[Openswan Users] Multiple Tunnel Setup
Norman Rasmussen
normanr at gmail.com
Tue Jul 26 19:37:48 CEST 2005
How about swapping from PSKs to Certs :-)
That way you have a strong identifier for the remote end of the
connection, no matter what its IP address is. (and a more secure
network)
On 26/07/05, Jeremy Mann <jmann at integracarehh.com> wrote:
> I am limited on my public IP addresses, and would like some suggestions
> on how to set up multiple incoming tunnels that share one IP address on
> the openswan server. My biggest problem is that two of my sites are
> fixed IP address, while one is dynamic DSL. Am I correct in assuming
> that in the following config, if one of my fixed IP address sites sees a
> connection related to its address, it will pick it up and never hit the
> right=%any section? I ask because obviously I have my 192.168.191.x
> netblock segmented for each remote site I have. How would I accomplish
> this connection if I had more than one dynamic IP address host?
>
> ipsec.conf
> version 2.0
> config setup
>     nat_traversal=yes
>     forwardcontrol=yes
>
> conn fixed-ip-site1
>     right=A.B.C.D # this connection's static IP
>     rightsubnet=192.168.191.0/27
>     also=main-tunnel-config
>
> conn fixed-ip-site2
>     right=E.F.G.H # this connection's static IP
>     rightsubnet=192.168.191.193/27
>     also=main-tunnel-config
>
> conn dynamic-ip-site3
>     right=%any
>     rightsubnet=192.168.191.224/27
>     also=main-tunnel-config
>
> conn main-tunnel-config
>     left=216.158.I.J # my fixed IP address of the openswan server
>     leftsubnet=192.168.0.0/16
>     leftnexthop=216.158.I.K # my gateway
>     leftupdown="ipsec _updown2"
>     type=tunnel
>     authby=secret
>     pfs=no
>     auto=add
>     keyingtries=%forever
>     ikelifetime=8h
>
>
> ipsec.secrets
>
> 216.158.I.J A.B.C.D: PSK "key1"
> 216.158.I.J E.F.G.H: PSK "key2"
> 216.158.I.J %any: PSK "key3"
>
> Thanks for any help...
>
> Jeremy Mann
--
- Norman Rasmussen
- Email: norman at rasmussen.co.za
- Home page: http://norman.rasmussen.co.za/
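
The certificate-based setup suggested in the reply, written out for the gateway side as an added example that is not part of the original thread. The certificate and key file names, the distinguished names, the passphrase, and the second dynamic site (dynamic-ip-site4 and its subnet) are constructed for illustration; addresses and the site3 subnet are the placeholders from the quoted config.

```conf
# /etc/ipsec.conf on the Openswan gateway (added example)
version 2.0

config setup
    nat_traversal=yes

# Each dynamic site keeps right=%any; the peer is selected by the
# subject DN of the certificate it presents, not by its source address.
conn dynamic-ip-site3
    right=%any
    # constructed DN
    rightid="C=US, O=Example Org, CN=site3.example.org"
    rightsubnet=192.168.191.224/27
    also=main-tunnel-config

conn dynamic-ip-site4
    right=%any
    # constructed DN and subnet for a second dynamic site
    rightid="C=US, O=Example Org, CN=site4.example.org"
    rightsubnet=192.168.191.128/27
    also=main-tunnel-config

conn main-tunnel-config
    left=216.158.I.J
    leftsubnet=192.168.0.0/16
    leftnexthop=216.158.I.K
    # gateway certificate, stored under /etc/ipsec.d/certs/ (constructed name)
    leftcert=gateway-cert.pem
    # take both public keys from the certificates exchanged in IKE
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    # replaces authby=secret
    authby=rsasig
    type=tunnel
    auto=add

# /etc/ipsec.secrets on the gateway
# The per-peer and %any PSK lines are replaced by one private-key entry;
# the key file lives under /etc/ipsec.d/private/ (constructed name).
: RSA gateway-key.pem "constructed-passphrase"
```

The issuing CA certificate goes in /etc/ipsec.d/cacerts/ on every endpoint, and the remaining options from the quoted main-tunnel-config carry over unchanged.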