[Openswan Users] Subnets conmunication?

Peter McGill petermcgill at goco.net
Wed Jun 6 09:42:15 EDT 2007


> -----Original Message-----
> From: Peter McGill [mailto:petermcgill at goco.net] 
> Sent: June 6, 2007 9:40 AM
> To: 'it at technovation.com.sv'
> Cc: 'users at openswan.org'
> Subject: RE: [Openswan Users] Subnets conmunication?
> 
> > -----Original Message-----
> > Date: Tue, 5 Jun 2007 15:23:00 -0600
> > From: "IT Dept." <it at technovation.com.sv>
> > Subject: Re: [Openswan Users] Subnets conmunication?
> > To: <users at openswan.org>
> > 
> > 	Can I change my subnets to 192.168.40.x/24, I mean in all
> > branches... we are using DHCP:
> > 
> > Branch A	192.168.50.10-20
> > Branch B	192.168.50.21-30
> > Branch C	192.168.50.31-40
> > 
> > 	And just set my conn to:
> > 	leftsubnet=192.168.50/24
> > 	rightsubnet=192.168.50/24
> > 
> > 	In all linksys..
> > 
> > 	What do you think?
> > 
> > 	Hector
> 
> The subnets need to be unique and non-overlapping, and if you want
> only one tunnel to/from each site, they need to be binary aligned.
> Otherwise routing/tunneling will not work correctly.
> 
> You could do this:
> leftsubnet=192.168.0.0/16
> rightsubnet=192.168.40.0/24
> 
> leftsubnet=192.168.0.0/16
> rightsubnet=192.168.50.0/24
> 
> leftsubnet=192.168.0.0/16
> rightsubnet=192.168.60.0/24
> 
> Or you could do this:
> leftsubnet=192.168.50.0/24
> rightsubnet=192.168.50.0/28 # 192.168.50.1-14
> 
> leftsubnet=192.168.50.0/24
> rightsubnet=192.168.50.16/28 # 192.168.50.17-30
> 
> leftsubnet=192.168.50.0/24
> rightsubnet=192.168.50.32/28 # 192.168.50.33-46
> 
> But be sure to change the subnet masks at your sites too.
> /28 or 255.255.255.239

Subnet mask should be 255.255.255.240, my bad.

Peter

> Using the overlapping "larger" subnet to route traffic to the
> central router works because routers choose the most specific route
> first, but you must keep the routes to your linksys sites unique.
> 
> For example traffic going from site C to site A...
> Source: 192.168.60.10 Dest: 192.168.40.20
> C's router compares packet's destination to C router's routes.
> 192.168.60.0/24 (lan, no match)
> 192.168.0.0/16 (ipsec, match, use this one) And the packet is 
> tunneled to openswan.
> 
> Openswan compares packet's destination to openswan's routes.
> 192.168.40.0/24 (ipsec, match, use this one) And the packet 
> is tunneled to site A.
> 192.168.50.0/24 (ipsec, no match)
> 192.168.60.0/24 (ipsec, no match)
> 
> A's router compares packet's destination to A router's routes.
> 192.168.40.0/24 (lan, match, use this one) And the packet is 
> sent to lan A.
> 192.168.0.0/16 (ipsec, match but not as specific as /24 don't 
> use this one)
> 
> Peter
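The hop-by-hop lookup Peter walks through above, replayed as an added example (not code from the thread or from Openswan): a longest-prefix-match lookup over each router's table for the site C to site A packet, plus a check that the per-site /28 subnets do not overlap and that /28 really is 255.255.255.240. Route tables and addresses are the ones quoted in the reply; the table layout and function names are assumptions.

```python
import ipaddress


def lookup(routes, dst):
    """Return (network, via) of the most specific matching route, or None.

    routes: list of (cidr_string, via_label); dst: dotted-quad string.
    The longest prefix among matching entries wins, which is why the
    /24 lan route beats the /16 ipsec route at site A.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for cidr, via in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best


def trace_c_to_a(dst="192.168.40.20"):
    """Replay the three routing decisions from the reply; returns the via labels."""
    site_c = [("192.168.60.0/24", "lan"), ("192.168.0.0/16", "ipsec")]
    openswan = [("192.168.40.0/24", "ipsec-A"), ("192.168.50.0/24", "ipsec-B"),
                ("192.168.60.0/24", "ipsec-C")]
    site_a = [("192.168.40.0/24", "lan"), ("192.168.0.0/16", "ipsec")]
    return [lookup(table, dst)[1] for table in (site_c, openswan, site_a)]


def overlapping_pairs(cidrs):
    """Pairs of site subnets that overlap; must be empty for one tunnel per site."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [(str(a), str(b)) for i, a in enumerate(nets) for b in nets[i + 1:]
            if a.overlaps(b)]


def netmask(cidr):
    """Dotted netmask for a prefix, e.g. /28 -> 255.255.255.240 (not .239)."""
    return str(ipaddress.ip_network(cidr).netmask)


def usable_hosts(cidr):
    """First and last usable host of a subnet, matching the '# 192.168.50.17-30' notes."""
    hosts = list(ipaddress.ip_network(cidr).hosts())
    return str(hosts[0]), str(hosts[-1])


if __name__ == "__main__":
    print(trace_c_to_a())
    print(overlapping_pairs(["192.168.50.0/28", "192.168.50.16/28", "192.168.50.32/28"]))
    print(overlapping_pairs(["192.168.50.0/24", "192.168.50.0/24"]))
    print(netmask("192.168.50.0/28"), usable_hosts("192.168.50.16/28"))
```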
