[Openswan Users] Solved - HOWTO configure multi-site VPNs
Peter McGill
petermcgill at goco.net
Mon Mar 24 10:07:56 EDT 2008
Yes, that is how it's supposed to work.
You add a second conn to your central site, identical
to the first except with the different remote subnet.
Peter McGill
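Added example (written for this archive page; not code from the thread or from the Openswan project): a small Python script that generates the spoke and hub conn blocks for the hub-and-spoke layout discussed here (spokes h1 and h3, hub h2) and checks the point the thread turns on, namely that leftcert/rightcert must be the certificate of the gateway named in left=/right=, not of a site further behind it. The hosts, subnets and certificate file names are constructed placeholders, and the "first attempt" block at the end reconstructs the mistake from the earlier mail (right=h2 paired with rightcert=cert_h3.pem).

```python
"""Generate and sanity-check Openswan conn blocks for a hub-and-spoke VPN.

Topology (constructed for this example): spokes h1 and h3 each reach the
other spoke's subnet through hub h2, so every tunnel terminates at h2.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Gateway:
    host: str    # value used for left=/right= (hostname or IP)
    label: str   # short subnet label used in conn names, e.g. "s1"
    subnet: str  # CIDR used for leftsubnet=/rightsubnet=
    cert: str    # X.509 certificate this gateway presents


def conn(name, left, right, leftsubnet, rightsubnet):
    """One conn block. Each side's cert is the cert of the gateway named on
    that side; the subnet may belong to a site further behind it."""
    return name, {
        "left": left.host,
        "leftsubnet": leftsubnet,
        "leftcert": left.cert,
        "right": right.host,
        "rightsubnet": rightsubnet,
        "rightcert": right.cert,
    }


def spoke_conns(spoke, hub, other_spokes):
    """A spoke needs one conn per remote subnet, and all of them peer with the
    hub (right=hub), even when rightsubnet sits behind another spoke."""
    conns = [conn(f"{spoke.label}-{hub.label}", spoke, hub,
                  spoke.subnet, hub.subnet)]
    for other in other_spokes:
        conns.append(conn(f"{spoke.label}-{hub.label}-{other.label}",
                          spoke, hub, spoke.subnet, other.subnet))
    return conns


def hub_conns(hub, spokes):
    """Openswan decides at runtime which side is local, so the hub carries the
    same blocks as its spokes (two spokes with two conns each gives four)."""
    result = []
    for spoke in spokes:
        others = [s for s in spokes if s is not spoke]
        result.extend(spoke_conns(spoke, hub, others))
    return result


def check_conns(conns, gateways, local_host):
    """Problems for the blocks as loaded on local_host: a cert that does not
    belong to the gateway on its side, a block on which this host is neither
    side, or two blocks selecting the same local/remote subnet pair."""
    cert_of = {g.host: g.cert for g in gateways}
    problems, seen = [], {}
    for name, c in conns:
        for side in ("left", "right"):
            expected = cert_of.get(c[side])
            if c[side + "cert"] != expected:
                problems.append(f"{name}: {side}cert={c[side + 'cert']} is not "
                                f"the cert of {side}={c[side]} (expected {expected})")
        if local_host not in (c["left"], c["right"]):
            problems.append(f"{name}: neither side is {local_host}, unusable here")
            continue
        local_side = "left" if c["left"] == local_host else "right"
        remote_side = "right" if local_side == "left" else "left"
        pair = (c[local_side + "subnet"], c[remote_side + "subnet"])
        if pair in seen:
            problems.append(f"{name}: same local/remote subnets as {seen[pair]}")
        seen[pair] = name
    return problems


def render(conns):
    """Emit the blocks in ipsec.conf syntax."""
    out = []
    for name, c in conns:
        out.append(f"conn {name}")
        out.extend(f"\t{k}={v}" for k, v in c.items())
        out.append("")
    return "\n".join(out)


# Constructed topology: addresses, subnets and cert names are placeholders.
H1 = Gateway("192.0.2.1", "s1", "10.1.0.0/24", "cert_h1.pem")
H2 = Gateway("192.0.2.2", "s2", "10.2.0.0/24", "cert_h2.pem")
H3 = Gateway("192.0.2.3", "s3", "10.3.0.0/24", "cert_h3.pem")
GATEWAYS = [H1, H2, H3]

H1_CONNS = spoke_conns(H1, H2, [H3])
H3_CONNS = spoke_conns(H3, H2, [H1])
H2_CONNS = hub_conns(H2, [H1, H3])

# Reconstruction of the first attempt: the s1->s3 tunnel peers with h2 but
# was given h3's certificate, so the peer cert can never match.
BROKEN = [conn("s1-s3", H1, H2, H1.subnet, H3.subnet)]
BROKEN[0][1]["rightcert"] = "cert_h3.pem"

if __name__ == "__main__":
    print(render(H1_CONNS))
    print("hub blocks:", len(H2_CONNS))
    print("working config:", check_conns(H2_CONNS, GATEWAYS, H2.host))
    print("first attempt:", check_conns(BROKEN, GATEWAYS, H1.host))
```

Running it prints h1's two blocks (both with right=192.0.2.2 and rightcert=cert_h2.pem), reports four blocks for the hub, no problems for the working layout, and one problem for the reconstructed first attempt. The duplicate check is oriented by which side is local: on h2, the s1-s2-s3 and s3-s2-s1 blocks cover the same two subnets in opposite directions, which is exactly what the hub needs to re-encrypt s1<->s3 traffic, so they are not flagged.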
> -----Original Message-----
> From: users-bounces at openswan.org
> [mailto:users-bounces at openswan.org] On Behalf Of John Mok
> Sent: March 21, 2008 10:55 AM
> To: users at openswan.org
> Subject: Re: [Openswan Users] Solved - HOWTO configure multi-site VPNs
>
>
> I tried the following and it works now :-
>
> H1 ipsec.conf:
> conn s1-s2
> left=h1
> leftsubnet=s1
> leftcert=cert_h1.pem
> right=h2
> rightsubnet=s2
> rightcert=cert_h2.pem
>
> conn s1-s2-s3
> left=h1
> leftsubnet=s1
> leftcert=cert_h1.pem
> right=h2
> rightsubnet=s3
> rightcert=cert_h2.pem
>
> H2 ipsec.conf
> # conn's from both h1 above and h3 below, i.e. s1-s2, s1-s2-s3, s3-s2
> # and s3-s2-s1, total 4 connections
>
> H3 ipsec.conf
> conn s3-s2
> left=h3
> leftsubnet=s3
> leftcert=cert_h3.pem
> right=h2
> rightsubnet=s2
> rightcert=cert_h2.pem
>
> conn s3-s2-s1
> left=h3
> leftsubnet=s3
> leftcert=cert_h3.pem
> right=h2
> rightsubnet=s1
> rightcert=cert_h2.pem
>
> Thank you, John Mok
>
>
> John Mok wrote:
> > Hi Peter,
> >
> > Thank you very much for your reply.
> >
> > I am using x.509 certificates for encryption, and I tried the following
> > but have no luck :-
> >
> > H1 ipsec.conf:
> > conn s1-s2
> > left=h1
> > leftsubnet=s1
> > leftcert=cert_h1.pem
> > right=h2
> > rightsubnet=s2
> > rightcert=cert_h2.pem
> >
> > conn s1-s3
> > left=h1
> > leftsubnet=s1
> > leftcert=cert_h1.pem
> > right=h2
> > rightsubnet=s3
> > rightcert=cert_h3.pem
> >
> > H2 ipsec.conf
> > # conn's from both h1 above and h3 below, i.e. s1-s2, s1-s3, s3-s2 and
> > # s3-s1, total 4 connections
> >
> > H3 ipsec.conf
> > conn s3-s2
> > left=h3
> > leftsubnet=s3
> > leftcert=cert_h3.pem
> > right=h2
> > rightsubnet=s2
> > rightcert=cert_h2.pem
> >
> > conn s3-s1
> > left=h3
> > leftsubnet=s3
> > leftcert=cert_h3.pem
> > right=h2
> > rightsubnet=s1
> > rightcert=cert_h1.pem
> >
> > On h3, ipsec eroute showed the connection s3-s1 was in "trap" status. On
> > h2, both s1-s3 and s3-s1 connections were in "trap" status. Please advise
> > what went wrong.
> >
> > Thanks a lot.
> >
> > John Mok
> >
> >
> >
> > Peter McGill wrote:
> >> Once more: you cannot route traffic into ipsec tunnels.
> >> You must set up subnet conn's for them.
> >> I.e.:
> >>
> >> H1 ipsec.conf:
> >> conn s1-s2
> >> left=h1
> >> leftsubnet=s1
> >> right=h2
> >> rightsubnet=s2
> >>
> >> conn s1-s3
> >> left=h1
> >> leftsubnet=s1
> >> right=h2
> >> rightsubnet=s3
> >>
> >> H2 ipsec.conf
> >> # conn's from both h1 above and h3 below
> >>
> >> H3 ipsec.conf
> >> conn s3-s2
> >> left=h3
> >> leftsubnet=s3
> >> right=h2
> >> rightsubnet=s2
> >>
> >> conn s3-s1
> >> left=h3
> >> leftsubnet=s3
> >> right=h2
> >> rightsubnet=s1
> >>
> >>
> >> Peter McGill
> >>
> >>
> >
>