[Openswan Users] Users Digest, Vol 42, Issue 25

Peter McGill petermcgill at goco.net
Thu May 17 12:26:18 EDT 2007


> -----Original Message-----
> Date: Thu, 17 May 2007 05:27:44 +0200
> From: Wolfgang Kueter <wolfgang at shconnect.de>
> Subject: [Openswan Users] Is more than one network behind a remote gateway possible?
> To: users at openswan.org
> 
> I'm successfully running a site to site tunnel. While the LAN on our
> side of the tunnel is pretty small (just a /26 network), the LAN on
> the other side is much bigger (currently a /16 network). The gateway
> on the other side is a Checkpoint FW-1, while we use OpenSwan.
> 
> Currently the other side uses 172.22.0.0/16.
> 
> Config looks like this:
> 
> ---8<---
> conn exampleconfig
>         authby=secret
>         esp=3des-sha1-96
>         right=abc.def.ghi.ijk
>         rightsubnet=172.22.0.0/16
>         rightrsasigkey=%none
>         leftnexthop=www.xxx.yyy.zzc
>         left=www.xxx.yyy.zzz
>         leftsubnet=192.168.24.64/24
>         leftrsasigkey=%none
>         leftcert=
>         pfs=no
>         auto=add
>         type=tunnel
>         keylife=
>         ikelifetime=
> ---8<---
> 
> Unfortunately it is now required that some machines on the other side
> need to use the tunnel too, that use IP addresses from the range
> 172.21.0.0/16. 
> 
> I could of course use 172.20.0.0/14 for rightsubnet, which covers
> everything from 172.20.0.0 to 172.23.255.255, or try to add
> 172.21.0.0/16.
> 
> Is it possible to list more than one network for rightsubnet, like the
> following example?
> 
> ---8<---
> conn exampleconfig
>         authby=secret
>         esp=3des-sha1-96
>         right=abc.def.ghi.ijk
>         rightsubnet=172.21.0.0/16 172.22.0.0/16
>         rightrsasigkey=%none
>         leftnexthop=www.xxx.yyy.zzc
>         left=www.xxx.yyy.zzz
>         leftsubnet=192.168.24.64/24
>         leftrsasigkey=%none
>         leftcert=
>         pfs=no
>         auto=add
>         type=tunnel
>         keylife=
>         ikelifetime=
> ---8<---
> 
> If yes, what is the correct syntax when listing more than one network, how
> to separate the entries (space, comma ...)?

If using 172.20.0.0/14 seems OK to you I would do that, as it uses fewer
tunnels, but you can also use multiple tunnels to a single host.
How you do it is you make a second full conn, the same as the original,
but with a different subnet.

In order to simplify the conf and changes to it you can use also= to
include shared options; remember the shared conn comes last, i.e.:

# one conn per remote subnet; each pulls the common settings in via also=
conn example21net
	also=exampleshared
	rightsubnet=172.21.0.0/16
	auto=add

conn example22net
	also=exampleshared
	rightsubnet=172.22.0.0/16
	auto=add

# shared section, placed after the conns that reference it
conn exampleshared
	authby=secret
	esp=3des-sha1-96
	right=abc.def.ghi.ijk
	leftnexthop=www.xxx.yyy.zzc
	left=www.xxx.yyy.zzz
	leftsubnet=192.168.24.64/24
	pfs=no
	type=tunnel

Peter
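The trade-off in the reply above (one broad rightsubnet versus one conn per remote network) is worth making concrete, because the selector is also a security boundary: with rightsubnet=172.20.0.0/14 the kernel policy sends anything addressed to 172.20.x.x or 172.23.x.x into the tunnel and accepts packets from the peer claiming those source ranges, even though neither block was asked for. The script below is an added example written for this page, not code from the thread or from Openswan: it computes the smallest single supernet covering a list of remote subnets, lists the extra address space that supernet would pull into the policy, and renders an ipsec.conf fragment in the also= layout shown in the reply (per-subnet conns first, shared section last). The subnet list and the shared settings are constructed from the thread; the conn-name prefix and function names are this example's own choices.

```python
import ipaddress

# Constructed input for this example: the two remote networks from the thread.
REMOTE_SUBNETS = ["172.21.0.0/16", "172.22.0.0/16"]

# Shared settings, taken from the reply's "exampleshared" conn.
SHARED = {
    "authby": "secret",
    "esp": "3des-sha1-96",
    "right": "abc.def.ghi.ijk",
    "leftnexthop": "www.xxx.yyy.zzc",
    "left": "www.xxx.yyy.zzz",
    "leftsubnet": "192.168.24.64/24",
    "pfs": "no",
    "type": "tunnel",
}


def covering_supernet(subnets):
    """Smallest single CIDR block that contains every subnet in `subnets`."""
    nets = [ipaddress.ip_network(s, strict=True) for s in subnets]
    cand = nets[0]
    # Widen the prefix one bit at a time until every requested block fits.
    while not all(n.subnet_of(cand) for n in nets):
        cand = cand.supernet()
    return cand


def excess_space(subnets):
    """Address space a single covering supernet would add beyond `subnets`.

    Returns the leftover blocks as a sorted list of ip_network objects; an
    empty list means the supernet is exactly the requested space."""
    wanted = [ipaddress.ip_network(s, strict=True) for s in subnets]
    remaining = [covering_supernet(subnets)]
    for w in wanted:
        nxt = []
        for block in remaining:
            if w.subnet_of(block):
                # Carve the requested subnet out of this block
                # (yields nothing when w == block).
                nxt.extend(block.address_exclude(w))
            elif not block.subnet_of(w):
                # Two CIDR blocks either nest or are disjoint; disjoint -> keep.
                nxt.append(block)
        remaining = nxt
    return sorted(ipaddress.collapse_addresses(remaining))


def conn_name(prefix, subnet):
    """Deterministic conn name such as example-172-21-0-0-16 (naming is this example's own)."""
    n = ipaddress.ip_network(subnet, strict=True)
    return f"{prefix}-{str(n.network_address).replace('.', '-')}-{n.prefixlen}"


def render_conf(prefix, shared_name, shared, subnets):
    """ipsec.conf text with one conn per remote subnet plus a shared section.

    Per-subnet conns are emitted first and the shared section last, which is
    the ordering the reply above calls for with also=."""
    out = []
    for s in subnets:
        out.append(f"conn {conn_name(prefix, s)}")
        out.append(f"\talso={shared_name}")
        out.append(f"\trightsubnet={ipaddress.ip_network(s, strict=True)}")
        out.append("\tauto=add")
        out.append("")
    out.append(f"conn {shared_name}")
    for key, value in shared.items():
        out.append(f"\t{key}={value}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    agg = covering_supernet(REMOTE_SUBNETS)
    print(f"single-selector alternative: rightsubnet={agg}")
    for blk in excess_space(REMOTE_SUBNETS):
        print(f"  also matched by that selector but not requested: {blk}")
    print()
    print(render_conf("example", "exampleshared", SHARED, REMOTE_SUBNETS))
```

For the two /16s in the thread the covering block is 172.20.0.0/14 and the excess is 172.20.0.0/16 plus 172.23.0.0/16; if those ranges are not actually behind the Checkpoint, the per-subnet conns keep the policy tight, and the generated fragment can be pasted into ipsec.conf as-is.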


