[Openswan Users] Net-after-IPSec
Christian Tardif
christian.tardif at servinfo.ca
Fri Oct 1 01:02:56 CEST 2004
On Thu, 2004-09-30 at 07:55, Ted Kaczmarek wrote:
> > Plain IPsec has its limitations. For example, you won't be able to get
> > your way to a second (after the recorded subnet in IPsec config) subnet
> > (or am I misunderstanding something ?). And since I won't always have
> > control over the Panther machine on the other end, I must stay the
> > nearest standard possible.
> What do you mean by this?
>
> If you are saying the policy does not allow access to a different ip
> than what is allowed how is that a limitation?
With IPsec, you define, for example, left+leftsubet, and
right+rightsubnet:
left=24.200.202.43
leftsubnet=192.168.1.0/24
right=65.34.55.232
rightsubnet=192.168.2.0/24
So, I'm building an IPsec tunnel between left and right, allowing
traffic between leftsubnet and rightsubnet. Let's say I have five
offices linked together with IPsec tunnels, each tunnel defining a link
from a central network to one satellite. If I want satellite A to
communicate with satellite B thru their respective tunnels, I must build
a subtunnel into the IPsec tunnel in order to do that... Still
following ?
In my real case, I have a Panther machine on the Net that will link to
my central site. Plain IPsec can do that. But, once in this central
site, I have not less than 8 LAN's to reach. Unless I have something I
never understood, I can't do that directly with IPsec, for which reason
L2TP, or IPIP, or GRE (or whatever tunnel make) is needed.
Why L2TP in my case ? Because many Panther machines that will connect
are not under my control, so I must use what they already have when they
are shipped: IPsec/L2TP.
Sorry for that long explanation. I just wanted to make everything in my
mind (IPsec related :-)) very clear for everyone on this mailing list.
Does someone here has a working setup to connect a Panther IPsec/L2TP to
Openswan ?
--
Christian Tardif
ServInfo
Tél: 514.237.6332
christian.tardif at servinfo.ca
More information about the Users
mailing list