[Openswan Users] Tunnel in tunnel question
Peter McGill
petermcgill at goco.net
Mon Jun 4 09:17:36 EDT 2007
> -----Original Message-----
> Date: Sun, 3 Jun 2007 09:58:32 +0100
> From: "Administrator" <admin at different-perspectives.com>
> Subject: Re: [Openswan Users] Tunnel in tunnel question
> To: <cam73 at aanet.com.au>
> Cc: users at openswan.org
>
> IPCop just creates an IPSec conf file and uses that through
> openswan. I don't think it does anything "fancy".
>
> Do you know if there's a problem with using the same
> certificates (i.e. certs for the gateway rather than the subnet)
> at both ends of two tunnels?
> IPCop blocks this, and I don't know why.
>
> David
>
> > Just create extra tunnels.
> > The only unknown is whether stuff built into IPCop will make
> > this more difficult.
> >
> > Cameron.
> >
> > Administrator wrote:
> > > Hi,
> > >
> > > I'm running IPCop firewall and have an openswan VPN between
> > > two sites. The sites have multiple subnets behind the firewalls
> > > (intranet, dmz etc.), and the VPN connects the two intranets.
> > > I'd like to provide access across the openswan vpn to the dmzs
> > > from the other site. What is the best way to do this?
> > >
> > > IPCop's VPNs have a policy of dropping anything which is
> > > for the "wrong" subnet.
> > >
> > > I've tried adding eroutes / routes through the VPN tunnel, which
> > > didn't work. I've read the documentation, and can't see anything
> > > which would help me.
> > >
> > > Is it possible to simply create a tunnel (encrypted or
> > > non-encrypted) within the vpn tunnel to carry the other traffic,
> > > or should I create another tunnel (preferably using the same
> > > certificates) to carry this other traffic?
Adding subnets is easy; usually you use the same certificates.
Say, for example, your conf looks like this.
conn net-to-net
	left=66.x.x.x
	leftnexthop=%defaultroute
	leftrsasigkey=%cert
	leftcert=/etc/ipsec.d/certs/server.crt
	leftsubnet=10.0.0.0/24
	right=209.x.x.x
	rightnexthop=%defaultroute
	rightrsasigkey=%cert
	rightcert=/etc/ipsec.d/certs/remote.crt
	rightsubnet=10.0.2.0/24
	authby=rsasig
	auto=start
Change it like this.
conn net0-to-net2
	also=net-to-net-shared
	leftsubnet=10.0.0.0/24
	rightsubnet=10.0.2.0/24
	auto=start

conn net1-to-net3
	also=net-to-net-shared
	leftsubnet=10.0.1.0/24
	rightsubnet=10.0.3.0/24
	auto=start

conn net0-to-net3
	also=net-to-net-shared
	leftsubnet=10.0.0.0/24
	rightsubnet=10.0.3.0/24
	auto=start

conn net1-to-net2
	also=net-to-net-shared
	leftsubnet=10.0.1.0/24
	rightsubnet=10.0.2.0/24
	auto=start

conn net-to-net-shared
	left=66.x.x.x
	leftnexthop=%defaultroute
	leftrsasigkey=%cert
	leftcert=/etc/ipsec.d/certs/server.crt
	right=209.x.x.x
	rightnexthop=%defaultroute
	rightrsasigkey=%cert
	rightcert=/etc/ipsec.d/certs/remote.crt
	authby=rsasig
You don't need to use a shared conn, but I think putting shared
settings in one place makes things easier to change, read, etc.
Note, the shared conn must come after the conns that include it.
Peter
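An added example, not part of the thread or of Openswan itself: a small reader for the conn sections of an ipsec.conf that expands also= the way the split-up config above relies on (the referencing conn's own leftsubnet/rightsubnet win over the shared section) and rejects a shared conn that is defined before the conns that include it, mirroring the ordering rule stated in the reply. The config text is a constructed, cut-down copy of the reply's conns; parse_conns and resolve_also are hypothetical helper names.

```python
# Constructed sample: cut-down copy of the split-up config from the reply.
SAMPLE_CONF = """\
conn net0-to-net2
    also=net-to-net-shared
    leftsubnet=10.0.0.0/24
    rightsubnet=10.0.2.0/24
    auto=start
conn net1-to-net3
    also=net-to-net-shared
    leftsubnet=10.0.1.0/24
    rightsubnet=10.0.3.0/24
    auto=start
conn net-to-net-shared
    left=66.x.x.x
    leftcert=/etc/ipsec.d/certs/server.crt
    right=209.x.x.x
    rightcert=/etc/ipsec.d/certs/remote.crt
    authby=rsasig
"""

def parse_conns(text):
    """conn sections in file order as (name, {key: value}); parameters must be indented."""
    conns, current = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("conn "):
            current = {}
            conns.append((line.split()[1], current))
        elif line[0].isspace() and current is not None:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
        else:
            raise ValueError(f"unexpected line in ipsec.conf: {line!r}")
    return conns

def resolve_also(conns):
    """Merge each conn's also= section in; the conn's own settings win."""
    names = [name for name, _ in conns]
    resolved = {}
    for idx, (name, params) in enumerate(conns):
        merged = {}
        if "also" in params:
            target = params["also"]
            # Rule from the reply: the shared conn comes after the conns that include it.
            if target not in names or names.index(target) < idx:
                raise ValueError(f"{name}: also={target} missing or defined too early")
            merged.update(dict(conns)[target])
        merged.update((k, v) for k, v in params.items() if k != "also")
        resolved[name] = merged
    return resolved
```

Feed it the full four-conn config from the reply and each pairwise conn comes back carrying the shared certificates plus its own subnet pair; moving net-to-net-shared above them makes resolve_also raise.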