[Openswan Users] Net-after-IPSec

Christian Tardif christian.tardif at servinfo.ca
Fri Oct 1 01:02:56 CEST 2004


On Thu, 2004-09-30 at 07:55, Ted Kaczmarek wrote:

> > Plain IPsec has its limitations. For example, you won't be able to get
> > your way to a second (after the recorded subnet in IPsec config) subnet
> > (or am I misunderstanding something ?). And since I won't always have
> > control over the Panther machine on the other end, I must stay the
> > nearest standard possible.
> What do you mean by this?
> 
> If you are saying the policy does not allow access to a different ip
> than what is allowed how is that a limitation?

With IPsec, you define, for example, left+leftsubnet, and
right+rightsubnet:

left=24.200.202.43
leftsubnet=192.168.1.0/24
right=65.34.55.232
rightsubnet=192.168.2.0/24

So, I'm building an IPsec tunnel between left and right, allowing
traffic between leftsubnet and rightsubnet. Let's say I have five
offices linked together with IPsec tunnels, each tunnel defining a link
from a central network to one satellite. If I want satellite A to
communicate with satellite B through their respective tunnels, I must build
a subtunnel into the IPsec tunnel in order to do that... Still
following?

In my real case, I have a Panther machine on the Net that will link to
my central site. Plain IPsec can do that. But, once in this central
site, I have not less than 8 LANs to reach. Unless I have something I
never understood, I can't do that directly with IPsec, for which reason
L2TP, or IPIP, or GRE (or whatever kind of tunnel) is needed.

Why L2TP in my case? Because many Panther machines that will connect
are not under my control, so I must use what they already have when they
are shipped: IPsec/L2TP.

Sorry for that long explanation. I just wanted to make everything in my
mind (IPsec related :-)) very clear for everyone on this mailing list.

Does someone here have a working setup to connect a Panther IPsec/L2TP to
Openswan?

-- 
Christian Tardif
ServInfo
Tél: 514.237.6332
christian.tardif at servinfo.ca
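The point raised in this message, that a plain IPsec tunnel only carries traffic whose source and destination fall inside the configured leftsubnet/rightsubnet selectors, is easy to check mechanically. The following is an added example (not code from the thread or from Openswan) that models the hub's security policy database as a list of subnet-pair selectors, reuses the 192.168.1.0/24 and 192.168.2.0/24 subnets from the message, and adds a constructed satellite B subnet (192.168.3.0/24) to show why satellite-to-satellite traffic is dropped unless a selector covering that pair exists. The `Policy` class and helper functions are hypothetical names chosen for this illustration.

```python
import ipaddress
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Policy:
    """One IPsec selector pair, i.e. one Openswan conn's leftsubnet/rightsubnet."""
    name: str
    left_subnet: ipaddress.IPv4Network
    right_subnet: ipaddress.IPv4Network


def make_policy(name, left, right):
    """Build a Policy from CIDR strings (strict=True rejects host bits set in the prefix)."""
    return Policy(name, ipaddress.ip_network(left), ipaddress.ip_network(right))


def match_policy(policies, src, dst):
    """Return the first policy whose selectors cover src->dst (in either direction).

    IPsec tunnel-mode policies are symmetric: a conn with leftsubnet=A and
    rightsubnet=B protects A->B and B->A. Traffic matching no policy is not
    carried through any tunnel (the gateway routes or drops it in the clear).
    """
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    for p in policies:
        if (s in p.left_subnet and d in p.right_subnet) or \
           (s in p.right_subnet and d in p.left_subnet):
            return p
    return None


def uncovered_pairs(policies, subnets):
    """List subnet pairs that no policy connects.

    Useful when auditing a hub-and-spoke layout: every spoke pair that should
    talk to each other needs its own selector pair, or a second tunnel layer.
    """
    nets = [ipaddress.ip_network(n) for n in subnets]
    missing = []
    for a, b in combinations(nets, 2):
        # Probe with the first usable host on each side; selectors are subnet-wide.
        if match_policy(policies, str(a[1]), str(b[1])) is None:
            missing.append((str(a), str(b)))
    return missing


def render_conn(policy, left_gw, right_gw):
    """Render the equivalent Openswan conn section for a policy (plain text)."""
    return (
        f"conn {policy.name}\n"
        f"    left={left_gw}\n"
        f"    leftsubnet={policy.left_subnet}\n"
        f"    right={right_gw}\n"
        f"    rightsubnet={policy.right_subnet}\n"
        f"    auto=add\n"
    )


# Constructed hub-and-spoke SPD: the hub (192.168.1.0/24, from the message)
# has one tunnel to satellite A (192.168.2.0/24, from the message) and one
# to satellite B (192.168.3.0/24, constructed for this example).
HUB_POLICIES = [
    make_policy("hub-satA", "192.168.1.0/24", "192.168.2.0/24"),
    make_policy("hub-satB", "192.168.1.0/24", "192.168.3.0/24"),
]

# Adding an explicit A<->B selector is what the message calls a "subtunnel".
WITH_SPOKE_LINK = HUB_POLICIES + [
    make_policy("satA-satB", "192.168.2.0/24", "192.168.3.0/24"),
]


if __name__ == "__main__":
    print(match_policy(HUB_POLICIES, "192.168.1.10", "192.168.2.20"))
    print(match_policy(HUB_POLICIES, "192.168.2.20", "192.168.3.30"))  # no policy
    print(uncovered_pairs(HUB_POLICIES,
                          ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"]))
    # Gateway addresses below are the ones quoted in the message.
    print(render_conn(HUB_POLICIES[0], "24.200.202.43", "65.34.55.232"))
```

Running the script shows that hub-to-satellite traffic matches, satellite-to-satellite traffic matches nothing, and `uncovered_pairs` reports exactly the A/B pair as missing; with `WITH_SPOKE_LINK` the same probe matches the added selector. The same check works for any number of spokes, which is why a site with eight LANs behind the hub needs either one selector pair per reachable LAN or a second tunnel layer (L2TP, GRE, IPIP) whose single selector covers everything.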


