[Openswan Users] Solved - HOWTO configure multi-site VPNs
John Mok
jmok at attglobal.net
Fri Mar 21 10:55:09 EDT 2008
I tried the following and it works now :-
H1 ipsec.conf:
conn s1-s2
        left=h1
        leftsubnet=s1
        leftcert=cert_h1.pem
        right=h2
        rightsubnet=s2
        rightcert=cert_h2.pem

conn s1-s2-s3
        left=h1
        leftsubnet=s1
        leftcert=cert_h1.pem
        right=h2
        rightsubnet=s3
        rightcert=cert_h2.pem

H2 ipsec.conf:
# conn's from both h1 above and h3 below, i.e. s1-s2, s1-s2-s3, s3-s2 and s3-s2-s1, total 4 connections

H3 ipsec.conf:
conn s3-s2
        left=h3
        leftsubnet=s3
        leftcert=cert_h3.pem
        right=h2
        rightsubnet=s2
        rightcert=cert_h2.pem

conn s3-s2-s1
        left=h3
        leftsubnet=s3
        leftcert=cert_h3.pem
        right=h2
        rightsubnet=s1
        rightcert=cert_h2.pem

Thank you, John Mok
John Mok wrote:
> Hi Peter,
>
> Thank you very much for your reply.
>
> I am using x.509 certificates for encryption, and I tried the following
> but have no luck :-
>
> H1 ipsec.conf:
> conn s1-s2
>         left=h1
>         leftsubnet=s1
>         leftcert=cert_h1.pem
>         right=h2
>         rightsubnet=s2
>         rightcert=cert_h2.pem
>
> conn s1-s3
>         left=h1
>         leftsubnet=s1
>         leftcert=cert_h1.pem
>         right=h2
>         rightsubnet=s3
>         rightcert=cert_h3.pem
>
> H2 ipsec.conf:
> # conn's from both h1 above and h3 below, i.e. s1-s2, s1-s3, s3-s2 and s3-s1, total 4 connections
>
> H3 ipsec.conf:
> conn s3-s2
>         left=h3
>         leftsubnet=s3
>         leftcert=cert_h3.pem
>         right=h2
>         rightsubnet=s2
>         rightcert=cert_h2.pem
>
> conn s3-s1
>         left=h3
>         leftsubnet=s3
>         leftcert=cert_h3.pem
>         right=h2
>         rightsubnet=s1
>         rightcert=cert_h1.pem
>
> On h3, ipsec eroute showed the connection s3-s1 was in "trap" status. On
> h2, both s1-s3 and s3-s1 connections were in "trap" status. Please help
> to advise what went wrong.
>
> Thanks a lot.
>
> John Mok
>
>
>
> Peter McGill wrote:
>> Once more: you cannot route traffic into ipsec tunnels.
>> You must set up subnet conn's for them.
>> I.e.)
>>
>> H1 ipsec.conf:
>> conn s1-s2
>>         left=h1
>>         leftsubnet=s1
>>         right=h2
>>         rightsubnet=s2
>>
>> conn s1-s3
>>         left=h1
>>         leftsubnet=s1
>>         right=h2
>>         rightsubnet=s3
>>
>> H2 ipsec.conf:
>> # conn's from both h1 above and h3 below
>>
>> H3 ipsec.conf:
>> conn s3-s2
>>         left=h3
>>         leftsubnet=s3
>>         right=h2
>>         rightsubnet=s2
>>
>> conn s3-s1
>>         left=h3
>>         leftsubnet=s3
>>         right=h2
>>         rightsubnet=s1
>>
>>
>> Peter McGill
>>
>>
>
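The working configuration at the top of this message follows a fixed pattern: every tunnel terminates at the hub h2, so each spoke needs one conn to the hub's own subnet plus one conn per other spoke's subnet, and `right=`/`rightcert=` are always the hub's address and certificate even when `rightsubnet=` is a network behind another spoke. The first attempt broke exactly that rule (`right=h2` with `rightcert=cert_h3.pem`). The following Python script is an added example, not code from the thread or from Openswan: it generates the hub and spoke conn blocks for the h1/h2/h3 topology and flags conns whose `leftcert`/`rightcert` does not belong to the gateway named in `left`/`right`. The `Site` class, the function names and the h1/s1/cert_h1.pem sample values are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Site:
    host: str    # gateway as written in left=/right= (the thread uses h1, h2, h3)
    subnet: str  # network behind that gateway (s1, s2, s3)
    cert: str    # the gateway's own certificate file


# Constructed sample topology mirroring the thread: h2 is the hub.
H1 = Site("h1", "s1", "cert_h1.pem")
H2 = Site("h2", "s2", "cert_h2.pem")
H3 = Site("h3", "s3", "cert_h3.pem")


def make_conn(name, left, leftsubnet, right, rightsubnet):
    """Subnet-to-subnet conn between two gateways.

    leftcert/rightcert come from the gateway objects, so rightcert is always
    the certificate of the host in right= (the hub), even when rightsubnet is
    a network behind a different spoke.
    """
    return {
        "name": name,
        "left": left.host, "leftsubnet": leftsubnet, "leftcert": left.cert,
        "right": right.host, "rightsubnet": rightsubnet, "rightcert": right.cert,
    }


def spoke_conns(spoke, hub, spokes):
    """Conns one spoke needs: one to the hub's subnet and one per other
    spoke's subnet, all terminating at the hub."""
    conns = [make_conn(f"{spoke.subnet}-{hub.subnet}", spoke, spoke.subnet, hub, hub.subnet)]
    for other in spokes:
        if other == spoke:
            continue
        name = f"{spoke.subnet}-{hub.subnet}-{other.subnet}"
        conns.append(make_conn(name, spoke, spoke.subnet, hub, other.subnet))
    return conns


def hub_conns(hub, spokes):
    """The hub's ipsec.conf carries every spoke's conns unchanged."""
    return [c for s in spokes for c in spoke_conns(s, hub, spokes)]


def render(conns):
    """ipsec.conf text; parameter lines are indented, as the parser requires."""
    out = []
    for c in conns:
        out.append(f"conn {c['name']}")
        out.extend(f"\t{k}={v}" for k, v in c.items() if k != "name")
        out.append("")
    return "\n".join(out)


def cert_mismatches(conns, sites):
    """Names of conns whose leftcert/rightcert is not the certificate of the
    gateway named in left=/right=; this is the defect in the first attempt."""
    cert_of = {s.host: s.cert for s in sites}
    return [
        c["name"] for c in conns
        if c["leftcert"] != cert_of.get(c["left"]) or c["rightcert"] != cert_of.get(c["right"])
    ]


# The s1-s3 conn from the thread's first (non-working) attempt, transcribed:
# right= is h2 but rightcert= is h3's certificate.
FIRST_ATTEMPT_S1_S3 = {
    "name": "s1-s3",
    "left": "h1", "leftsubnet": "s1", "leftcert": "cert_h1.pem",
    "right": "h2", "rightsubnet": "s3", "rightcert": "cert_h3.pem",
}

if __name__ == "__main__":
    for site in (H1, H3):
        print(f"# {site.host.upper()} ipsec.conf\n{render(spoke_conns(site, H2, [H1, H3]))}")
    print(f"# H2 ipsec.conf\n{render(hub_conns(H2, [H1, H3]))}")
    print("mismatches in first attempt:", cert_mismatches([FIRST_ATTEMPT_S1_S3], [H1, H2, H3]))
```

Running the script prints the three ipsec.conf fragments with the same conn names as the solved post (s1-s2, s1-s2-s3, s3-s2, s3-s2-s1, all four on h2) and reports `['s1-s3']` for the first attempt, the conn that stayed in "trap" state. The check is deliberately narrow: it catches the cert-to-gateway mismatch and nothing else, so it will not notice a wrong `leftid`/`rightid` or a subnet typo.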