[Openswan Users] ipsec & multicast over gre

jarek jarek_z at localhost
Tue Oct 4 17:58:08 CEST 2005


Am Dienstag, den 04.10.2005, 10:26 -0400 schrieb Michael Jurney:
> Paul Wouters wrote:
> 
> >
> > Yup. Ken did a talk about enterprise VPN's at Linux Kongress in 2003:
> >
> >     http://www.xelerance.com/talks/lk2003/
> 
> 
> Thank you for the pointer.  There's one thing I'm not sure of, though:  
> Am I setting up a tunnel between the inside and outside interfaces of 
> each gateway, between the inside interfaces of both gateways, or between 
> the outside interfaces of both gateways?
> 
> Given:
>                         openswan1
>                   ----------------------
> {172.16.32.0/24}--| (eth1) 172.16.32.1 | 
>                   | 10.1.1.100 (eth0)  |--+
>                   ----------------------  |
>                                           |
>                                           {untrusted network}
>                        openswan2          |
>                  ---------------------    |
>                  | 10.2.2.100 (eth0) |----+
> {172.16.8.0/24}--| (eth1) 172.16.8.1 |
>                  ---------------------
> 
> I want broadcast traffic from 172.16.32.0/24 entering eth1 on openswan1 
> to emit from eth1 on openswan2 onto the segment for 172.16.8.0/24 (and 
> vice-versa).
> 
> Is there:
> 
> one gre tunnel between 10.1.1.100 and 10.2.2.100
> one gre tunnel between 172.16.32.1 and 172.16.8.1
> two gre tunnels, one between 172.16.32.1 and 10.1.1.100, and another 
> between 172.16.8.1 and 10.2.2.100?

you need one tunnel between the inner interfaces (LANs) of the gateways.

tunnel0 at NONE: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 16236 qdisc noqueue
    link/gre 192.168.200.222 peer 192.168.0.146
    inet 10.12.2.1/32 scope global tunnel0

the tunnel then needs an ip address which you can set up with the ifconfig
or ip command.

Issue following commands:

on openswan1:
------------------------------------------------------------------
modprobe ip_gre
ip tunnel add tunnel0 mode gre local 172.16.32.1 remote 172.16.8.1
ifconfig tunnel0 up 172.25.0.2 netmask 255.255.255.252
------------------------------------------------------------------

on openswan2:
------------------------------------------------------------------
modprobe ip_gre
ip tunnel add tunnel0 mode gre local 172.16.8.1 remote 172.16.32.1
ifconfig tunnel0 up 172.25.0.1 netmask 255.255.255.252
------------------------------------------------------------------

Furthermore you have to configure ipsec for a host-to-host connection
e.g.
on openswan1: leftsubnet=172.16.32.1/32
and on openswan2: leftsubnet=172.16.8.1/32

finally add routes to your remote nets via the tunnel device or via the
ip address of the tunnel device

or maybe you would like to do this with an ipcop and dynamic routing?
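The whole procedure from the reply above, as an added example that is not code from the thread or from the Openswan project: a POSIX shell script that derives both gateways' GRE commands and the Openswan conn stanza from the addresses in Michael's diagram, and checks that the two /32s the conn protects are exactly the GRE endpoints (if they are not, the GRE packets, and the broadcasts inside them, leave eth0 unencrypted). The tunnel /30 (172.25.0.0/30) is the reply's; everything else is an assumption of mine: the conn name gre-lan-bridge, authby=secret with the PSK kept in /etc/ipsec.secrets, ttl 64 on the tunnel, the script name, and the leftprotoport/rightprotoport=47 lines that pin the SA to GRE (IP protocol 47), which you can drop if your Openswan version rejects them. It uses ip addr add where the reply uses ifconfig; the two are equivalent.

```shell
#!/bin/sh
# Added example, not code from the thread: generate the GRE-over-IPsec setup
# for one gateway from the addresses in the diagram above.  Dry-run by default;
# the word "apply" as second argument executes the generated commands (run as
# root on the gateway itself).
#
# Assumptions (not from the thread): conn name, authby=secret, ttl 64, and the
# leftprotoport/rightprotoport=47 lines that pin the SA to GRE (protocol 47).

# Addresses from the diagram; the /30 for tunnel0 comes from the reply.
OSW1_OUT=10.1.1.100; OSW1_IN=172.16.32.1; OSW1_LAN=172.16.32.0/24; OSW1_TUN=172.25.0.2
OSW2_OUT=10.2.2.100; OSW2_IN=172.16.8.1;  OSW2_LAN=172.16.8.0/24;  OSW2_TUN=172.25.0.1

# gre_commands openswan1|openswan2: print the GRE tunnel and route commands for
# that gateway.  The GRE endpoints are the INNER interfaces (eth1), so the IPsec
# host-to-host SA between those two /32s wraps every GRE packet.
gre_commands() {
    case "$1" in
        openswan1) me=$OSW1_IN; peer=$OSW2_IN; tun=$OSW1_TUN; far_lan=$OSW2_LAN ;;
        openswan2) me=$OSW2_IN; peer=$OSW1_IN; tun=$OSW2_TUN; far_lan=$OSW1_LAN ;;
        *) echo "usage: gre_commands openswan1|openswan2" >&2; return 1 ;;
    esac
    printf 'modprobe ip_gre\n'
    printf 'ip tunnel add tunnel0 mode gre local %s remote %s ttl 64\n' "$me" "$peer"
    # Same as the reply's "ifconfig tunnel0 up ... netmask 255.255.255.252".
    printf 'ip addr add %s/30 dev tunnel0\n' "$tun"
    printf 'ip link set tunnel0 up multicast on\n'
    # The remote LAN is reachable only through the tunnel device.
    printf 'ip route add %s dev tunnel0\n' "$far_lan"
}

# ipsec_conn: one conn stanza, used unchanged on BOTH gateways (pluto decides
# which side is "left" by matching its own address).  Only the two inner /32s
# are protected, which is exactly the GRE outer header.
# The PSK belongs in /etc/ipsec.secrets as:  10.1.1.100 10.2.2.100 : PSK "<placeholder>"
ipsec_conn() {
    cat <<EOF
conn gre-lan-bridge
    type=tunnel
    left=$OSW1_OUT
    leftsubnet=$OSW1_IN/32
    leftprotoport=47
    right=$OSW2_OUT
    rightsubnet=$OSW2_IN/32
    rightprotoport=47
    authby=secret
    auto=start
EOF
}

# check_consistency: the addresses the conn protects must be exactly the GRE
# endpoints; any mismatch means GRE (and the broadcasts inside it) crosses the
# untrusted network in clear.  Returns 0 when they match.
check_consistency() {
    gre=$(gre_commands openswan1 | sed -n 's/.*local \([0-9.]*\) remote \([0-9.]*\).*/\1 \2/p')
    l=$(ipsec_conn | sed -n 's#^ *leftsubnet=\([0-9.]*\)/32$#\1#p')
    r=$(ipsec_conn | sed -n 's#^ *rightsubnet=\([0-9.]*\)/32$#\1#p')
    [ "$gre" = "$l $r" ]
}

# Usage: sh gre-over-ipsec.sh openswan1|openswan2 [apply]
if [ -n "${1:-}" ]; then
    check_consistency || { echo "conn does not cover the GRE endpoints" >&2; exit 1; }
    gre_commands "$1"
    echo
    ipsec_conn
    if [ "${2:-}" = apply ]; then
        gre_commands "$1" | sh -e
    fi
fi
```

Run it once per gateway with the matching role name and put the printed conn stanza, identical on both sides, into ipsec.conf; the route line goes last so that the remote LAN is never routed out of eth0 directly.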