[Openswan Users] openswan multiple subnets

Peter McGill petermcgill at goco.net
Fri Feb 3 10:01:01 CET 2006 

> In an openswan config does anyone know whether you can have...
> leftsubnet=192.168.2.0/24,192.168.4.0/24
> i.e. define multiple subnets on the subnet line?

I'm pretty sure the answer to that is no.
However, you can accomplish the same thing, multiple subnets,
easily by defining multiple conn's between the same hosts.

When doing this, I prefer not to repeat all the information.
So I define a shared conn for all the shared information,
then more conn's for the separate subnet info that include
the shared conn via also= and alsoflip= like this:

conn stmarys-office-net-to-london-office-net
        also=stmarys-office
        leftsubnet=172.21.1.0/24
        alsoflip=london-office
        rightsubnet=172.21.0.0/16
        auto=start

conn stmarys-office-net-to-london-office-server
        also=stmarys-office
        leftsubnet=172.21.1.0/24
        alsoflip=london-office
        auto=start

conn stmarys-office-server-to-london-office-net
        also=stmarys-office
        alsoflip=london-office
        rightsubnet=172.21.0.0/16
        auto=start

conn stmarys-office-server-to-london-office-server
        also=stmarys-office
        alsoflip=london-office
        auto=start

conn paris-office-net-to-stmarys-office-net
        also=stmarys-office
        leftsubnet=172.21.1.0/24
        alsoflip=paris-office
        rightsubnet=172.21.13.0/24
        auto=start

etc...

conn london-office
        left=...<london public ip>...
        leftnexthop=%defaultroute
        leftid=@sheridan.london.goco.net
        leftrsasigkey=...<london public key>...

conn stmarys-office
        left=...<stmarys public ip>...
        leftnexthop=%defaultroute
        leftid=@delenn.stmarys.goco.net
        leftrsasigkey=...<stmarys public key>...

conn paris-office
        left=...<paris public ip>...
        leftnexthop=%defaultroute
        leftid=@sinclair.paris.goco.net
        leftrsasigkey=...<paris public key>...

etc...

This way with my 6 separate offices, they can share
almost the same config file, with very little changes.
If I need to update the key's or ip's then I just recopy the
bottom of the config to all the offices, since it doesn't change.


Peter McGill
Software Developer / Network Administrator
Gra Ham Energy Limited

More information about the Users mailing list