[Openswan Users] Tunnel headends

Andy Gay andy at andynet.net
Sun Mar 25 20:06:07 EDT 2007


On Sat, 2007-03-24 at 10:54 +0200, Andrei-Florian Staicu wrote:
> Andy Gay wrote:
> >
> > No. That's a common misconception. You need to remember that IPsec
> > tunnels have a policy associated with them, that's what you're
> > configuring in your left/rightsubnet entries. No packets will be allowed
> > into the tunnel unless their source and destination addresses are both
> > inside those networks.
> >
> > It's easy to add additional tunnels though.
> >
> This is a little bit awkward. I was hoping to get a virtual wire. My 
> tunnel example was simplistic, because behind each server I have at 
> least 4 private subnets. If what you are saying is true, for 2 locations 
> with 4 subnets each, I need 16 tunnels. And I have 12 locations.

That's worst case, but if you've chosen your subnet addresses wisely you
shouldn't have a problem.

For example, if a location has 4 subnets 192.168.16.0/24,
192.168.17.0/24, 192.168.18.0/24 and 192.168.19.0/24, you can make one
policy that includes them all, by making leftsubnet=192.168.16.0/22.

If it also has a 5th subnet 192.168.20.0/24 you could include that in
your policy by using 192.168.16.0/21, but that may cause conflicts in
which case you'd probably use a second tunnel.

Anyway, even in the worst case you can just configure as many tunnels as
you need. Don't worry about using lots of tunnels - Openswan can handle
thousands at once (I know, I run servers with >1000 active tunnels).

The 'old' Freeswan docs that are still out there had a good discussion
of this topic - see
http://www.freeswan.org/freeswan_trees/freeswan-2.05/doc/adv_config.html#adv_config


> 
> Thanks for all your help, it seems i'm back to the drawing board.

Don't give up yet! :)


> 
> -- 
> Andrei-Florian STAICU
> Network administrator
> Tel: (+40) 741.227.014
> IPSO S.A.
> 
> 
> 

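The subnet-aggregation advice above (folding 192.168.16.0/24 through 192.168.19.0/24 into a single leftsubnet=192.168.16.0/22, and the caution that a /21 for a fifth subnet may pull in addresses you did not intend) can be checked mechanically before editing ipsec.conf. The following is an added example, not part of the original thread or of Openswan itself; the subnet lists are the ones from the message, the "other location" subnets are constructed for illustration, and the function names are my own.

```python
import ipaddress

def smallest_supernet(subnets):
    """Return the smallest single CIDR block that contains every subnet in the list.
    This is the candidate value for a leftsubnet/rightsubnet policy entry."""
    nets = [ipaddress.ip_network(s, strict=True) for s in subnets]
    candidate = nets[0]
    # Widen the prefix one bit at a time until all subnets fit inside it.
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    return candidate

def uncovered_space(subnets):
    """Address ranges inside the aggregate that are NOT one of the intended subnets.
    These ranges would be admitted into the tunnel by the wider policy."""
    cover = smallest_supernet(subnets)
    remaining = [cover]
    for n in map(ipaddress.ip_network, subnets):
        new = []
        for piece in remaining:
            if n.subnet_of(piece):
                # Carve the intended subnet out of this piece (yields nothing if equal).
                new.extend(piece.address_exclude(n))
            elif piece.subnet_of(n):
                continue  # piece is entirely inside an intended subnet
            else:
                new.append(piece)
        remaining = new
    return sorted(ipaddress.collapse_addresses(remaining))

def conflicts_with(subnets, other_subnets):
    """Subnets used elsewhere (other sites, VPN pools) that the aggregate would
    overlap; any hit means the wider policy would misroute that traffic."""
    cover = smallest_supernet(subnets)
    return [n for n in map(ipaddress.ip_network, other_subnets) if n.overlaps(cover)]

def tunnels_needed(left_policies, right_policies):
    """Number of conns required if every left policy must be paired with every
    right policy (the worst case described in the thread)."""
    return left_policies * right_policies

if __name__ == "__main__":
    four = ["192.168.16.0/24", "192.168.17.0/24", "192.168.18.0/24", "192.168.19.0/24"]
    five = four + ["192.168.20.0/24"]
    # Constructed sample: subnets in use at some other location.
    elsewhere = ["192.168.22.0/24", "10.0.0.0/8"]

    print("4 subnets  ->", smallest_supernet(four), "extra:", uncovered_space(four))
    print("5 subnets  ->", smallest_supernet(five), "extra:", uncovered_space(five))
    print("conflicts  ->", conflicts_with(five, elsewhere))
    print("worst case ->", tunnels_needed(4, 4), "tunnels per site pair")
```

For the four /24s the aggregate is exactly 192.168.16.0/22 with no leftover space, so one policy is equivalent to four. For the fifth subnet the /21 also covers 192.168.21.0/24 and 192.168.22.0/23; if any other site already uses addresses in that range, `conflicts_with` reports it and the second-tunnel approach from the message is the safer choice.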