[Openswan Users] star topology vpn
Peter McGill
petermcgill at goco.net
Thu Jan 31 15:05:22 EST 2008
I have done some of this in the past; it's not too difficult.
Ideally all of your sites have static IPs connected in a mesh; this is typically the best
for cost and speed, but sometimes you're stuck with dynamic IPs, which require a star.
I have a mix in my WAN.
This is the general principle; modify to suit your needs, adding additional connection details...
Essentially you do two things...
1) Make your dynamic hosts start the tunnels with auto=start, and the central host just auto=add.
2) Tell your dynamic hosts that the central subnet is a larger, all-encompassing subnet.
This works because the routing system will route to more specific routes when possible.
site1 ipsec.conf:
conn site1
    # the spoke initiates; the far end is the whole central range, not just the hub's LAN
    left=<site1 public ip>
    leftsourceip=<site1 lan ip, 10.0.1.y>
    leftsubnet=10.0.1.0/24
    right=<central public ip>
    rightsourceip=<central lan ip>
    rightsubnet=10.0.0.0/16
    auto=start
site2 ipsec.conf:
conn site2
    left=<site2 public ip>
    leftsourceip=<site2 lan ip, 10.0.2.y>
    leftsubnet=10.0.2.0/24
    right=<central public ip>
    rightsourceip=<central lan ip>
    rightsubnet=10.0.0.0/16
    auto=start
site3 ipsec.conf:
conn site3
    left=<site3 public ip>
    leftsourceip=<site3 lan ip, 10.0.3.y>
    leftsubnet=10.0.3.0/24
    right=<central public ip>
    rightsourceip=<central lan ip>
    rightsubnet=10.0.0.0/16
    auto=start
central ipsec.conf:
conn site1
    # the hub only loads the conn and waits for the spoke to connect
    left=<central public ip>
    leftsourceip=<central lan ip>
    leftsubnet=10.0.0.0/16
    right=<site1 public ip>
    rightsourceip=<site1 lan ip, 10.0.1.y>
    rightsubnet=10.0.1.0/24
    auto=add
conn site2
    left=<central public ip>
    leftsourceip=<central lan ip>
    leftsubnet=10.0.0.0/16
    right=<site2 public ip>
    rightsourceip=<site2 lan ip, 10.0.2.y>
    rightsubnet=10.0.2.0/24
    auto=add
conn site3
    left=<central public ip>
    leftsourceip=<central lan ip>
    leftsubnet=10.0.0.0/16
    right=<site3 public ip>
    rightsourceip=<site3 lan ip, 10.0.3.y>
    rightsubnet=10.0.3.0/24
    auto=add
The alternative to using an all-encompassing subnet is to make additional conns, for example...
site1 ipsec.conf:
conn site1-site2
    left=<site1 public ip>
    leftsourceip=<site1 lan ip, 10.0.1.y>
    leftsubnet=10.0.1.0/24
    right=<central public ip>
    rightsubnet=10.0.2.0/24
    auto=start
conn site1-site3
    left=<site1 public ip>
    leftsourceip=<site1 lan ip, 10.0.1.y>
    leftsubnet=10.0.1.0/24
    right=<central public ip>
    rightsubnet=10.0.3.0/24
    auto=start
site2 ipsec.conf:
conn site2-site1
    left=<site2 public ip>
    leftsourceip=<site2 lan ip, 10.0.2.y>
    leftsubnet=10.0.2.0/24
    right=<central public ip>
    rightsubnet=10.0.1.0/24
    auto=start
conn site2-site3
    left=<site2 public ip>
    leftsourceip=<site2 lan ip, 10.0.2.y>
    leftsubnet=10.0.2.0/24
    right=<central public ip>
    rightsubnet=10.0.3.0/24
    auto=start
site3 ipsec.conf:
conn site3-site1
    left=<site3 public ip>
    leftsourceip=<site3 lan ip, 10.0.3.y>
    leftsubnet=10.0.3.0/24
    right=<central public ip>
    rightsubnet=10.0.1.0/24
    auto=start
conn site3-site2
    left=<site3 public ip>
    leftsourceip=<site3 lan ip, 10.0.3.y>
    leftsubnet=10.0.3.0/24
    right=<central public ip>
    rightsubnet=10.0.2.0/24
    auto=start
central ipsec.conf:
conn site1-site2
    left=<central public ip>
    leftsubnet=10.0.2.0/24
    right=<site1 public ip>
    rightsubnet=10.0.1.0/24
    auto=add
conn site1-site3
    left=<central public ip>
    leftsubnet=10.0.3.0/24
    right=<site1 public ip>
    rightsubnet=10.0.1.0/24
    auto=add
conn site2-site1
    left=<central public ip>
    leftsubnet=10.0.1.0/24
    right=<site2 public ip>
    rightsubnet=10.0.2.0/24
    auto=add
conn site2-site3
    left=<central public ip>
    leftsubnet=10.0.3.0/24
    right=<site2 public ip>
    rightsubnet=10.0.2.0/24
    auto=add
conn site3-site1
    left=<central public ip>
    leftsubnet=10.0.1.0/24
    right=<site3 public ip>
    rightsubnet=10.0.3.0/24
    auto=add
conn site3-site2
    left=<central public ip>
    leftsubnet=10.0.2.0/24
    right=<site3 public ip>
    rightsubnet=10.0.3.0/24
    auto=add
As you can see, the first is much cleaner and simpler if your network can handle it.
Peter McGill
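The supernet layout from the reply above, as an added example that is not part of Peter's post or of Openswan itself: a Python script that generates the spoke and hub ipsec.conf blocks from a site table and then models the "more specific route wins" rule to trace which conn carries a spoke-to-spoke packet and why gateway traffic to its own LAN stays local. Everything beyond the post is an assumption: the sample addresses are constructed, a spoke without a static address is written with left=%defaultroute on its side and right=%any on the hub, and @name leftid/rightid values are added so the hub can tell such peers apart. Authentication settings (keys or certificates) are not shown in the post and are left out here as well.

```python
# Added example (not from the post, nor Openswan's own code): build the hub-and-spoke
# ipsec.conf blocks from a site table and trace which conn a packet rides.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional
SUPERNET = ipaddress.ip_network("10.0.0.0/16")  # the all-encompassing central subnet

@dataclass(frozen=True)
class Site:
    name: str
    public_ip: Optional[str]  # static public address; None marks a dynamic spoke
    lan: str                  # LAN behind the gateway, e.g. "10.0.1.0/24"
    gw_lan_ip: str            # gateway's own LAN address (leftsourceip/rightsourceip)

@dataclass(frozen=True)
class Conn:
    name: str
    leftsubnet: ipaddress.IPv4Network   # this host's side
    rightsubnet: ipaddress.IPv4Network  # the peer's side

def spoke_conn(spoke: Site) -> Conn:
    return Conn(spoke.name, ipaddress.ip_network(spoke.lan), SUPERNET)  # far end = whole supernet

def hub_conn(spoke: Site) -> Conn:
    return Conn(spoke.name, SUPERNET, ipaddress.ip_network(spoke.lan))  # one conn per spoke

def render_spoke_conf(spoke: Site, hub: Site) -> str:
    """Spoke side: auto=start, because the spoke (whose IP may change) initiates."""
    c = spoke_conn(spoke)
    # Assumptions beyond the post: %defaultroute for a dynamic spoke, @name IDs on both ends.
    return "\n".join([
        f"conn {c.name}",
        f"\tleft={spoke.public_ip or '%defaultroute'}",
        f"\tleftid=@{spoke.name}",
        f"\tleftsourceip={spoke.gw_lan_ip}",
        f"\tleftsubnet={c.leftsubnet}",
        f"\tright={hub.public_ip}",
        f"\trightid=@{hub.name}",
        f"\trightsourceip={hub.gw_lan_ip}",
        f"\trightsubnet={c.rightsubnet}",
        "\tauto=start",
    ])

def render_hub_conf(hub: Site, spokes: List[Site]) -> str:
    """Hub side: auto=add only, so the hub loads each conn and waits for the spoke."""
    blocks = []
    for s in spokes:
        c = hub_conn(s)
        blocks.append("\n".join([
            f"conn {c.name}",
            f"\tleft={hub.public_ip}",
            f"\tleftid=@{hub.name}",
            f"\tleftsourceip={hub.gw_lan_ip}",
            f"\tleftsubnet={c.leftsubnet}",
            f"\tright={s.public_ip or '%any'}",  # assumption: dynamic spoke, any source address
            f"\trightid=@{s.name}",
            f"\trightsourceip={s.gw_lan_ip}",
            f"\trightsubnet={c.rightsubnet}",
            "\tauto=add",
        ]))
    return "\n\n".join(blocks)

def outbound_choice(local_lan: str, conns: List[Conn], dst) -> Optional[str]:
    """Longest-prefix match between the connected LAN route and each conn's rightsubnet route."""
    cands = [(ipaddress.ip_network(local_lan), "local")] + [(c.rightsubnet, c.name) for c in conns]
    hits = [(n.prefixlen, name) for n, name in cands if dst in n]
    return max(hits)[1] if hits else None

def inbound_conn(conns: List[Conn], src, dst) -> Optional[str]:
    """Which conn's selectors admit a packet arriving from the peer side."""
    hits = [(c.rightsubnet.prefixlen + c.leftsubnet.prefixlen, c.name)
            for c in conns if src in c.rightsubnet and dst in c.leftsubnet]
    return max(hits)[1] if hits else None

def trace(spokes: List[Site], hub: Site, src: str, dst: str) -> list:
    """Follow a packet from one spoke LAN toward another through the hub."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_site = next(x for x in spokes if s in ipaddress.ip_network(x.lan))
    path = [(src_site.name, outbound_choice(src_site.lan, [spoke_conn(src_site)], d))]
    if path[0][1] in (None, "local"):
        return path  # the connected /24 beat the tunnel's /16; never enters a tunnel
    hub_conns = [hub_conn(x) for x in spokes]
    path.append((hub.name + " in", inbound_conn(hub_conns, s, d)))
    path.append((hub.name + " out", outbound_choice(hub.lan, hub_conns, d)))
    dst_site = next((x for x in spokes if d in ipaddress.ip_network(x.lan)), None)
    if dst_site is not None:
        path.append((dst_site.name, inbound_conn([spoke_conn(dst_site)], s, d)))
    return path

# Constructed sample sites; the addresses are documentation ranges, not from the post.
HUB = Site("central", "192.0.2.1", "10.0.0.0/24", "10.0.0.1")
SPOKES = [
    Site("site1", "198.51.100.1", "10.0.1.0/24", "10.0.1.1"),
    Site("site2", None, "10.0.2.0/24", "10.0.2.1"),  # dynamic public IP
    Site("site3", "203.0.113.1", "10.0.3.0/24", "10.0.3.1"),
]

if __name__ == "__main__":
    print(render_hub_conf(HUB, SPOKES), *(render_spoke_conf(sp, HUB) for sp in SPOKES), sep="\n\n")
    print(trace(SPOKES, HUB, "10.0.1.5", "10.0.3.7"), trace(SPOKES, HUB, "10.0.1.1", "10.0.1.50"))
```

Running it prints the generated conns and two traces: a packet from 10.0.1.5 to 10.0.3.7 leaves site1 over conn site1, is admitted on the hub by conn site1 (src in 10.0.1.0/24, dst in 10.0.0.0/16), is re-encrypted by conn site3 (the /24 toward site3 is the most specific match) and is admitted at site3 by its conn; a packet from the site1 gateway to its own LAN picks the connected /24 over the tunnel's /16 and never enters a tunnel. That second case is exactly the route-based reasoning in the post, so on a spoke running the NETKEY stack it is worth confirming with `ip xfrm policy` that gateway-originated traffic to its own LAN is not caught by the 10.0.1.0/24 to 10.0.0.0/16 selector, since XFRM policy lookup is not driven by the routing table.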
_____
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Raimar Grosse
Sent: January 31, 2008 9:10 AM
To: users at openswan.org
Subject: [Openswan Users] star topology vpn
Hi,
I'd like to build a VPN with a star topology and Openswan.
There should be one server with a static IP which manages the VPN connection. Several routers should start the VPN connection with
this server when connecting to the internet. Some of the IPs of the routers will be static, but some will be dynamic. Behind the
routers there are local networks with IP ranges 10.0.x.y; for example, we have the three networks 10.0.1.y, 10.0.2.y and 10.0.3.y, and
their gateway builds a connection with the VPN server.
What I want is the possibility to get connections from a computer in network 10.0.1.y to one in network 10.0.3.y, for example. Is
this possible with Openswan when some of the external router IPs are dynamic?
Has anybody built such a network? It would be nice if you had some suggestions.
Raimar