[Openswan Users] Remote Office Advice?

Torsten Luettgert t.luettgert at pressestimmen.de
Thu Jun 22 20:20:19 CEST 2006


On Wed, 2006-06-21 at 14:59 -0400, Brett Curtis wrote:
> I already have openswan running in my current network for OSX & WinXP  
> roadwarriors.

Ooh, can't resist asking what client you're using on Windows
and what kind of openswan configuration (Certs/Shared Secret,
what algorithms)?

I have working Windows roadwarriors with certificates and Astaro
Secure Client, but not with certs and the Windows built-in IPsec
implementation (using ipsec.exe and lsipsectool.exe).

> In addition to this conn, I would like to setup 'subnet  
> passthrough'
> 
> This is my plan.
> 
> [192.168.1.0/24]--(switch)---->[Local Office Firewall/Ipsec]----> 
> {INTERNET}<-------[Remote Office Firewall/Ipsec]--(switch)-----> 
> [192.168.1.0/24]
> 
> Is this type of setup possible?

I have one of those running, in a way. Usually, you can't use the
same network on both ends, since IPsec works on layer 3, i.e.
it's like routing, not like bridging.

Now I really needed to use the same subnet (we're moving, and
renumbering was out of the question), and found an ugly, but
functional setup.
The new office has a different private network. The private nets
are connected via OpenS/WAN IPsec. In each private net, I put a
box which does proxy ARP and forwards stuff for the other side via
a GRE tunnel.
So it's possible, but I don't recommend that setup. It has 4
single points of failure, it's complicated to set up, and the proxy
ARPers need to "know" exactly which address resides where.

> Do you recommend that I use a different setup (if this one is even  
> possible)?

Yep, use different networks.

> What could I expect for VoIP(h323) Traffic over an ipsec  
> connection? Any experience with VoIP and ipsec (good results / bad  
> results)?

Up to very high data rates, the performance impact of IPSec is
negligible, especially if you use AES. It also doesn't introduce
jitter in my experience.

Regards,
Torsten
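An added example, not part of the original thread or the openswan project's own documentation: an ipsec.conf net-to-net conn for the recommended setup, with the remote office renumbered to its own private network. The gateway addresses (203.0.113.1 and 198.51.100.1), the second subnet 192.168.2.0/24, the conn name and the PSK are assumptions.

```ini
# /etc/ipsec.conf (assumed layout); openswan treats left/right symmetrically,
# so the same conn section can be used unchanged on both gateways.
config setup
    interfaces=%defaultroute
    nat_traversal=no

conn office-to-office
    type=tunnel
    authby=secret
    # local office: public gateway address and the LAN behind it
    left=203.0.113.1
    leftsubnet=192.168.1.0/24
    # remote office: public gateway address and its *different* LAN
    right=198.51.100.1
    rightsubnet=192.168.2.0/24
    # AES for low per-packet overhead, as noted above; PFS on
    ike=aes128-sha1;modp1536
    esp=aes128-sha1
    pfs=yes
    auto=start

# The shared secret goes in /etc/ipsec.secrets on both gateways, e.g.
#   203.0.113.1 198.51.100.1 : PSK "<placeholder-secret>"
```

Because the two subnets differ, each gateway can route 192.168.x.0/24 traffic into the tunnel by normal layer-3 routing, with no proxy ARP or GRE layer needed.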


