[Openswan Users] Problem with vpn network
Paul Wouters
paul at xtdnet.nl
Fri Jan 21 14:09:56 CET 2005
On Fri, 21 Jan 2005, Nicole.Haehnel wrote:
> We have 4 vpnservers with static ips (VPN1-VPN4) and about 6 vpnservers (PC1
> -PC6) with dynamic ips connected over dsl.
Great :)
> The problem are the dynamic ips, which I don't know how to connect.
Can this not be solved with WINS or AD (hostname in dns through dynamic update)?
> Now I have the problem that connections were completely lost or
> "ipsec look" says the tunnel is still there but I can't send any packet, no
> ping or something else is going through the tunnel.
> And it's mostly on VPN1.
> Maybe too many tunnels on VPN1?
That should not matter.
> We have also one server behind a dsl router with vpn passthrough function.
> There are two tunnels to VPN1 with different networks.
> Tunnels working, but after a few hours I can't ping, although the tunnels are
> up.
> Is it because of the dsl router?
I doubt it, but it is possible the router does something wrong. But it would
show up in the openswan logs as an error.
> How can I build our vpn network better or with fewer tunnels?
I can't really tell from this description. But it seems using WINS or AD should
fix the problem of not knowing which IP a machine has, and then you wouldn't
need as many tunnels if I understand you correctly.
> Maybe only one tunnel from PC1 - PC6 to VPN1 - VPN4 and then with routing
> entries to the other locations.
> Do I need ipsec eroute to do that?
Yes, you can only do this with KLIPS, since it uses a longest prefix first match
for eroutes. So you can have a 10.0.0.0/8 to the central hub, and a 10.b.c.0/24
using one tunnel on the leaf.
Paul
--
"At best it is a theory, at worst a fantasy" -- Michael Crichton
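Added example (not from the mailing list thread or the Openswan project): a small simulation of the eroute selection Paul describes, where a leaf box holds both a 10.0.0.0/8 entry to the central hub and a more specific /24 entry to one other leaf, and the most specific destination prefix wins. The subnets, tunnel labels and the `Eroute` type are constructed for illustration; the contrast function shows what happens when a table is instead searched first-match-first, which is why the hub-plus-leaf layout depends on longest-prefix selection.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Eroute:
    """One extruded route: traffic from src to dst is sent through tunnel."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    tunnel: str  # constructed label for the peer / SA, not a real Openswan name


# Constructed table for one leaf (PCx) box. The /8 covers everything reachable
# via the hub; the /24 is a direct tunnel to a single other leaf site.
# All addresses are made up for this example.
EROUTES: List[Eroute] = [
    Eroute(ipaddress.ip_network("192.168.1.0/24"),
           ipaddress.ip_network("10.0.0.0/8"), "hub-VPN1"),
    Eroute(ipaddress.ip_network("192.168.1.0/24"),
           ipaddress.ip_network("10.20.30.0/24"), "leaf-PC2"),
]


def matching(table: List[Eroute], src_ip: str, dst_ip: str) -> List[Eroute]:
    """All eroutes whose (src, dst) selectors cover this packet."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    return [e for e in table if src in e.src and dst in e.dst]


def select_longest_prefix(table: List[Eroute], src_ip: str,
                          dst_ip: str) -> Optional[Eroute]:
    """Longest-prefix-first selection: the most specific destination prefix
    wins, with the source prefix as a tie-breaker. A /24 to a leaf therefore
    overrides the catch-all /8 to the hub for addresses inside that /24."""
    candidates = matching(table, src_ip, dst_ip)
    if not candidates:
        return None  # no eroute: the packet would not enter any tunnel
    return max(candidates, key=lambda e: (e.dst.prefixlen, e.src.prefixlen))


def select_first_match(table: List[Eroute], src_ip: str,
                       dst_ip: str) -> Optional[Eroute]:
    """Contrast: ordered first-match selection. With the /8 listed first, the
    leaf-to-leaf /24 tunnel is never chosen and everything goes via the hub."""
    candidates = matching(table, src_ip, dst_ip)
    return candidates[0] if candidates else None


def route_name(selector, table: List[Eroute], src_ip: str,
               dst_ip: str) -> Optional[str]:
    """Convenience wrapper returning just the tunnel label (or None)."""
    e = selector(table, src_ip, dst_ip)
    return e.tunnel if e else None


if __name__ == "__main__":
    for dst in ("10.20.30.5", "10.9.9.9", "172.16.0.1"):
        print(dst,
              "longest-prefix ->", route_name(select_longest_prefix, EROUTES, "192.168.1.10", dst),
              "| first-match ->", route_name(select_first_match, EROUTES, "192.168.1.10", dst))
```

With longest-prefix selection, 10.20.30.5 leaves through the direct leaf tunnel while 10.9.9.9 goes to the hub; with first-match selection both go to the hub, so the extra leaf tunnel buys nothing. A destination outside 10.0.0.0/8 matches no eroute and is not tunnelled at all, which is the case to check when a ping silently fails even though "ipsec look" shows the tunnels up.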