[Openswan Users] Tunnel in tunnel question
Administrator
admin at different-perspectives.com
Mon Jun 4 15:25:29 EDT 2007
> > IPCop just creates an IPSec conf file and uses that through openswan.
> > I don't think it does anything "fancy".
> >
> > Do you know if there's a problem with using the same certificates (i.e.
> > certs for the gateway rather than the subnet) at both ends of two tunnels?
> > IPCop blocks this, and I don't know why.
> >
> > David
> >
> > > Just create extra tunnels.
> > > The only unknown is whether stuff built into IPCop will make this
> > > more difficult.
> > >
> > > Cameron.
> > >
> > > Administrator wrote:
> > > > Hi,
> > > >
> > > > I'm running IPCop firewall and have an openswan VPN between two sites.
> > > > The sites have multiple subnets behind the firewalls (intranet, dmz
> > > > etc.), and the VPN connects the two intranets. I'd like to provide
> > > > access across the openswan vpn to the dmzs from the other site. What
> > > > is the best way to do this?
> > > >
> > > > IPCop's VPNs have a policy of dropping anything which is for the "wrong"
> > > > subnet.
> > > >
> > > > I've tried adding eroutes / routes through the VPN tunnel, which
> > > > didn't work. I've read the documentation, and can't see anything
> > > > which would help me.
> > > >
> > > > Is it possible to simply create a tunnel (encrypted or non-encrypted)
> > > > within the vpn tunnel to carry the other traffic, or should I create
> > > > another tunnel (preferably using the same certificates) to carry this
> > > > other traffic?
>
> Adding subnets is easy, usually you use the same certificates.
>
> Say for example your conf looks like this.
>
> conn net-to-net
> left=66.x.x.x
> leftnexthop=%defaultroute
> leftrsasigkey=%cert
> leftcert=/etc/ipsec.d/certs/server.crt
> leftsubnet=10.0.0.0/24
> right=209.x.x.x
> rightnexthop=%defaultroute
> rightrsasigkey=%cert
> rightcert=/etc/ipsec.d/certs/remote.crt
> rightsubnet=10.0.2.0/24
> authby=rsasig
> auto=start
>
> Change it like this.
>
> conn net0-to-net2
> also=net-to-net-shared
> leftsubnet=10.0.0.0/24
> rightsubnet=10.0.2.0/24
> auto=start
>
> conn net1-to-net3
> also=net-to-net-shared
> leftsubnet=10.0.1.0/24
> rightsubnet=10.0.3.0/24
> auto=start
>
> conn net0-to-net3
> also=net-to-net-shared
> leftsubnet=10.0.0.0/24
> rightsubnet=10.0.3.0/24
> auto=start
>
> conn net1-to-net2
> also=net-to-net-shared
> leftsubnet=10.0.1.0/24
> rightsubnet=10.0.2.0/24
> auto=start
>
> conn net-to-net-shared
> left=66.x.x.x
> leftnexthop=%defaultroute
> leftrsasigkey=%cert
> leftcert=/etc/ipsec.d/certs/server.crt
> right=209.x.x.x
> rightnexthop=%defaultroute
> rightrsasigkey=%cert
> rightcert=/etc/ipsec.d/certs/remote.crt
> authby=rsasig
>
> You don't need to use a shared conn, but I think putting shared
> settings in one place makes things easier to change, read, etc...
> Note, the shared conn must come after the conns that include it.
Thanks. Worked a dream with manual config. Now I just need to work out how
to automate it so it doesn't get lost on reboot / web gui edit etc.
David
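An added example, not code from the thread or from the Openswan/IPCop projects: the script below generates the full mesh of subnet-to-subnet conn stanzas from two lists of subnets in the `also=` layout shown in the quoted reply, and then parses the result back to check the two things that layout depends on: that every `also=` target exists and is defined after the conn that includes it (the ordering rule stated in the reply), and that no subnet pair is declared twice. The function names, the `conn_name` naming convention (third octet, as in the thread's `net0-to-net2`), and the address values are constructed for this example; a real deployment would substitute its own gateways, certificates and subnets.

```python
"""Generate and validate Openswan ipsec.conf conn stanzas for a subnet mesh.

Constructed example: function names, the naming convention and the sample
addresses below are assumptions for illustration, not from the mailing-list post.
"""
from itertools import product

SHARED_CONN = "net-to-net-shared"

# Gateway-level settings shared by every tunnel (sample values mirroring the thread).
SHARED_SETTINGS = {
    "left": "66.x.x.x",
    "leftnexthop": "%defaultroute",
    "leftrsasigkey": "%cert",
    "leftcert": "/etc/ipsec.d/certs/server.crt",
    "right": "209.x.x.x",
    "rightnexthop": "%defaultroute",
    "rightrsasigkey": "%cert",
    "rightcert": "/etc/ipsec.d/certs/remote.crt",
    "authby": "rsasig",
}


def conn_name(left_subnet, right_subnet):
    """Name a conn from the third octet of each subnet, e.g. net0-to-net2.
    Assumes 10.0.X.0/24-style subnets as in the thread; validate() flags clashes."""
    return f"net{left_subnet.split('.')[2]}-to-net{right_subnet.split('.')[2]}"


def render_mesh(left_subnets, right_subnets, shared=SHARED_SETTINGS):
    """Return ipsec.conf text with one conn per (left, right) subnet pair,
    each including the shared conn, and the shared conn defined last."""
    lines = []
    for ls, rs in product(left_subnets, right_subnets):
        lines += [f"conn {conn_name(ls, rs)}", f"\talso={SHARED_CONN}",
                  f"\tleftsubnet={ls}", f"\trightsubnet={rs}", "\tauto=start", ""]
    lines.append(f"conn {SHARED_CONN}")
    lines += [f"\t{key}={value}" for key, value in shared.items()]
    return "\n".join(lines) + "\n"


def parse_conns(text):
    """Parse 'conn' sections into an ordered list of (name, {param: value}).
    Section headers start in column 0; parameters are indented key=value lines."""
    conns = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing space
        if not line.strip():
            continue
        if line.startswith("conn "):
            current = (line.split(None, 1)[1].strip(), {})
            conns.append(current)
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[1][key.strip()] = value.strip()
    return conns


def validate(text):
    """Return a list of problems: duplicate conn names, missing or
    forward-misplaced also= targets, and duplicate subnet pairs."""
    conns = parse_conns(text)
    problems = []
    index = {}
    for position, (name, _) in enumerate(conns):
        if name in index:
            problems.append(f"{name}: conn name defined more than once")
        index.setdefault(name, position)
    seen_pairs = {}
    for position, (name, params) in enumerate(conns):
        target = params.get("also")
        if target is not None:
            if target not in index:
                problems.append(f"{name}: also={target} does not exist")
            elif index[target] < position:
                problems.append(f"{name}: also={target} must be defined after this conn")
        pair = (params.get("leftsubnet"), params.get("rightsubnet"))
        if pair != (None, None):
            if pair in seen_pairs:
                problems.append(f"{name}: duplicates subnet pair of {seen_pairs[pair]}")
            else:
                seen_pairs[pair] = name
    return problems


if __name__ == "__main__":
    config = render_mesh(["10.0.0.0/24", "10.0.1.0/24"], ["10.0.2.0/24", "10.0.3.0/24"])
    print(config)
    print("problems:", validate(config) or "none")
```

Running the script prints the same five stanzas the reply shows (four subnet pairs plus the shared conn at the end) and reports no problems; feeding `validate()` a file in which the shared conn comes first, or in which a pair was copied twice, lists each offending conn by name, which is the check worth running before anything regenerates ipsec.conf on reboot or after a GUI edit.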