[Openswan Users] Openswan 2.3 with multiple remote networks that are dynamic

Kristopher Lalletti klalletti at tmcsolutions.ca
Tue Jun 28 13:22:00 CEST 2005


Hello Paul,

Thanks for the prompt reply.

I was left under the impression that for receiving multiple leaf-nodes without knowing their IP address, it was required for me to use aggressive mode. I'm not the IPSEC expert; however, I think the protocol does not permit identifying the remote ID before an IPSEC session is established.

So far, after a bit of testing, it seems like you cannot have multiple tunnels defined in OpenSwan with right=%any and expect the proper association with the proper rightid=@someFQDN for IKE PSK authentication.

Is this the impression I'm getting?

So far, the possible scenarios I have eliminated:
- I can't use the classic Road-Warrior type (1 to many) IPSEC association, since each remote site has its own subnet, and I need to access the remote subnet when they are connected.

- I can't use the classic Net-to-Net type (many to many) IPSEC association, since the remote peer is dynamic.

- I can't use Certificates since the remote peers don't support X509 certs.

- I can't use RSASIG key signatures, since the remote peers don't support RSA signatures.

Which leaves possibly 3 scenarios:
- PSK with IKE peer IDs with aggressive mode (or main mode, if feasible).
- Replace the remote endpoints and use one of the previously excluded scenarios.
- Take the old VPN firewall server, put it in the DMZ, and call it a day.

Did I forget anything?

Kris

-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com] 
Sent: June 23, 2005 11:38 PM
To: Kristopher Lalletti
Cc: 'users at openswan.org'
Subject: Re: [Openswan Users] Openswan 2.3 with multiple remote networks that are dynamic

On Thu, 23 Jun 2005, Kristopher Lalletti wrote:

> I've got a particular network scenario which I wanted to validate and see if it's actually feasible. Essentially,
> we're talking about several remote networks terminated with IPSEC gateways whose IP address is dynamic. All
> these remote networks actively initiate a connection to connect to OpenSwan (central node) via Phase1-Aggressive mode
> with PSK and local/remote peer IDs.

I would definitely not recommend this scenario.
When connecting to an openswan server, aggressive mode should never be used. Use main mode instead.
Using dynamic IP with PSK is tricky. You will need to specify the proper IDs. I do not think this is
even possible combined with aggressive mode.

> I've got one to connect successfully, having my right=%any; however, when I start adding several tunnel/peer
> definitions in /etc/ipsec.conf, only the first peer declaration is used, and evidently, nothing works. Any
> suggestions to getting this scenario working would be greatly appreciated. So far, I'm thinking of having a remote
> trigger that would detect the remote peer IP address (via a web service), and re-write/update the ipsec.conf to
> substitute the %any with the remote peer IP, and reload that connection definition. But, there must be a more elegant
> solution than that!

Clearly, that is not the way to go.
Instead, check what features your leaf-node IPsec devices have, and use them to create roadwarrior-type setups.

Paul
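The protocol-level reason behind the "only the first peer declaration is used" symptom discussed above, as an added toy model that is not part of the thread and not Openswan code: in IKEv1 main mode (RFC 2409) SKEYID is derived from the pre-shared key before the ID payloads are seen, so a responder facing a dynamic peer has only its address (here, nothing but %any) to pick a secret with. The secret tables, nonces, branch names and the 203.0.113.7 address are constructed for the example.

```python
# Added example, not from the thread: a toy model of IKEv1 Phase 1 key ordering
# (RFC 2409) showing why a responder with right=%any and PSK cannot keep one secret
# per dynamic peer in main mode. Secret tables, nonces and names are constructed.
import hashlib
import hmac
import os
from typing import Optional

def prf(key: bytes, data: bytes) -> bytes:
    """RFC 2409 prf: HMAC under the negotiated hash (SHA-1 here)."""
    return hmac.new(key, data, hashlib.sha1).digest()

def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """SKEYID = prf(pre-shared-key, Ni_b | Nr_b): the PSK is needed as soon as the
    nonces are exchanged, which in main mode is before any ID payload is seen."""
    return prf(psk, ni + nr)

def responder_psk(secrets: dict, mode: str, peer_ip: str, peer_id: str) -> Optional[bytes]:
    """Pick the PSK the responder can use at the moment SKEYID must be computed.
    main mode:       IDs arrive encrypted in messages 5/6, so only the source address
                     is known; a dynamic peer can only match an address entry or %any.
    aggressive mode: IDi is in message 1, so an ID-keyed entry can be chosen, but that
                     ID and the PSK-derived hash then travel unencrypted (one reason
                     the list discourages aggressive mode)."""
    if mode == "aggressive":
        return secrets.get(peer_id) or secrets.get("%any")
    return secrets.get(peer_ip) or secrets.get("%any")

def phase1_ok(secrets: dict, mode: str, peer_ip: str, peer_id: str, peer_psk: bytes) -> bool:
    """Both sides derive SKEYID; if the responder picked a different PSK (or none),
    the HASH_I/HASH_R verification fails and Phase 1 never completes."""
    ni, nr = os.urandom(16), os.urandom(16)
    rpsk = responder_psk(secrets, mode, peer_ip, peer_id)
    if rpsk is None:
        return False
    return hmac.compare_digest(skeyid_psk(rpsk, ni, nr), skeyid_psk(peer_psk, ni, nr))

# Table 1: one secret per branch, keyed by FQDN ID (what the original post hoped for).
PER_PEER = {"@branch1.example.com": b"key-one", "@branch2.example.com": b"key-two"}
# Table 2: one secret shared by every dynamic peer, the only entry main mode can reach.
SHARED = {"%any": b"shared-key"}

if __name__ == "__main__":
    for name, table, psk in (("per-peer", PER_PEER, b"key-two"), ("shared", SHARED, b"shared-key")):
        for mode in ("main", "aggressive"):
            print(name, mode, phase1_ok(table, mode, "203.0.113.7", "@branch2.example.com", psk))
```

With the per-peer table, main mode fails for every branch while aggressive mode succeeds, which is exactly the trade-off the thread turns on; with the shared table, main mode works and the branches are told apart only afterwards by their ID.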
