[Openswan Users] Re: A more complex set of IPSEC tunnels
petermcgill at goco.net
Fri Jul 28 10:25:48 CEST 2006
I've never used dynamic or failover routing myself, so I can't help you
there, but I can help you with routing everything through your main site.
I use a near full mesh myself, not star, but star is easy to do.
Assuming all your subnets are in the 10.x.x.x range, and you want them
all routed through Site A.
Site A ipsec.conf:
# repeat above pattern for each remote subnet, C, D, etc...
Site B ipsec.conf:
# technically you can use the same definitions as Site A, but
# some would say your confs are easier to read if you allways
# use left for local and right for remote. I use this myself.
# include matching net-server, server-net, and server-server
# create all other site confs.
All Site ipsec.conf's:
left=<sitea pub ip>
left=<siteb pub ip>
# add coresponding conn for each site
# append this to the end of all site confs.
# this way when you change site keys or pub ips,
# then you only need to change once per site.
If you can't route all of 10/8 through Site A or you
have sites outside of 10/8, then you can include
multiple subnets like this:
Site A ipsec.conf:
> I am setting up a modified star config with 8 sites, but with IPSEC
> tunnels instead of traditional frame/T1 circuits. I'll name the sites A
> through H. Site A is in the middle and will have tunnels to all the
> other sites. So there will be tunnels A-B, A-C, A-D, and so on.
> Depending on usage patterns, I will also set up tunnels between other
> sites to make the network a partial mesh. For example - if site B needs
> to communicate frequently to site E, I could set up B-E and E-B tunnels.
> So the network will end up being a partial mesh.
> Site A, the middle site, is split into two subnets - 10.44.1.nnn and
> 10.13.1.nnn. Site B has one subnet, 10.15.1.nnn. I am running a proof
> of concept linking the 10.13.1.nnn LAN at site A with an IPSEC tunnel to
> site B and it performs very well.
> 1 - How to route 10.44.1.nnn thru 10.13.nnn in site A across the IPSEC
> tunnel to site B
> 2 - The best way, in general, to route from any site through site A to
> any other site.
> 3 - The best way to dynamically calculate routes when I set up
> additional IPSEC tunnels, making the network a partial mesh.
Software Developer / Network Administrator
Gra Ham Energy Limited
More information about the Users