[Openswan Users] A more complex set of IPSEC tunnels
Paul Wouters
paul at xelerance.com
Fri Jul 28 15:22:38 CEST 2006
On Fri, 28 Jul 2006, Greg Scott wrote:
> I am setting up a modified star config with 8 sites, but with IPSEC
> tunnels instead of traditional frame/T1 circuits. I'll name the sites A
> So the network will end up being a partial mesh.
> 1 - How to route 10.44.1.nnn thru 10.13.nnn in site A across the IPSEC
> tunnel to site B
You will need additional tunnels for all ranges you want to "route", unless
you set up a tunnel from the leaf nodes to the central node covering it all,
e.g. a 10.a.b.c/24 to 10/8 tunnel on the nodes.
> 2 - The best way, in general, to route from any site through site A to
> any other site.
> 3 - The best way to dynamically calculate routes when I set up
> additional IPSEC tunnels, making the network a partial mesh.
Don't do any routing. If the ipsec tunnels are brought up, they will be used.
> For (3), I am guessing I want to set up a routing protocol such as OSPF
> using quagga? Or would static routes with appropriate metrics be OK?
That setup is mostly used when doing failover over two uplinks.
> I've been reading about setting up GRE tunnels over IPSEC and trying to
> understand how this makes life better and I don't get it. Page 260 of
> Paul Wouters' Openswan book discusses setting up GRE tunnels to reduce
> the number of IPSEC tunnels. So in my case - let's say I want to
> "directly" connect sites D and E without routing through A. (I know it
> isn't really direct because it's a tunnel.) Would I set up D-E and E-D
> GRE tunnels? But that doesn't make sense because I wouldn't have
> encryption for D-E traffic. I would want IPSEC tunnels between D and E.
> How do GRE tunnels fit in? How do GRE tunnels reduce the number of
> IPSEC tunnels?
If you want to use GRE, you would still have to set up a full mesh of
tunnels, and then have OSPF decide how to route those. I don't think that
is what you need/want at this point?
> Let's say both F and G have a bunch of subnets behind their gateways.
> In my case they don't, but let's say they do. Is this where GRE tunnels
> come in? So I would do IPSEC F-G and G-F tunnels and then GRE on
> top of that and route all the subnets on both sides through the GRE
> tunnel?
GRE is more used for failover uplinks. In your case, you always have a
predetermined best path (either direct, or through A). If you use the
above 10/8 type tunnel, just adding/removing a /24 tunnel from F to G
will cause it to use that instead of the 'generic' tunnel to A, which
should be enough for your needs I think.
> There is also a new set of ip xfrm commands and it looks like these
> commands allow me to set some sort of policy about what goes through
> IPSEC tunnels and what doesn't. But this is different than OE policies
> - this looks like some sort of routing policy? These might be useful
> with my 10.44.1.nnn routing challenge. I studied everything I can find
> but have not been able to find any documentation on what ip xfrm is all
> about or how to use it or if it is relevant. Any documentation
> pointers?
Traditionally, no documentation exists for iproute/iproute2 :(
We only use the ip xfrm commands to look at the state. We don't manipulate
state at all using ip xfrm.
Paul
--
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
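The "/24 to 10/8 generic tunnel plus a more specific /24 to /24 tunnel" layout Paul describes above, written out as an ipsec.conf for one leaf site. This is an added, constructed example, not configuration from the thread or from the Openswan project: the conn names, the public addresses (192.0.2.x, documentation space) and the site subnets (10.2.0.0/24 for site B, 10.4.0.0/24 for site D) are placeholders chosen here.

```ini
# Constructed example for leaf site B (not from the thread).
# One "generic" tunnel carries everything in 10/8 to hub A; a second,
# more specific conn carries B<->D traffic directly. When both are up,
# the more specific selector (10.4.0.0/24) is preferred over 10.0.0.0/8;
# take b-to-d down and the same traffic falls back to the tunnel via A.
config setup
        interfaces=%defaultroute

conn %default
        keyexchange=ike
        authby=secret        # PSKs go in ipsec.secrets (not shown)
        auto=start

# Generic tunnel: B's own /24 to all of 10/8, terminated on hub A.
conn b-to-hub
        left=192.0.2.2              # B's public address (placeholder)
        leftsubnet=10.2.0.0/24      # B's LAN (placeholder)
        right=192.0.2.1             # A's public address (placeholder)
        rightsubnet=10.0.0.0/8

# More specific tunnel: B's /24 directly to D's /24, bypassing A.
conn b-to-d
        left=192.0.2.2
        leftsubnet=10.2.0.0/24
        right=192.0.2.4             # D's public address (placeholder)
        rightsubnet=10.4.0.0/24
```

On hub A the mirror image of b-to-hub has leftsubnet=10.0.0.0/8 and rightsubnet=10.2.0.0/24, with one such conn per leaf; since A then forwards packets between its leaf tunnels, IP forwarding must be enabled on A. The conns on D are the mirror image of those on B. No static routes are needed for any of this, which is Paul's point above: bringing a conn up or down is what changes the path.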