[Openswan Users] Routing on a bigger network

John A. Sullivan III jsullivan at opensourcedevel.com
Mon Jan 31 12:45:25 CET 2005


Dave Stubbs wrote:
> John A. Sullivan III wrote:
> 
>> Dave Stubbs wrote:
>>
>>> Hello all,
>>>
>>> I have the following setup:
>>>
>>>
>>> 10.151.169.32/27 --+ 10.151.137.32/27 --+-- router -- 
>>> 10.151.177.64/27 -------+
>>> 10.151.178.0/24 ---+                                     |
>>> 10.151.128.0/24 ---+                                 LinuxServer
>>>                                                         |
>>>                                                        VPN
>>>                                                         |
>>> 10.135.202.192/27 -+                                 LinuxServer
>>> 10.135.200.0/24 ---+                                     |
>>> 10.135.201.0/24 ---+-- router -- 10.135.202.224/27 ------+
>>> 10.135.203.224/27 -+
>>>
>>> The VPN is an OpenSWAN IPSec tunnel through the internet, and each 
>>> immediate network at the end of the VPN is connected to lots of other 
>>> networks via various methods.  I've only shown 4 of them on each 
>>> side, but there are actually many more.  OpenSWAN works great for the 
>>> two subnets immediately attached to the two Linux Servers, but I want 
>>> to be able to have a machine on the 10.151.169.32/27 network able to 
>>> connect to a machine on the 10.130.203.224/27 segment.
>>> The main group of networks at the top could be summarized as 
>>> 10.151.0.0/16 and the bottom ones could be summarized as 
>>> 10.135.0.0/16 but not necessary.  There are plans to hook the top 
>>> part to another whole pile - say, 10.148.0.0/16.
>>>
>>> It would be really nice to put OSPF on the two linux servers and have 
>>> them propagate routes through the VPN, but I'm reading that this is 
>>> not possible because OpenSWAN uses "policies", not "routes".  Is 
>>> there any example of how to do this?
>>> Thanks,
>>>
>>> Dave...
>>> _______________________________________________
>>> Users mailing list
>>> Users at openswan.org
>>> http://lists.openswan.org/mailman/listinfo/users
>>>
>> We are working on a project that will automatically create all the 
>> various connection definitions for you when you define the direct and 
>> indirectly connected networks on the gateway.  Unfortunately, ISCS is 
>> not ready yet (http://iscs.sourceforge.net).  I do not know if anyone 
>> else has such an automated configurator available - John
>>
> That looks interesting, however, I don't mind working with text config 
> files - I just can't find examples of how to do this type of connection.
> 
> Another thing I'm wondering about - this whole limitation seems tied to 
> the OpenSWAN design decision to not provide routable interfaces for 
> VPNs.  Many other types of VPNs do provide this (for instance, OpenVPN) 
> - is there a rationale behind the decision not to do this with 
> OpenSWAN?  From what I can tell, it severely limits OpenSWAN's 
> usefulness in larger setups.
> 
> Dave...
> 
It's pretty much as you have already indicated.  You will need a 
connection definition for every possible combination of networks behind 
the two gateways.

I'm not sure of the rationale behind the non-routing virtual interfaces. 
If I were to hazard a guess, I would guess that its predecessor, 
FreeS/WAN, antedates the netfilter hooks.

I am only just beginning to play with the 2.6 IPSec implementation.  I 
do not know if that will provide an easier solution for you.  Other than 
that, as far as I know, it is manual text files or an automated 
configurator - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

Financially sustainable open source development
http://www.opensourcedevel.com
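The "one connection definition per pair of networks" requirement above is mechanical enough to script. The following generator is an added example, not code from the thread or from the Openswan project: it takes the subnets drawn in Dave's diagram, refuses overlapping left/right pairs (which would make the policies' traffic selectors ambiguous), and emits an ipsec.conf stanza for every combination, sharing the gateway settings through an also= template. The gateway addresses, the conn names and the use of authby=secret are constructed assumptions.

```python
import ipaddress
from itertools import product

# Constructed sample input: the subnets drawn in the thread's diagram.
LEFT_NETS = ["10.151.169.32/27", "10.151.177.64/27",
             "10.151.178.0/24", "10.151.128.0/24"]
RIGHT_NETS = ["10.135.202.192/27", "10.135.200.0/24",
              "10.135.201.0/24", "10.135.203.224/27"]

# Shared gateway settings; addresses are placeholders from RFC 5737 ranges.
COMMON = """conn gw-common
    left=192.0.2.1
    right=203.0.113.1
    authby=secret
    type=tunnel
    auto=start
"""


def _parse(cidrs):
    # strict=True rejects host bits set in a network, e.g. 10.151.169.33/27.
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def check_disjoint(left, right):
    """A left network overlapping a right network would give two policies
    ambiguous traffic selectors, so refuse such input up front."""
    for l, r in product(left, right):
        if l.overlaps(r):
            raise ValueError(f"left {l} overlaps right {r}")


def conn_name(l, r):
    # Dots and slashes swapped for dashes so the conn name is a plain token.
    return f"{l}_to_{r}".replace(".", "-").replace("/", "-")


def generate_conns(left_cidrs, right_cidrs):
    """Return one stanza per (left, right) subnet pair: N*M stanzas in total."""
    left, right = _parse(left_cidrs), _parse(right_cidrs)
    check_disjoint(left, right)
    return [
        f"conn {conn_name(l, r)}\n"
        f"    leftsubnet={l}\n"
        f"    rightsubnet={r}\n"
        f"    also=gw-common\n"  # pulls in the shared gateway settings above
        for l, r in product(left, right)
    ]


def render_config(left_cidrs, right_cidrs):
    return COMMON + "\n" + "\n".join(generate_conns(left_cidrs, right_cidrs))


if __name__ == "__main__":
    print(render_config(LEFT_NETS, RIGHT_NETS))
```

With the four networks on each side this yields sixteen stanzas; adding a fifth network on either side adds four more, which is the growth the thread is complaining about.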
