[Openswan Users] Remote Office Advice?

[Torsten Luettgert]

On Wed, 2006-06-21 at 14:59 -0400, Brett Curtis wrote:
> I already have openswan running in my current network for OSX & WinXP  
> roadwarriors.

Ooh, can't resist asking what client you're using on Windows
and what kind of openswan configuration (Certs/Shared Secret,
what algorithms)?

I have working Windows roadwarriors with certificates and Astaro
Secure Client, but not with certs and the Windows built-in IPsec
implementation (using ipsec.exe and lsipsectool.exe).

> In addition to this conn, I would like to setup 'subnet  
> passthrough'
> 
> This is my plan.
> 
> [192.168.1.0/24]--(switch)---->[Local Office Firewall/Ipsec]----> 
> {INTERNET}<-------[Remote Office Firewall/Ipsec]--(switch)-----> 
> [192.168.1.0/24]
> 
> Is this type of setup possible?

I have one of those running, in a way. Usually, you can't use the
same network on both ends, since IPsec works on layer 3, i.e.
it's like routing, not like bridging.

Now I really needed to use the same subnet (we're moving, and
renumbering was out of the question), and found an ugly, but
functional setup.
The new office has a different private network. The private nets
are connected via OpenS/WAN IPsec. In each private net, I put a
box which does proxy ARP and forwards stuff for the other side via
a GRE tunnel.
So it's possible, but I don't recommend that setup. It has 4
single points of failure, it's complicated to set up, and the proxy
ARPers need to "know" exactly which address resides where.

> Do you recommend me to use a different setup (if this one is even  
> possible)?

Yep, use different networks.

> What could I expect for VoIP(h323) Traffic over an ipsec  
> connection? Any experience with VoIP and ipsec (good results / bad  
> resutls)?

Up to very high data rates, the performance impact of IPSec is
negligible, especially if you use AES. It also doesn't introduce
jitter in my experience.

Regards,
Torsten