[Openswan Users] Problems when using subnet 0.0.0.0/0
Милен Панков
mpankov at vereo.bg
Fri Jun 29 01:41:50 EDT 2007
Hi, list.
I have set up and used an openswan configuration for a long time without
problems until I had to change it a little in order to achieve what is
described here:
http://wiki.openswan.org/index.php/Openswan/TheInternetAsABigSubnet and
ran into some problems.
Here is what my situation is. I have a main office, call it office 1,
where I have a gateway and a private network 192.168.168.0/24. This
office is connecting to another office, call it office 2, where there is
a subnet 192.168.32.0/24, through a GRE tunnel. In office 1 there is also
openvpn running, and openvpn clients appear as subnet 10.1.10.0/24. I
have another remote office, office 3, where the subnet is 192.168.7.0/24,
and between office 1 and office 3 there is an openswan running with such
a configuration that each office's PCs and the openvpn PCs can reach each other.
The configuration in office 1 looks like this:
In office 1
-------
config setup

conn 1-subnet
	leftsubnet=192.168.168.0/24
	also=main-conn

conn 2-subnet
	leftsubnet=192.168.32.0/24
	also=main-conn

conn openvpn-subnet
	leftsubnet=10.1.10.0/24
	also=main-conn

conn main-conn
	ike=aes256
	authby=secret
	left=office_1_ip
	right=office_3_ip
	rightsubnet=192.168.7.0/24
	auto=start
--------
In office 3
--------
config setup

conn 1-subnet
	rightsubnet=192.168.168.0/24
	also=main-conn

conn 2-subnet
	rightsubnet=192.168.32.0/24
	also=main-conn

conn openvpn-subnet
	rightsubnet=10.1.10.0/24
	also=main-conn

conn main-conn
	ike=aes256
	authby=secret
	right=office_1_ip
	left=office_3_ip
	leftsubnet=192.168.7.0/24
	auto=add
---------
This is where everything works fine and everyone can reach everyone. But
as office 3 has no connection to the internet (for many reasons they are
using a line that only provides them connectivity to office 1) they were
accessing the internet through a proxy server in office 1. This however
became a problem with some applications which required direct
access and didn't work with a proxy, and there was also a need to redirect
some external ports on my public IPs to servers in office 3. So I had to
set up SNAT and DNAT on the office 1 gateway to office 3 PCs. In order
for this to work through the tunnel I had to use a subnet like 0.0.0.0/0. So
I ended up with the following configuration:
In office 1
-------
config setup

conn main-conn
	ike=aes256
	authby=secret
	leftsubnet=0.0.0.0/0
	left=office_1_ip
	right=office_3_ip
	rightsubnet=192.168.7.0/24
	auto=start
--------
In office 3
--------
config setup

conn main-conn
	ike=aes256
	authby=secret
	rightsubnet=0.0.0.0/0
	right=office_1_ip
	left=office_3_ip
	leftsubnet=192.168.7.0/24
	auto=add
---------
This kind of worked. SNAT and DNAT are working and the connectivity
between the offices is working, but it is very slow and gives a lot of
timeouts. For example, if someone in office 1 tries to set up a Remote
Desktop Connection to a PC in office 3 it takes about 5-10 minutes just
to log in, or ends with a connection timeout. Everything works fine if I
revert to the old configuration.
So I'm missing something, but I can't figure out what, and the Wiki isn't
saying anything in detail. Any help is appreciated.
My OpenSWan is version 2.4.7
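An added example, not from the original post or from Openswan itself: a small Python resolver for the also= inheritance used in the first configuration. It expands each conn the way ipsec.conf does (the including section's own keys override the included ones), lists the effective leftsubnet/rightsubnet pair per conn, and reports whether the two selectors overlap, which is worth checking once one side becomes 0.0.0.0/0. The configuration text is abridged from the post; the helper names are assumptions.

```python
import ipaddress

# Abridged from the office-1 configuration quoted above (constructed sample, not read from disk).
OFFICE1_CONF = """\
conn 1-subnet
    leftsubnet=192.168.168.0/24
    also=main-conn
conn 2-subnet
    leftsubnet=192.168.32.0/24
    also=main-conn
conn openvpn-subnet
    leftsubnet=10.1.10.0/24
    also=main-conn
conn main-conn
    rightsubnet=192.168.7.0/24
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} from an ipsec.conf-style fragment; non-conn lines are skipped."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            conns[current][key] = value
    return conns

def resolve(conns, name):
    """Expand also= as ipsec.conf does: the including section's own keys override included ones."""
    own = dict(conns[name])
    parent = own.pop("also", None)
    if parent is None:
        return own
    merged = resolve(conns, parent)
    merged.update(own)
    return merged

def effective_selectors(text):
    """(conn, leftsubnet, rightsubnet, overlap) for every conn that ends up with both selectors."""
    conns, out = parse_conns(text), []
    for name in conns:
        c = resolve(conns, name)
        if "leftsubnet" in c and "rightsubnet" in c:
            left, right = (ipaddress.ip_network(c[k]) for k in ("leftsubnet", "rightsubnet"))
            out.append((name, str(left), str(right), left.overlaps(right)))
    return out
```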