[Openswan Users] VPN Network Structure

Peter McGill petermcgill at goco.net
Fri Nov 21 13:09:52 EST 2008


Philip,

I think I understand what you're asking: essentially, to provide communication
to/from any subnet via IPSec you need to make a tunnel for that subnet.
(You cannot route traffic into a tunnel with routes.)

Since you haven't provided any subnet info, I'll use my own for an example.

I have 4 subnets (actually I have more, but 4 will provide the example.)

My London location has access to 2 subnets locally.
172.21.3.0/24 is the london lan, 172.21.11.0/24 is a subnet used for remote access.
My St. Marys location has access to 1 subnet locally.
172.21.1.0/24 is the st. marys lan.
My Highway #7 location has access to 1 subnet locally.
172.21.5.0/24 is the highway #7 lan.
St. Marys and Highway #7 are connected via direct dial-up since there
is no highspeed internet service available at the Highway #7 location.
We connect all four subnets by linking the London and St. Marys offices with openswan IPSec.

The relevant portion of my london ipsec.conf looks like this:

conn stmarys-office-net-to-london-office-net
        also=london-office
        leftsubnet=172.21.0.0/16
        leftsourceip=172.21.3.101
        alsoflip=stmarys-office
        rightsubnet=172.21.1.0/24
        auto=start

conn highway7-office-net-to-london-office-net
        also=london-office
        leftsubnet=172.21.0.0/16
        leftsourceip=172.21.3.101
        alsoflip=stmarys-office
        rightsubnet=172.21.5.0/24
        auto=start

conn london-office
        left=...
        leftnexthop=%defaultroute
        leftid=...
        leftrsasigkey=...

conn stmarys-office
        left=...
        leftnexthop=%defaultroute
        leftid=...
        leftrsasigkey=...

The relevant portion of my st. marys ipsec.conf looks like this:

conn stmarys-office-net-to-london-office-net
        also=stmarys-office
        leftsubnet=172.21.1.0/24
        leftsourceip=172.21.1.49
        alsoflip=london-office
        rightsubnet=172.21.0.0/16
        auto=start

conn highway7-office-net-to-london-office-net
        also=stmarys-office
        leftsubnet=172.21.5.0/24
        alsoflip=london-office
        rightsubnet=172.21.0.0/16
        auto=start

conn london-office
        left=...
        leftnexthop=%defaultroute
        leftid=...
        leftrsasigkey=...

conn stmarys-office
        left=...
        leftnexthop=%defaultroute
        leftid=...
        leftrsasigkey=...

Notice I've used two different methods for subnetting.

At the london office I've used the 172.21.0.0/16 subnet for the tunnel.
Which includes 172.21.3.0/24 and 172.21.11.0/24 in a single tunnel.
This works because routing uses the most specific route available, so
172.21.1.0/24 and 172.21.5.0/24 still get sent to the correct place,
even though they are also part of 172.21.0.0/16.

At the St. Marys office, I've used specific subnets, 1 tunnel for each.
So even though St. Marys only has 172.21.1.0/24 locally, I treat
172.21.5.0/24 as if it was a local lan in the ipsec.conf to provide
the ipsec tunnel for it. Local routing then passes its traffic between
the dial-up connection and the IPSec tunnel.

All four subnets can now communicate with each other.

Peter McGill
IT Systems Analyst
Gra Ham Energy Limited 

> -----Original Message-----
> From: users-bounces at openswan.org 
> [mailto:users-bounces at openswan.org] On Behalf Of Philip Mountifield
> Sent: November 21, 2008 8:05 AM
> To: Openswan
> Subject: [Openswan Users] VPN Network Structure
> 
> Hi,
> 
> I am a recent user of Openswan and this is my first post to the group,
> so greetings to you all.
> 
> I am currently in the process of setting up an Openswan VPN server to
> link to a number of devices such as Netgear routers (FVS114 and FVG318),
> a Chinese CDMA router (running Linux and Freeswan 1.99) and a central
> Openswan server (Openswan U2.6.14/K2.6.18-92.1.13.el5 (netkey)).
> 
> These devices are connected to the Openswan server and in their own
> right communicate very well and reliably. I have also setup the network
> local to the server to be able to access the various subnets via the
> server. Each device is on a different class C subnet with mask
> 255.255.255.0, most are fixed external IP and the CDMA link is dynamic.
> 
> With the setup described above I am able to access all of the subnets
> from the Openswan server and local LAN (due to some static routing info
> added to the router), and I am able to access the local LAN of the
> server from each of the subnets, but I am unsure how to alter the setup
> to allow selected subnets to communicate with each other via the
> Openswan server. Should I make the central subnet a different class such
> as A or B and then extrude sections of this larger subnet through the
> IPsec tunnels to the other locations or is there a way to pass
> additional routing information to the devices to let them know that
> certain other subnets are accessible through the VPN tunnel?
> 
> I am also unsure about how one should control which subnets can
> communicate with one another. Can this be done by disabling ip
> forwarding and instead constructing some suitable iptables rules?
> 
> Any advice is appreciated.
> 
> Kind regards
> 
> Philip
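The point Peter makes about the two subnetting methods (a single 172.21.0.0/16 selector at London versus one specific /24 per tunnel at St. Marys, with the most specific match winning where they overlap) can be checked on paper with a small model. The following Python is an added example, not code from Peter's post or from the Openswan project: it models the traffic selectors that the two ipsec.conf fragments install and answers, for a given source and destination, which conn (if any) carries the packet. The subnets and conn names are the ones from the post; the gateways' own addresses are not needed and are omitted. No IPsec is involved, it is purely a policy-lookup model.

```python
import ipaddress

# Constructed model of the IPsec policies (traffic selectors) that the
# ipsec.conf fragments in the post install, one row per conn:
# (local selector, remote selector, conn name). Subnets are the post's.
LONDON_POLICIES = [
    ("172.21.0.0/16", "172.21.1.0/24", "stmarys-office-net-to-london-office-net"),
    ("172.21.0.0/16", "172.21.5.0/24", "highway7-office-net-to-london-office-net"),
]

STMARYS_POLICIES = [
    ("172.21.1.0/24", "172.21.0.0/16", "stmarys-office-net-to-london-office-net"),
    ("172.21.5.0/24", "172.21.0.0/16", "highway7-office-net-to-london-office-net"),
]


def select_policy(src, dst, policies):
    """Pick the conn whose selectors cover a packet from src to dst.

    Mirrors the "most specific route wins" behaviour the post relies on:
    when several selector pairs cover the packet, the pair with the
    longest prefixes is chosen. Returns None when no tunnel covers the
    packet, i.e. it is forwarded in the clear by the ordinary routing table.
    """
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    best = None  # (combined prefix length, conn name)
    for local, remote, name in policies:
        local_net = ipaddress.ip_network(local)
        remote_net = ipaddress.ip_network(remote)
        if src_ip in local_net and dst_ip in remote_net:
            specificity = local_net.prefixlen + remote_net.prefixlen
            if best is None or specificity > best[0]:
                best = (specificity, name)
    return best[1] if best else None


def overlapping_selectors(policies):
    """Return (remote, local, conn) triples where one selector of a conn
    lies inside the other, as 172.21.1.0/24 lies inside 172.21.0.0/16.

    Such overlap only works because the more specific match wins; listing
    it is useful when debugging why traffic does or does not enter a tunnel.
    """
    found = []
    for local, remote, name in policies:
        local_net = ipaddress.ip_network(local)
        remote_net = ipaddress.ip_network(remote)
        if remote_net.subnet_of(local_net) or local_net.subnet_of(remote_net):
            found.append((remote, local, name))
    return found


def trace(label, src, dst, policies):
    """Print the decision for one constructed packet."""
    conn = select_policy(src, dst, policies)
    print(f"{label}: {src} -> {dst}: {conn or 'no tunnel, plain routing'}")


if __name__ == "__main__":
    # Constructed sample packets, one per situation described in the post.
    trace("london", "172.21.3.10", "172.21.1.20", LONDON_POLICIES)   # St. Marys tunnel
    trace("london", "172.21.11.4", "172.21.5.7", LONDON_POLICIES)    # Highway #7 tunnel
    trace("london", "172.21.3.10", "172.21.11.4", LONDON_POLICIES)   # both local, no tunnel
    trace("stmarys", "172.21.5.3", "172.21.3.9", STMARYS_POLICIES)   # dial-up side, via Highway #7 conn
    trace("stmarys", "172.21.1.49", "172.21.11.4", STMARYS_POLICIES)  # St. Marys LAN to London remote-access net
    for remote, local, name in overlapping_selectors(LONDON_POLICIES):
        print(f"london overlap: {remote} inside {local} ({name})")
```

Running the script shows the London side sending 172.21.3.x traffic for 172.21.1.0/24 and 172.21.5.0/24 into two different conns even though both destinations also fall inside its own 172.21.0.0/16 selector, while London-to-London traffic (172.21.3.0/24 to 172.21.11.0/24) matches no tunnel at all. Both policy tables report overlapping selectors, which is exactly the situation the post describes and is the first thing to check when a subnet unexpectedly stays out of (or goes into) a tunnel.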
