[Openswan Users] multiple subnets ?

Wolfgang Kueter wolfgang at shconnect.de
Wed Jun 25 06:18:15 EDT 2008


On Wed, 25 Jun 2008, Indunil Jayasooriya wrote:

> On my side, I have only one subnet which is the leftsubnet.
> But, on the other side, there are 4 subnets. I added those 4 subnets to
> rightsubnet. pls see my /etc/ipsec.conf file for it.
> 
> here is my ipsec.conf file
> 
> 
> 
> [root at box ~]# cat /etc/ipsec.conf
> # /etc/ipsec.conf - Openswan IPsec configuration file
> #
> # Manual:     ipsec.conf.5
> #
> # Please place your own config files in /etc/ipsec.d/ ending in .conf
> 
> version 2.0     # conforms to second version of ipsec.conf specification
> 
> # basic configuration
> config setup
>         interfaces=%defaultroute
>         # Debug-logging controls:  "none" for (almost) none, "all" for lots.
>         klipsdebug=all
>         plutodebug=all
> 
> conn tunnelipsec
>         type=tunnel
>         left=1.2.3.4
>         leftsubnet=192.168.1.0/24
>         right=5.6.7.8
>         rightsubnet=10.10.49.0/24
>         rightsubnet=192.168.46.0/24
>         rightsubnet=192.168.50.0/24
>         rightsubnet=192.168.55.0/24
>         esp=3des-md5
>         authby=secret
>         keyexchange=ike
>         pfs=no
>         auto=start
> 
> #Disable Opportunistic Encryption
> include /etc/ipsec.d/examples/no_oe.conf
> 
> 
> After restarting the service, I get the error below.
> It says
> 
> duplicated parameter "rightsubnet"

Correct, this doesn't work; instead you have to configure 4 separate 
tunnels to the same gateway. 

Something like this works for me with two 
networks on the other side of the tunnel; it should work with 4 as well:

conn tunnelipsec1
	type=tunnel
	left=1.2.3.4
	leftsubnet=192.168.1.0/24
	right=5.6.7.8
	rightsubnet=10.10.49.0/24
	esp=3des-md5
	authby=secret
	keyexchange=ike
	pfs=no
	auto=start

conn tunnelipsec2
	type=tunnel
	left=1.2.3.4
	leftsubnet=192.168.1.0/24
	right=5.6.7.8
	rightsubnet=192.168.46.0/24
	esp=3des-md5
	authby=secret
	keyexchange=ike
	pfs=no
	auto=start

conn tunnelipsec3
	type=tunnel
	left=1.2.3.4
	leftsubnet=192.168.1.0/24
	right=5.6.7.8
	rightsubnet=192.168.50.0/24
	esp=3des-md5
	authby=secret
	keyexchange=ike
	pfs=no
	auto=start

conn tunnelipsec4
	type=tunnel
	left=1.2.3.4
	leftsubnet=192.168.1.0/24
	right=5.6.7.8
	rightsubnet=192.168.55.0/24
	esp=3des-md5
	authby=secret
	keyexchange=ike
	pfs=no
	auto=start


> Can't OpenSwan have 4 subnets?

It can but you have to configure separate tunnels.

Wolfgang

