[Openswan Users] Subnets conmunication?
Peter McGill
petermcgill at goco.net
Wed Jun 6 09:42:15 EDT 2007
> -----Original Message-----
> From: Peter McGill [mailto:petermcgill at goco.net]
> Sent: June 6, 2007 9:40 AM
> To: 'it at technovation.com.sv'
> Cc: 'users at openswan.org'
> Subject: RE: [Openswan Users] Subnets conmunication?
>
> > -----Original Message-----
> > Date: Tue, 5 Jun 2007 15:23:00 -0600
> > From: "IT Dept." <it at technovation.com.sv>
> > Subject: Re: [Openswan Users] Subnets conmunication?
> > To: <users at openswan.org>
> >
> > Can I change my subnets to 192.168.40.x/24 I mean in all
> > branches...we are using DHCP:
> >
> > Branch A 192.168.50.10-20
> > Branch B 192.168.50.21-30
> > Branch C 192.168.50.31-40
> >
> > And just set my conn to:
> > leftsubnet=192.168.50/24
> > rightsubnet=192.168.50/24
> >
> > In all linksys..
> >
> > What do you think?
> >
> > Hector
>
> The subnets need to be unique, non-overlapping and if you want
> only one tunnel to/from each site, they need to be binary aligned.
> Otherwise routing/tunneling will not work correctly.
>
> You could do this:
> leftsubnet=192.168.0.0/16
> rightsubnet=192.168.40.0/24
>
> leftsubnet=192.168.0.0/16
> rightsubnet=192.168.50.0/24
>
> leftsubnet=192.168.0.0/16
> rightsubnet=192.168.60.0/24
>
> Or you could do this:
> leftsubnet=192.168.50.0/24
> rightsubnet=192.168.50.0/28 # 192.168.50.1-14
>
> leftsubnet=192.168.50.0/24
> rightsubnet=192.168.50.16/28 # 192.168.50.17-30
>
> leftsubnet=192.168.50.0/24
> rightsubnet=192.168.50.32/28 # 192.168.50.33-46
>
> But be sure to change the subnet masks at your sites too.
> /28 or 255.255.255.239
Subnet mask should be 255.255.255.240, my bad.
Peter
> Using the overlapping "larger" subnet to route traffic to the
> central router works because routers choose the most specific route
> first, but you must keep the routes to your linksys sites unique.
>
> For example traffic going from site C to site A...
> Source: 192.168.60.10 Dest: 192.168.40.20
> C's router compares packet's destination to C router's routes.
> 192.168.60.0/24 (lan, no match)
> 192.168.0.0/16 (ipsec, match, use this one) And the packet is
> tunneled to openswan.
>
> Openswan compares packet's destination to openswan's routes.
> 192.168.40.0/24 (ipsec, match, use this one) And the packet
> is tunneled to site A.
> 192.168.50.0/24 (ipsec, no match)
> 192.168.60.0/24 (ipsec, no match)
>
> A's router compares packet's destination to A router's routes.
> 192.168.40.0/24 (lan, match, use this one) And the packet is
> sent to lan A.
> 192.168.0.0/16 (ipsec, match but not as specific as /24 don't
> use this one)
>
> Peter
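
The subnet rules and the site C to site A walk-through above can be checked before touching ipsec.conf. This is an added example, not part of the original message or of Openswan; the function names, site labels and route labels are assumptions, and the sample inputs are constructed from the addresses in the thread.

```python
import ipaddress

def check_site_subnets(sites):
    """Return problems found: misaligned or overlapping per-site subnets."""
    problems, nets = [], {}
    for name, cidr in sites.items():
        try:
            # strict parsing rejects a prefix whose host bits are set
            nets[name] = ipaddress.ip_network(cidr, strict=True)
        except ValueError:
            problems.append(f"{name}: {cidr} is not a binary-aligned network")
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return problems

def netmask(cidr):
    """Dotted-quad mask to configure on the site LAN for this prefix."""
    return str(ipaddress.ip_network(cidr).netmask)

def pick_route(routes, dest):
    """Longest-prefix match: the most specific route containing dest, or None."""
    addr = ipaddress.ip_address(dest)
    hits = [(ipaddress.ip_network(n), via) for n, via in routes
            if addr in ipaddress.ip_network(n)]
    if not hits:
        return None
    net, via = max(hits, key=lambda h: h[0].prefixlen)
    return str(net), via

# Constructed inputs based on the addresses in the message.
SITES_OK = {"A": "192.168.40.0/24", "B": "192.168.50.0/24", "C": "192.168.60.0/24"}
# Same /24 at two sites, plus a /28 that starts on a non-aligned address.
SITES_BAD = {"A": "192.168.50.0/24", "B": "192.168.50.0/24", "C": "192.168.50.31/28"}
LAN, HUB = "lan", "ipsec to openswan"
ROUTES = {
    "site C router": [("192.168.60.0/24", LAN), ("192.168.0.0/16", HUB)],
    "openswan": [("192.168.40.0/24", "ipsec to site A"),
                 ("192.168.50.0/24", "ipsec to site B"),
                 ("192.168.60.0/24", "ipsec to site C")],
    "site A router": [("192.168.40.0/24", LAN), ("192.168.0.0/16", HUB)],
}

def trace(dest):
    """Route chosen at each hop, in the order the packet visits them."""
    return [(hop, pick_route(routes, dest)) for hop, routes in ROUTES.items()]

if __name__ == "__main__":
    print(check_site_subnets(SITES_OK), check_site_subnets(SITES_BAD))
    print(netmask("192.168.50.16/28"), trace("192.168.40.20"))
```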