[Openswan Users] Problem with vpn network

Nicole.Haehnel nicole.haehnel at gmx.net
Tue Jan 25 09:26:09 CET 2005


Hi,

I can update my ips with dyndns.org.
I'll try this...

But I have still the problem with the dsl router.
Do I need nat-t to get it working right?
I don't see any errors in both openswan logfiles.
The tunnel is up and working, but after a few hours or days no packets 
go through the tunnel.
Restarting ipsec and the router does not help.


Thanks!

Nicole


Paul Wouters wrote:

> On Fri, 21 Jan 2005, Nicole.Haehnel wrote:
>
>> We have 4 vpnservers with static ips (VPN1 - VPN4) and about 6 
>> vpnservers (PC1 - PC6) with dynamic ips connected over dsl.
>
>
> Great :)
>
>> The problem is the dynamic ips, which I don't know how to connect to.
>
>
> Can this not be solved with WINS or AD (hostname in dns through 
> dynamic update)?
>
>> Now I have the problem that connections were completely lost or
>> "ipsec look" says the tunnel is still there but I can't send any 
>> packet, no ping or anything else is going through the tunnel.
>> And it's mostly on VPN1.
>> Maybe too many tunnels on VPN1?
>
>
> That should not matter.
>
>> We also have one server behind a dsl router with vpn passthrough 
>> function. There are two tunnels to VPN1 with different networks.
>> Tunnels working, but after a few hours I can't ping, although the 
>> tunnels are up.
>> Is it because of the dsl router?
>
>
> I doubt it, but it is possible the router does something wrong. But it 
> would show up in the openswan logs as an error.
>
>> How can I build our vpn network better or with fewer tunnels?
>
>
> I can't really tell from this description. But it seems using WINS or 
> AD should fix the problem of not knowing which IP a machine has, and 
> then you wouldn't need as many tunnels if I understand you correctly.
>
>> Maybe only one tunnel from PC1 - PC6 to VPN1 - VPN4 and then with 
>> routing entries to the other locations.
>> Do I need ipsec eroute to do that?
>
>
> Yes, you can only do this with KLIPS, since it uses a longest prefix 
> first match for eroutes. So you can have a 10.0.0.0/8 to the central 
> hub, and a 10.b.c.0/24 using one tunnel on the leaf.
>
> Paul

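To illustrate the longest-prefix-first eroute matching Paul describes (a broad /8 eroute to the hub alongside a narrower /24 eroute to one leaf), here is an added example that is not part of the thread and not Openswan or KLIPS code; the eroute table, tunnel labels and addresses are constructed for the illustration.

```python
import ipaddress

# Constructed eroute table modelled on the hub-and-spoke layout in the
# thread: one broad eroute sends everything in 10.0.0.0/8 to the central
# hub (VPN1), and one narrower eroute reaches a leaf (PC2) directly.
# Prefixes and tunnel names are examples, not real configuration.
EROUTES = [
    ("10.0.0.0/8", "tunnel-to-hub (VPN1)"),
    ("10.20.30.0/24", "tunnel-to-leaf (PC2)"),
]


def select_eroute_longest_prefix(dst, table=EROUTES):
    """KLIPS-style selection: the most specific eroute covering dst wins.
    Returns (prefix, tunnel) or None when no eroute covers dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, tunnel in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, tunnel)
    return (str(best[0]), best[1]) if best else None


def select_eroute_first_match(dst, table=EROUTES):
    """Contrast case: plain first-match in table order. With the /8 listed
    first, the /24 leaf eroute is never chosen, which is why the thread
    says the overlapping-subnet layout needs longest-prefix matching."""
    addr = ipaddress.ip_address(dst)
    for prefix, tunnel in table:
        if addr in ipaddress.ip_network(prefix):
            return (prefix, tunnel)
    return None
```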