[Openswan Users] Multiple Tunnel Setup

Norman Rasmussen normanr at gmail.com
Fri Jul 29 18:25:41 CEST 2005


afaik, there's no other way to give each endpoint its own unique
identifier - which is required to do what you want to.

BTW: you only need to make your dynamic DSL use certs; the other two
static IPs can continue to use PSK.

On 29/07/05, Jeremy Mann <jmann at integracarehh.com> wrote:
> Can't do that, the gateway devices don't support Certs, only PSK.
> 
> Norman Rasmussen wrote:
> 
> >How about swapping from PSKs to Certs :-)
> >
> >>That way you have a strong identifier for the remote end of the
> >>connection, no matter what its IP address is.  (and a more secure
> >>network)
> >
> >On 26/07/05, Jeremy Mann <jmann at integracarehh.com> wrote:
> >
> >
> >>I am limited on my public IP addresses, and would like some suggestions
> >>on how to set up multiple incoming tunnels that share one IP address on
> >>the openswan server.  My biggest problem is that two of my sites have
> >>fixed IP addresses, while one is dynamic DSL. Am I correct in assuming
> >>that in the following config, if one of my fixed IP address sites sees a
> >>connection related to its address, it will pick it up and never hit the
> >>right=%any section?  I ask because obviously I have my 192.168.191.x
> >>netblock segmented for each remote site I have.  How would I accomplish
> >>this connection if I had more than one dynamic IP address host?
> >>
> >>ipsec.conf
> >>version 2.0
> >>config setup
> >>    nat_traversal=yes
> >>    forwardcontrol=yes
> >>
> >>conn fixed-ip-site1
> >>    right=A.B.C.D # this connection's static IP
> >>    rightsubnet=192.168.191.0/27
> >>    also=main-tunnel-config
> >>
> >>conn fixed-ip-site2
> >>    right=E.F.G.H # this connection's static IP
> >>    rightsubnet=192.168.191.192/27 # .193/27 is not a valid network address; the /27 containing .193 starts at .192
> >>    also=main-tunnel-config
> >>
> >>conn dynamic-ip-site3
> >>    right=%any # peer address unknown; matched against the %any PSK in ipsec.secrets
> >>    rightsubnet=192.168.191.224/27
> >>    also=main-tunnel-config
> >>
> >>conn main-tunnel-config # shared parameters, pulled in by also= above
> >>    left=216.158.I.J #my fixed IP address of the openswan server
> >>    leftsubnet=192.168.0.0/16
> >>    leftnexthop=216.158.I.K # my gateway
> >>    leftupdown="ipsec _updown2"
> >>    type=tunnel
> >>    authby=secret
> >>    pfs=no
> >>    auto=add
> >>    keyingtries=%forever
> >>    ikelifetime=8h
> >>
> >>
> >>ipsec.secrets
> >>
> >>216.158.I.J A.B.C.D: PSK "key1"
> >>216.158.I.J E.F.G.H: PSK "key2"
> >>216.158.I.J %any: PSK "key3"
> >>
> >>Thanks for any help...
> >>
> >>Jeremy Mann
> >>_______________________________________________
> >>Users mailing list
> >>Users at openswan.org
> >>http://lists.openswan.org/mailman/listinfo/users


-- 
- Norman Rasmussen
 - Email: norman at rasmussen.co.za
 - Home page: http://norman.rasmussen.co.za/
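The mixed setup recommended above (PSK for the two static peers, a certificate for the dynamic one), written out as an added Openswan 2.x ipsec.conf/ipsec.secrets example. It is not from the thread or from the Openswan project; the file names gwCert.pem, gwKey.pem and the distinguished names are placeholders, and the addresses are the ones used in the thread. What it shows: with IKEv1 Main Mode and PSK the responder has to pick the secret by the peer's source IP before it can decrypt the peer's ID, so every right=%any PSK peer necessarily shares the one `%any` secret and cannot be told apart; a certificate conn with right=%any is instead selected by the DN the peer presents (rightid), so a second dynamic site is simply another conn with its own rightid and rightsubnet.

```conf
# /etc/ipsec.conf  (Openswan 2.x, added example, not from the original post)
version 2.0

config setup
    nat_traversal=yes

# Parameters common to every conn; replaces the also=main-tunnel-config pattern.
conn %default
    left=216.158.I.J            # the single public IP of the openswan server
    leftsubnet=192.168.0.0/16
    leftnexthop=216.158.I.K
    type=tunnel
    pfs=no
    auto=add
    keyingtries=%forever
    ikelifetime=8h

# Static peers: PSK is acceptable here because the peer address is a
# stable identity and ipsec.secrets can hold a distinct key per address.
conn fixed-ip-site1
    right=A.B.C.D
    rightsubnet=192.168.191.0/27
    authby=secret

conn fixed-ip-site2
    right=E.F.G.H
    rightsubnet=192.168.191.192/27   # /27 boundary, not .193
    authby=secret

# Dynamic peer: right=%any plus RSA/X.509. The conn is chosen by the DN in
# the peer's certificate, so the peer's IP address no longer matters.
conn dynamic-ip-site3
    right=%any
    rightsubnet=192.168.191.224/27
    authby=rsasig
    leftcert=gwCert.pem                                  # /etc/ipsec.d/certs/gwCert.pem (assumed file name)
    leftrsasigkey=%cert
    leftid="C=US, O=Example, CN=gw.example.org"          # placeholder DN
    rightrsasigkey=%cert
    rightid="C=US, O=Example, CN=site3.example.org"      # placeholder DN
    rightca=%same                                        # peer cert must chain to the CA that issued ours

# A second dynamic site would be another conn like the one above with a
# different rightid and rightsubnet; with PSK that is not possible.

# /etc/ipsec.secrets
# Per-address PSKs for the static peers; the shared "%any" PSK is gone.
216.158.I.J A.B.C.D: PSK "key1"
216.158.I.J E.F.G.H: PSK "key2"
# Private key matching gwCert.pem, read from /etc/ipsec.d/private/ (assumed file name)
: RSA gwKey.pem "passphrase"
```

Leaving the `216.158.I.J %any: PSK "key3"` line out is deliberate: once the dynamic peer authenticates with a certificate, no secret should remain that any host on the Internet can try against the %any conn.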

