[Openswan Users] Problem with vpn network

Paul Wouters paul at xtdnet.nl
Fri Jan 21 14:09:56 CET 2005


On Fri, 21 Jan 2005, Nicole.Haehnel wrote:

> We have 4 VPN servers with static IPs (VPN1 - VPN4) and about 6 VPN servers (PC1 
> - PC6) with dynamic IPs connected over DSL.

Great :)

> The problem is the dynamic IPs, which I don't know how to connect.

Can this not be solved with WINS or AD (hostname in dns through dynamic update)?

> Now I have the problem that connections are completely lost, or
> "ipsec look" says the tunnel is still there but I can't send any packet; no 
> ping or anything else is going through the tunnel.
> And it's mostly on VPN1.
> Maybe too many tunnels on VPN1?

That should not matter.

> We also have one server behind a DSL router with a VPN passthrough function. 
> There are two tunnels to VPN1 with different networks.
> The tunnels work, but after a few hours I can't ping, although the tunnels are 
> up.
> Is it because of the DSL router?

I doubt it, but it is possible the router does something wrong. But it would
show up in the openswan logs as an error.

> How can I build our VPN network better, or with fewer tunnels?

I can't really tell from this description. But it seems using WINS or AD should
fix the problem of not knowing which IP a machine has, and then you wouldn't
need as many tunnels if I understand you correctly.

> Maybe only one tunnel from PC1 - PC6 to VPN1 - VPN4 and then with routing 
> entries to the other locations.
> Do I need ipsec eroute to do that?

Yes, you can only do this with KLIPS, since it uses a longest-prefix-first match
for eroutes. So you can have a 10.0.0.0/8 route to the central hub, and a 10.b.c.0/24
route using one tunnel on the leaf.

Paul
-- 

"At best it is a theory, at worst a fantasy" -- Michael Crichton
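The longest-prefix-first selection Paul describes is what lets a leaf carry one catch-all tunnel to the hub plus a few direct /24 tunnels to other leaves. The following is an added illustration of that selection rule, not Openswan or KLIPS code: it models an eroute table as (source selector, destination selector, tunnel) entries and picks the most specific match for a packet. The table lines, the tunnel labels (VPN1, PC2), and the leaf LAN 10.1.1.0/24 are constructed for the example; the tie-break of destination prefix length before source prefix length is an assumption made here for the simulation, not a statement about the KLIPS implementation.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Eroute:
    """One extruded route: a src/dst selector pair mapped to a tunnel endpoint."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    tunnel: str  # constructed label for the peer, e.g. "VPN1" (hub) or "PC2" (leaf)


def parse_eroute_table(lines: List[str]) -> List[Eroute]:
    """Parse constructed 'src -> dst => tunnel' lines (not the real `ipsec eroute` format)."""
    table: List[Eroute] = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        selectors, tunnel = line.split("=>")
        src, dst = selectors.split("->")
        table.append(
            Eroute(
                ipaddress.ip_network(src.strip(), strict=True),
                ipaddress.ip_network(dst.strip(), strict=True),
                tunnel.strip(),
            )
        )
    return table


def select_eroute(table: List[Eroute], src_ip: str, dst_ip: str) -> Optional[Eroute]:
    """Longest-prefix-first match: among entries whose selectors cover the packet,
    prefer the most specific destination, then the most specific source (assumed tie-break)."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    candidates = [e for e in table if src in e.src and dst in e.dst]
    if not candidates:
        return None  # no tunnel covers this flow; the packet would not be sent over IPsec
    return max(candidates, key=lambda e: (e.dst.prefixlen, e.src.prefixlen))


# Constructed eroute table for leaf PC1 (LAN 10.1.1.0/24), per Paul's hub-and-spoke layout:
# one /8 catch-all to the hub, one direct /24 to another leaf.
LEAF_TABLE = parse_eroute_table([
    "10.1.1.0/24 -> 10.0.0.0/8  => VPN1   # everything in 10/8 goes to the hub by default",
    "10.1.1.0/24 -> 10.2.5.0/24 => PC2    # except PC2's LAN, which has a direct tunnel",
])


def describe(src_ip: str, dst_ip: str) -> str:
    """Human-readable routing decision for a packet from src_ip to dst_ip."""
    hit = select_eroute(LEAF_TABLE, src_ip, dst_ip)
    return f"{src_ip} -> {dst_ip}: " + (f"tunnel to {hit.tunnel} via {hit.dst}" if hit else "no eroute")


if __name__ == "__main__":
    for flow in [("10.1.1.10", "10.2.5.20"),   # direct leaf-to-leaf tunnel wins (/24 beats /8)
                 ("10.1.1.10", "10.7.7.7"),    # falls back to the hub catch-all
                 ("10.1.1.10", "192.168.1.1"), # outside every selector
                 ("172.16.0.1", "10.7.7.7")]:  # source not in the leaf LAN selector
        print(describe(*flow))
```

Two things worth checking on a real leaf with this layout: the hub side needs its own per-leaf /24 entries (the /8 only exists at the leaf), and a destination on the leaf's own LAN also falls inside 10.0.0.0/8, so that local traffic must be kept off the IPsec interface by the kernel's more specific connected route rather than by the eroute table.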
