[Openswan Users] A more complex set of IPSEC tunnels

Greg Scott GregScott at InfraSupportEtc.com
Fri Jul 28 02:18:15 CEST 2006

I am setting up a modified star config with 8 sites, but with IPSEC
tunnels instead of traditional frame/T1 circuits.  I'll name the sites A
through H.  Site A is in the middle and will have tunnels to all the
other sites.  So there will be tunnels A-B, A-C, A-D, and so on.
Depending on usage patterns, I will also set up tunnels between other
sites to make the network a partial mesh.  For example - if site B needs
to communicate frequently with site E, I could set up B-E and E-B tunnels.
So the network will end up being a partial mesh.

Site A, the middle site, is split into two subnets - 10.44.1.nnn and
10.13.1.nnn.  Site B has one subnet, 10.15.1.nnn.  I am running a proof
of concept linking the 10.13.1.nnn LAN at site A with an IPSEC tunnel to
site B and it performs very well.

I am trying to figure out some things:
1 - How to route 10.44.1.nnn thru 10.13.nnn in site A across the IPSEC
tunnel to site B
2 - The best way, in general, to route from any site through site A to
any other site.
3 - The best way to dynamically calculate routes when I set up
additional IPSEC tunnels, making the network a partial mesh.

For (1) - I already have IPSEC tunnels linking 10.13.1.nnn at site A
with 10.15.1.nnn at site B.  Does it make the most sense to just set up
another set of IPSEC tunnels linking 10.44.1.nnn with 10.15.nnn?

For (3), I am guessing I want to set up a routing protocol such as OSPF
using quagga?  Or would static routes with appropriate metrics be OK?

I've been reading about setting up GRE tunnels over IPSEC and trying to
understand how this makes life better and I don't get it.  Page 260 of
Paul Wouters' Openswan book discusses setting up GRE tunnels to reduce
the number of IPSEC tunnels.  So in my case - let's say I want to
"directly" connect sites D and E without routing through A.  (I know it
isn't really direct because it's a tunnel.)  Would I set up D-E and E-D
GRE tunnels?  But that doesn't make sense because I wouldn't have
encryption for D-E traffic.  I would want IPSEC tunnels between D and E.
How do GRE tunnels fit in?  How do GRE tunnels reduce the number of
IPSEC tunnels?

Let's say both F and G have a bunch of subnets behind their gateways.
In my case they don't, but let's say they do.  Is this where GRE tunnels
come in?  So I would do IPSEC F-G and G-F tunnels and then GRE on
top of that and route all the subnets on both sides through the GRE

There is also a new set of ip xfrm commands and it looks like these
commands allow me to set some sort of policy about what goes through
IPSEC tunnels and what doesn't.  But this is different from OE policies
- this looks like some sort of routing policy?  These might be useful
with my 10.44.1.nnn routing challenge.   I have studied everything I can find
but have not been able to find any documentation on what ip xfrm is all
about or how to use it or if it is relevant.  Any documentation

- Greg Scott
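An added example, not from this post or the Openswan project, of the two approaches the post asks about, written as an Openswan ipsec.conf fragment: a second subnet-to-subnet conn for 10.44.1.0/24 (question 1) beside the existing 10.13.1.0/24 one, and a single GRE-over-IPsec conn between the gateways that lets ordinary routes over a gre device carry every subnet, which is how GRE cuts the number of IPsec tunnels. The gateway addresses 192.0.2.1 and 192.0.2.2, the 10.255.0.0/30 link addresses, the conn names and the NETKEY stack are assumptions.

```conf
# Added example, not the poster's config or Openswan's own; 192.0.2.1 (site A
# gateway) and 192.0.2.2 (site B gateway) are assumed placeholders.
conn site-a-b-common
        left=192.0.2.1
        leftid=@siteA
        right=192.0.2.2
        rightid=@siteB
        authby=secret        # PSK for this pair lives in ipsec.secrets
        auto=ignore          # template only, pulled in via also=

# Question 1, subnet-to-subnet: one conn per subnet pair, so 10.44.1.0/24
# (assumed reachable from the site A gateway via the 10.13.1.0/24 LAN)
# gets its own conn next to the existing 10.13.1.0/24 one.
conn a13-to-b15
        also=site-a-b-common
        leftsubnet=10.13.1.0/24
        rightsubnet=10.15.1.0/24
        auto=start

conn a44-to-b15
        also=site-a-b-common
        leftsubnet=10.44.1.0/24
        rightsubnet=10.15.1.0/24
        auto=start

# GRE over IPsec: a single transport-mode SA between the two gateways that
# protects only GRE (IP protocol 47). Subnets never appear in ipsec.conf;
# they are routes over the gre device, so the conn count is one per site
# pair no matter how many subnets sit behind F or G.
conn a-b-gre
        also=site-a-b-common
        type=transport
        leftprotoport=47
        rightprotoport=47
        auto=start

# Site A gateway side of the GRE device (mirror local/remote on site B);
# the 10.255.0.0/30 link addresses are assumed placeholders:
#   ip tunnel add gre-b mode gre local 192.0.2.1 remote 192.0.2.2 ttl 64
#   ip addr add 10.255.0.1/30 dev gre-b
#   ip link set gre-b up
#   ip route add 10.15.1.0/24 dev gre-b
# Check that the GRE carrier is really encrypted (NETKEY stack): "ip xfrm
# state" should list an ESP SA between 192.0.2.1 and 192.0.2.2, and
# "ip xfrm policy" an entry whose selector is proto gre (47) using it.
```

With the GRE variant, adding a subnet on either side is one more route over gre-b (static, or learned by quagga's OSPF speaking over the same interface) rather than a new IPsec conn.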