[Openswan Users] Multiple Tunnel Setup
Jeremy Mann
jmann at integracarehh.com
Fri Jul 29 09:11:09 CEST 2005
Can't do that, the gateway devices don't support Certs, only PSK.
Norman Rasmussen wrote:
>How about swapping from PSKs to Certs :-)
>
>That way you have a strong identifier for the remote end of the
>connection, no matter what its IP address is. (and a more secure
>network)
>
>On 26/07/05, Jeremy Mann <jmann at integracarehh.com> wrote:
>
>
>>I am limited on my public IP addresses, and would like some suggestions
>>on how to set up multiple incoming tunnels that share one IP address on
>>the openswan server. My biggest problem is that two of my sites are
>>fixed IP address, while one is dynamic DSL. Am I correct in assuming
>>that in the following config, if one of my fixed IP address sites sees a
>>connection related to its address, it will pick it up and never hit the
>>right=%any section? I ask because obviously I have my 192.168.191.x
>>netblock segmented for each remote site I have. How would I accomplish
>>this connection if I had more than one dynamic IP address host?
>>
>>ipsec.conf
>>version 2.0
>>config setup
>> nat_traversal=yes
>> forwardcontrol=yes
>>
>>conn fixed-ip-site1
>> right=A.B.C.D # this connection's static IP
>> rightsubnet=192.168.191.0/27
>> also=main-tunnel-config
>>
>>conn fixed-ip-site2
>> right=E.F.G.H # this connection's static IP
>> rightsubnet=192.168.191.192/27 # network address for the /27 (193 has host bits set)
>> also=main-tunnel-config
>>
>>conn dynamic-ip-site3
>> right=%any
>> rightsubnet=192.168.191.224/27
>> also=main-tunnel-config
>>
>>conn main-tunnel-config
>> left=216.158.I.J #my fixed IP address of the openswan server
>> leftsubnet=192.168.0.0/16
>> leftnexthop=216.158.I.K # my gateway
>> leftupdown="ipsec _updown2"
>> type=tunnel
>> authby=secret
>> pfs=no
>> auto=add
>> keyingtries=%forever
>> ikelifetime=8h
>>
>>
>>ipsec.secrets
>>
>>216.158.I.J A.B.C.D: PSK "key1"
>>216.158.I.J E.F.G.H: PSK "key2"
>>216.158.I.J %any: PSK "key3"
>>
>>Thanks for any help...
>>
>>Jeremy Mann
>>_______________________________________________
>>Users mailing list
>>Users at openswan.org
>>http://lists.openswan.org/mailman/listinfo/users
>>
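As an added, constructed example (not code from the thread or from Openswan): a small Python model of how a PSK responder with this shape of ipsec.conf picks a conn and a secrets line for an incoming peer, plus a check for a rightsubnet whose host bits are set (the sample keeps a deliberately misaligned 192.168.191.193/27 to show it). The "exact right= beats %any" and "most specific secrets line wins" rules are assumptions standing in for Openswan's real matching, and the addresses are documentation ranges replacing the A.B.C.D, E.F.G.H and 216.158.I.J placeholders.

```python
import ipaddress
import re

# Constructed stand-in for the posted ipsec.conf and ipsec.secrets; documentation
# addresses replace the A.B.C.D, E.F.G.H and 216.158.I.J placeholders.
LEFT = "192.0.2.1"
IPSEC_CONF = """conn fixed-ip-site1
 right=203.0.113.10
 rightsubnet=192.168.191.0/27
conn fixed-ip-site2
 right=198.51.100.20
 rightsubnet=192.168.191.193/27
conn dynamic-ip-site3
 right=%any
 rightsubnet=192.168.191.224/27"""
SECRETS = '''192.0.2.1 203.0.113.10: PSK "key1"
192.0.2.1 198.51.100.20: PSK "key2"
192.0.2.1 %any: PSK "key3"'''

def parse_conf(text):
    """Collect key=value lines under each 'conn NAME' header."""
    conns, cur = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("conn "):
            cur = conns.setdefault(line.split(None, 1)[1], {})
        elif "=" in line and cur is not None:
            key, val = line.split("=", 1)
            cur[key.strip()] = val.strip()
    return conns

def select_conn(conns, peer_ip):
    """Assumed responder rule: an exact right= match beats right=%any."""
    exact = [n for n, c in conns.items() if c.get("right") == peer_ip]
    wild = [n for n, c in conns.items() if c.get("right") == "%any"]
    return (exact or wild or [None])[0]

def select_psk(secrets, left, peer_ip):
    """Assumed secrets rule: the most specific matching line wins."""
    best = None
    for m in re.finditer(r'(\S+)\s+(\S+):\s+PSK\s+"([^"]*)"', secrets):
        if m.group(1) == left and m.group(2) in (peer_ip, "%any"):
            if best is None or m.group(2) != "%any":
                best = m.group(3)
    return best

def misaligned_subnets(conns):
    """rightsubnet values that name a host, not a network (the .193/27 slip)."""
    return [f"{n}: {c['rightsubnet']}" for n, c in conns.items()
            if ipaddress.ip_network(c["rightsubnet"], strict=False)
            .with_prefixlen != c["rightsubnet"]]
```

Two peers arriving from addresses that match no fixed conn both land on dynamic-ip-site3 with key3, which is the address-based limit behind the question about a second dynamic host.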