[Openswan Users] A more complex set of IPSEC tunnels

Fri Jul 28 15:22:38 CEST 2006

On Fri, 28 Jul 2006, Greg Scott wrote:

> I am setting up a modified star config with 8 sites, but with IPSEC
> tunnels instead of traditional frame/T1 circuits.  I'll name the sites A

> So the network will end up being a partial mesh.

> 1 - How to route 10.44.1.nnn thru 10.13.nnn in site A across the IPSEC
> tunnel to site B

You will need additional tunnels for all range you want to "route", unless
you setup a tunnel from the leave nodes to the central node covering it all,
eg a 10.a.b.c/24 to 10/8 tunnel on the nodes.

> 2 - The best way,  in general, to route from any site through site A to
> any other site.
> 3 - The best way to dynamically calculate routes when I set up
> additional IPSEC tunnels, making the network a partial mesh.

Dont do any routing. If the ipsec tunnels are brought up, they will be used.

> For (3), I am guessing I want to set up a routing protocol such as OSPF
> using quagga?  Or would static routes with appropriate metrics be OK?

That setup is mostly used when doing failover over two uplinks.

> I've been reading about setting up GRE tunnels over IPSEC and trying to
> understand how this makes life better and I don't get it.  Page 260 of
> Paul Wouters' Openswan book discusses setting up GRE tunnels to reduce
> the number of IPSEC tunnels.  So in my case - let's say I want to
> "directly" connect sites D and E without routing through A.  (I know it
> isn't really direct because it's a tunnel.)  Would I set up D-E and E-D
> GRE tunnels?  But that doesn't make sense because I wouldn't have
> encryption for D-E traffic.  I would want IPSEC tunnels between D and E.
> How do GRE tunnels fit in?  How do GRE tunnels reduce the number of
> IPSEC tunnels?

If you want to use GRE, you would still have to setup a full mesh of
tunnels, and then have OSPF decide how to route those. I don't think that
is what you need/want at this point?

> Let's say both F and G have a bunch of subnets behind their gateways.
> In my case they don't, but let's say they do.  Is this where GRE tunnels
> come in?  So I would do IPSEC F-G and G-F tunnels and then then GRE on
> top of that and route all the subnets on both sides through the GRE
> tunnel?

GRE is more used for failover uplinks. In your case, you always have a
predetermined best path (either direct, or through A). If you use the
above 10/8 type tunnel, just adding/removing a /24 tunnel from F to G
will cause it to use that instead of the 'generic' tunnel to A. Which
should be enough for your needs I think.

> There is also a new set of ip xfrm commands and it looks like these
> commands allow me to set some sort of policy about what goes through
> IPSEC tunnels and what doesn't.  But this is different than OE policies
> - this looks like some sort of routing policy?  These might be useful
> with my 10.44.1.nnn routing challenge.   I studied everything I can find
> but have not been able to find any documentation on what ip xfrm is all
> about or how to use it or if it is relevant.  Any documentation
> pointers?

Traditionally, no documentation exists for iproute/iproute2 :(
We only use the ip xfrm commands to look at the state. We don't manipulate
state at all using ip xfrm.

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155