[Openswan Users] Remote Office Advice?

Brett Curtis dashnu at gmail.com
Thu Jun 22 17:23:41 CEST 2006


Hello
On Jun 22, 2006, at 1:20 PM, Torsten Luettgert wrote:
>
> Ooh, can't resist asking what client you're using on Windows
> and what kind of openswan configuration (Certs/Shared Secret,
> what algorithms)?
>

I use the default XP and OSX clients. Unfortunately I still use a PSK.
Looking to change this soon.
I do not have algorithms or ciphers specifically set in ipsec.conf.
So I use SHA and AES. I also use tunnel mode, which I am not sure is
the best approach, but it works.

> I have working Windows roadwarriors with certificates and Astaro
> Secure Client, but not with certs and the Windows built-in IPsec
> implementation (using ipsec.exe and lsipsectool.exe).
>
>> In addition to this conn, I would like to setup 'subnet
>> passthrough'
>>
>> This is my plan.
>>
>> [192.168.1.0/24]--(switch)---->[Local Office Firewall/Ipsec]---->
>> {INTERNET}<-------[Remote Office Firewall/Ipsec]--(switch)----->
>> [192.168.1.0/24]
>>
>> Is this type of setup possible?
>
> I have one of those running, in a way. Usually, you can't use the
> same network on both ends, since IPsec works on layer 3, i.e.
> it's like routing, not like bridging.
>
> Now I really needed to use the same subnet (we're moving, and
> renumbering was out of the question), and found an ugly, but
> functional setup.
> The new office has a different private network. The private nets
> are connected via OpenS/WAN IPsec. In each private net, I put a
> box which does proxy ARP and forwards stuff for the other side via
> a GRE tunnel.
> So it's possible, but I don't recommend that setup. It has 4
> single points of failure, it's complicated to set up, and the proxy
> ARPers need to "know" exactly which address resides where.

Right. Now that I understand more, I will definitely create a
different subnet for the remote office.

> Up to very high data rates, the performance impact of IPSec is
> negligible, especially if you use AES. It also doesn't introduce
> jitter in my experience.

Great.

>
> Regards,
> Torsten
>

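For readers landing on this thread, here is an ipsec.conf that puts the pieces discussed above side by side: a road-warrior conn as Brett describes his (PSK, no algorithms set, so the daemon's defaults apply), the same conn moved to X.509 certificates with the IKE and ESP proposals pinned explicitly, and a site-to-site conn between two different private subnets as Torsten recommends. This is an added example, not configuration from either poster or from the Openswan project; the public addresses (203.0.113.1, 198.51.100.1, from the documentation ranges), the 192.168.2.0/24 remote subnet, the certificate file name and the DN are placeholders, and the keyword syntax is Openswan 2.x as documented in ipsec.conf(5).

```conf
# /etc/ipsec.conf (Openswan 2.x syntax). Added example; all addresses,
# the certificate file and the DN below are assumed placeholders.

config setup
        interfaces=%defaultroute
        nat_traversal=yes
        # private ranges that NAT-T road warriors may arrive from;
        # exclude our own LAN so it is never treated as a remote client
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24

# Road-warrior conn as described in the thread: PSK, nothing pinned.
# With no ike=/esp= lines the daemon negotiates from its built-in defaults,
# so what you actually get depends on the daemon and client versions.
conn roadwarrior-psk
        left=%defaultroute
        leftsubnet=192.168.1.0/24
        right=%any
        rightsubnet=vhost:%priv,%no
        authby=secret
        auto=add

# The same conn on certificates with explicit proposals. Each client
# presents a cert issued by the same CA (rightca=%same); no group PSK
# to leak. leftid must match the DN in office-gw.pem exactly.
conn roadwarrior-cert
        left=%defaultroute
        leftcert=office-gw.pem
        leftid="C=US, O=Example Corp, CN=office-gw.example.com"
        leftrsasigkey=%cert
        leftsubnet=192.168.1.0/24
        right=%any
        rightrsasigkey=%cert
        rightca=%same
        rightsubnet=vhost:%priv,%no
        authby=rsasig
        ike=aes128-sha1;modp2048
        esp=aes128-sha1
        pfs=yes
        auto=add

# Site-to-site: the remote office gets its own subnet (192.168.2.0/24),
# because the tunnel is routed at layer 3 and both ends cannot share
# 192.168.1.0/24. type=tunnel is the default and is what subnet conns need.
conn office-to-remote
        left=203.0.113.1
        leftid=@office-gw
        leftsubnet=192.168.1.0/24
        right=198.51.100.1
        rightid=@remote-gw
        rightsubnet=192.168.2.0/24
        authby=secret
        ike=aes128-sha1;modp2048
        esp=aes128-sha1
        pfs=yes
        auto=start
```

The PSK conns need matching lines in /etc/ipsec.secrets (for the site-to-site conn, `203.0.113.1 198.51.100.1 : PSK "..."` on both gateways); the road-warrior PSK conn shares one secret among every client, which is the main reason to move it to certificates as the poster intends. Check what was actually negotiated with `ipsec auto --status` after the tunnel comes up rather than assuming the defaults.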