[Openswan Users] Routing Between VPNs

James Crow james at ultratans.com
Thu Feb 23 11:32:19 CET 2006


On Wednesday 22 February 2006 16:28, Paul Wouters wrote:
> On Wed, 22 Feb 2006, James Crow wrote:
> >   I now have a need to connect ~15 remote users who will need to connect
> > to the central LAN (where Openswan sits) and the remote LANs. Because
> > these 15 new users will all be connecting from dynamic IPs I wanted to
> > use something other than IPSec VPNs.
>
> Why do you want something other than IPsec VPNs?
IPsec VPNs with Win2k (and XP) in road warrior can be a little difficult for 
the user. If I use PSK then all users must have the same pass phrase. If I 
use X.509 then the users must import the keys. Once I have the tunnel it 
appears as though I have to contend with L2TP to easily route traffic over 
the VPN.

  With OpenVPN when the user connects they have a virtual interface with an IP 
that I assign from the server. I can also push routes through to the Windows 
boxes.

  The install for OpenVPN is a single Windows installer and then a couple of 
config files that must be copied. 
>
> >   I installed OpenVPN (SSL VPN product) on the Openswan box and can
> > connect to the Openswan box through this VPN.
> >
> >   Can I use this setup to route traffic coming in on the OpenVPN to the
> > Openswan box and then out to the remote LANs?
>
> As long as you have ipsec tunnels covering the source-destination
> combinations of IP addresses, it does not matter whether these packets
> come from local machines, or openvpn connected ones. That said, I have
> never combined the two on a single box.
>
> Paul

Here are the changes I made (and it is working):

On the IPsec tunnel I changed the config (leftsubnet in Openswan and the 
remote network in SonicWALL) to have the network 10.1.1.0/24. (The Openswan 
server has IP 10.1.1.1/25.) My OpenVPN server has IP 10.1.1.130/25 and assigns 
IPs 10.1.1.131 - 10.1.1.254.

When a client connects over OpenVPN they have three routes passed:
192.168.96.0 255.255.224.0
192.168.128.0 255.255.224.0
10.1.1.0 255.255.255.128
All three routes have the gateway as the OpenVPN server.

 The SonicWALLs see the IP of OpenVPN clients and route traffic to the 
Openswan box which knows how to route the traffic to the OpenVPN client. 

  The OpenVPN clients have static routes to all the SonicWALL sites that route 
through the Openswan box.

Everything is up and working.

Thanks to Paul and the others who replied off list.

Thanks,
James

-- 
James Crow
IT Manager
ULTRATAN, Inc.
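
Paul's condition, that the IPsec tunnels must cover every source-destination combination, can be checked mechanically. The following is an added example, not part of the original message: it uses the addresses quoted above, while the pre-change leftsubnet of 10.1.1.0/25, the one-tunnel-per-pushed-route rightsubnet values and all function names are assumptions made for illustration.

```python
import ipaddress as ip


def pool_networks(first, last):
    """Collapse an address range (such as an OpenVPN pool) into CIDR blocks."""
    return list(ip.summarize_address_range(ip.ip_address(first),
                                           ip.ip_address(last)))


def uncovered_flows(tunnels, sources, destinations):
    """Return the (src, dst) pairs that no tunnel's selectors cover.

    tunnels: list of (leftsubnet, rightsubnet) strings. A flow is covered
    only when src lies inside leftsubnet AND dst lies inside rightsubnet
    of the same tunnel; anything else never enters an IPsec SA.
    """
    selectors = [(ip.ip_network(l), ip.ip_network(r)) for l, r in tunnels]
    missing = []
    for src in sources:
        for dst in destinations:
            if not any(src.subnet_of(l) and dst.subnet_of(r)
                       for l, r in selectors):
                missing.append((str(src), str(dst)))
    return missing


# From the message: OpenVPN pool and the remote networks pushed to clients.
POOL = pool_networks("10.1.1.131", "10.1.1.254")
REMOTE = [ip.ip_network("192.168.96.0/255.255.224.0"),
          ip.ip_network("192.168.128.0/255.255.224.0")]
# The Openswan LAN half that holds 10.1.1.1/25.
LAN = [ip.ip_network("10.1.1.0/25")]

# Assumption: one tunnel per pushed route, rightsubnet equal to that route.
# Assumption: before the change, leftsubnet matched the /25 LAN only.
BEFORE = [("10.1.1.0/25", str(r)) for r in REMOTE]
# From the message: leftsubnet widened to 10.1.1.0/24.
AFTER = [("10.1.1.0/24", str(r)) for r in REMOTE]

if __name__ == "__main__":
    for label, tunnels in (("leftsubnet /25", BEFORE), ("leftsubnet /24", AFTER)):
        gaps = uncovered_flows(tunnels, POOL + LAN, REMOTE)
        print(f"{label}: {len(gaps)} uncovered flow(s)")
        for src, dst in gaps[:3]:
            print(f"  {src} -> {dst} matches no tunnel")
```

Running the same check with the real per-site rightsubnet values shows whether any OpenVPN client address would reach a remote LAN outside a tunnel.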

