[Openswan Users] Routing on a bigger network
John A. Sullivan III
jsullivan at opensourcedevel.com
Mon Jan 31 12:47:52 CET 2005
Dave Stubbs wrote:
> John A. Sullivan III wrote:
>
>> Dave Stubbs wrote:
>>
>>> Hello all,
>>>
>>> I have the following setup:
>>>
>>>
>>> 10.151.169.32/27 --+ 10.151.137.32/27 --+-- router --
>>> 10.151.177.64/27 -------+
>>> 10.151.178.0/24 ---+ |
>>> 10.151.128.0/24 ---+ LinuxServer
>>> |
>>> VPN
>>> |
>>> 10.135.202.192/27 -+ LinuxServer
>>> 10.135.200.0/24 ---+ |
>>> 10.135.201.0/24 ---+-- router -- 10.135.202.224/27 ------+
>>> 10.135.203.224/27 -+
>>>
>>> The VPN is an OpenSWAN IPSec tunnel through the internet, and each
>>> immediate network at the end of the VPN is connected to lots of other
>>> networks via various methods. I've only shown 4 of them on each
>>> side, but there are actually many more. OpenSWAN works great for the
>>> two subnets immediately attached to the two Linux Servers, but I want
>>> to be able to have a machine on the 10.151.169.32/27 network able to
>>> connect to a machine on the 10.130.203.224/27 segment.
>>> The main group of networks at the top could be summarized as
>>> 10.151.0.0/16 and the bottom ones could be summarized as
>>> 10.135.0.0/16 but not necessary. There are plans to hook the top
>>> part to another whole pile - say, 10.148.0.0/16.
>>>
>>> It would be really nice to put OSPF on the two linux servers and have
>>> them propagate routes through the VPN, but I'm reading that this is
>>> not possible because OpenSWAN uses "policies", not "routes". Is
>>> there any example of how to do this?
>>> Thanks,
>>>
>>> Dave...
>>> _______________________________________________
>>> Users mailing list
>>> Users at openswan.org
>>> http://lists.openswan.org/mailman/listinfo/users
>>>
>> We are working on a project that will automatically create all the
>> various connection definitions for you when you define the direct and
>> indirectly connected networks on the gateway. Unfortunately, ISCS is
>> not ready yet (http://iscs.sourceforge.net). I do not know if any one
>> else has such an automated configurator available - John
>>
> That looks interesting, however, I don't mind working with text config
> files - I just can't find examples of how to do this type of connection.
>
> Another thing I'm wondering about - this whole limitation seems tied to
> the OpenSWAN design decision to not provide routable interfaces for
> VPNs. Many other types of VPNs do provide this (for instance, OpenVPN)
> - is there a rationale behind the decision not to do this with
> OpenSWAN? From what I can tell, it severely limits OpenSWAN's
> usefulness in larger setups.
>
> Dave...
>
It's pretty much as you have already indicated. You will need a
connection definition for every possible combination of networks behind
the two gateways.
I'm not sure of the rationale behind the non-routing virtual interfaces.
If I was to hazard a guess, I would guess that its predecessor,
FreeS/WAN antedates the netfilter hooks.
I am only just beginning to play with the 2.6 IPSec implementation. I
do not know if that will provide an easier solution for you. Other than
that, as far as I know, it is manual text files or an automated
configurator - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com
Financially sustainable open source development
http://www.opensourcedevel.com
More information about the Users
mailing list