defaultroute
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        authby=secret
        auto=start

conn SpokeB
        left=64.142.x.y
        leftnexthop=%defaultroute
        leftsubnet=192.168.169.0/255.255.255.0
        leftsubnet=192.168.130.0/255.255.255.0
        leftsubnet=192.168.171.0/255.255.255.0
        right=64.142.j.k
        rightsubnet=192.168.167.0/255.255.255.0
        rightnexthop=%defaultroute
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        authby=secret
        auto=start

conn SpokeC
        left=64.142.x.y
        leftnexthop=%defaultroute
        leftsubnet=192.168.169.0/255.255.255.0
        leftsubnet=192.168.130.0/255.255.255.0
        leftsubnet=192.168.167.0/255.255.255.0
        right=64.142.g.h
        rightsubnet=192.168.171.0/255.255.255.0
        rightnexthop=%defaultroute
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        authby=secret
        auto=start


SpokeA ipsec.conf settings:

conn HubG
        left=64.142.d.e
        leftnexthop=%defaultroute
        leftsubnet=192.168.130.0/255.255.255.0
        right=64.142.x.y
        rightsubnet=192.168.169.0/255.255.255.0
        rightsubnet=192.168.171.0/255.255.255.0
        rightsubnet=192.168.167.0/255.255.255.0
        rightnexthop=%defaultroute
        dpddelay=30
        dpdtimeout=120
        dpdaction=hold
        authby=secret
        auto=start

SpokeB ipsec.conf settings:

conn HubG
        left=64.142.j.k
        leftnexthop=%defaultroute
        leftsubnet=192.168.167.0/255.255.255.0
        right=64.142.x.y
        rightsubnet=192.168.169.0/255.255.255.0
        rightsubnet=192.168.171.0/255.255.255.0
        rightsubnet=192.168.130.0/255.255.255.0
        rightnexthop=%defaultroute
        dpddelay=30
        dpdtimeout=120
        dpdaction=hold
        authby=secret
        auto=start

SpokeC ipsec.conf settings:

conn HubG
        left=64.142.g.h
        leftnexthop=%defaultroute
        leftsubnet=192.168.171.0/255.255.255.0
        right=64.142.x.y
        rightsubnet=192.168.169.0/255.255.255.0
        rightsubnet=192.168.130.0/255.255.255.0
        rightsubnet=192.168.167.0/255.255.255.0
        rightnexthop=%defaultroute
        dpddelay=30
        dpdtimeout=120
        dpdaction=hold
        authby=secret
        auto=start


Thanks,
Trevor

More information about the Users mailing list