[Openswan Users] Re: A more complex set of IPSEC tunnels

Fri Jul 28 10:25:48 CEST 2006

I've never used dynamic or failover routing myself, so I can't help you
there, but I can help you with routing everything through your main site.
I use a near full mesh myself, not star, but star is easy to do.

Assuming all your subnets are in the 10.x.x.x range, and you want them
all routed through Site A.

Site A ipsec.conf:
conn siteb-net-to-sitea-net
    also=sitea
    leftsubnet=10.0.0.0/8
    alsoflip-siteb
    rightsubnet=10.15.1.0/24
    auto=start

conn siteb-net-to-sitea-server
    also=sitea
    alsoflip=siteb
    rightsubnet=10.15.1.0/24
    auto=start

conn siteb-server-to-sitea-net
    also=sitea
    leftsubnet=10.0.0.0/8
    alsoflip=siteb
    auto=start

conn siteb-server-to-sitea-server
    also=sitea
    alsoflip=siteb
    auto=start

# repeat above pattern for each remote subnet, C, D, etc...

Site B ipsec.conf:
conn siteb-net-to-sitea-net
    also=siteb
    leftsubnet=10.15.1.0/24
    alsoflip-sitea
    rightsubnet=10.0.0.0/8
    auto=start

# technically you can use the same definitions as Site A, but
# some would say your confs are easier to read if you allways
# use left for local and right for remote. I use this myself.

# include matching net-server, server-net, and server-server

# create all other site confs.

All Site ipsec.conf's:

conn sitea
    left=<sitea pub ip>
    leftnexthop=%defaultroute
    leftid=@sitea
    leftrsasigkey=<sitea key>

conn siteb
    left=<siteb pub ip>
    leftnexthop=%defaultroute
    leftid=@siteb
    leftrsasigkey=<siteb key>

# add coresponding conn for each site

# append this to the end of all site confs.

# this way when you change site keys or pub ips,
# then you only need to change once per site.

If you can't route all of 10/8 through Site A or you
have sites outside of 10/8, then you can include
multiple subnets like this:

Site A ipsec.conf:
conn siteb-net-to-sitea13-net
    also=sitea
    leftsubnet=10.13.1.0/24
    alsoflip-siteb
    rightsubnet=10.15.1.0/24
    auto=start

conn siteb-net-to-sitea44-net
    also=sitea
    leftsubnet=10.44.1.0/24
    alsoflip-siteb
    rightsubnet=10.15.1.0/24
    auto=start

conn siteb-net-to-siteac-net
    also=sitea
    leftsubnet=<sitec subnet>
    alsoflip-siteb
    rightsubnet=10.15.1.0/24
    auto=start

# etc...

Peter

> I am setting up a modified star config with 8 sites, but with IPSEC
> tunnels instead of traditional frame/T1 circuits.  I'll name the sites A
> through H.  Site A is in the middle and will have tunnels to all the
> other sites.  So there will be tunnels A-B, A-C, A-D, and so on.
> Depending on usage patterns, I will also set up tunnels between other
> sites to make the network a partial mesh.  For example - if site B needs
> to communicate frequently to site E, I could set up B-E and E-B tunnels.
> So the network will end up being a partial mesh.

> Site A, the middle site, is split into two subnets - 10.44.1.nnn and
> 10.13.1.nnn.  Site B has one subnet, 10.15.1.nnn.  I am running a proof
> of concept linking the 10.13.1.nnn LAN at site A with an IPSEC tunnel to
> site B and it performs very well.  

> 1 - How to route 10.44.1.nnn thru 10.13.nnn in site A across the IPSEC
> tunnel to site B
> 2 - The best way,  in general, to route from any site through site A to
> any other site.
> 3 - The best way to dynamically calculate routes when I set up
> additional IPSEC tunnels, making the network a partial mesh.  

Peter McGill
Software Developer / Network Administrator
Gra Ham Energy Limited