[Openswan Users] VPN Network Structure
Philip Mountifield
pmountifield at formac.net
Tue Nov 25 09:00:31 EST 2008
Peter,
Many thanks for your advice. By using the larger subnet for the server
end of the configuration the traffic passes to the server as I wanted
and can then be passed on to another tunnel. I also see that it passes
through the standard iptables rules, which have allowed me to control what
may communicate with each other.
Kind regards
Philip Mountifield
Peter McGill wrote:
> Philip,
>
> I think I understand what you're asking, essentially to provide communication
> to/from any subnet via IPSec you need to make a tunnel for that subnet.
> (You cannot route traffic into a tunnel with routes.)
>
> Since you haven't provided any subnet info, I'll use my own for an example.
>
> I have 4 subnets (actually I have more, but 4 will provide the example.)
>
> My London location has access to 2 subnets locally.
> 172.21.3.0/24 is the london lan, 172.21.11.0/24 is a subnet used for remote access.
> My St. Marys location has access to 1 subnet locally.
> 172.21.1.0/24 is the st. marys lan.
> My Highway #7 location has access to 1 subnet locally.
> 172.21.5.0/24 is the highway #7 lan.
> St. Marys and Highway #7 are connected via direct dial-up since there
> is no highspeed internet service available at the Highway #7 location.
> We connect all four subnets by linking the London and St. Marys offices with openswan IPSec.
>
> The relevant portion of my london ipsec.conf looks like this:
>
> conn stmarys-office-net-to-london-office-net
> also=london-office
> leftsubnet=172.21.0.0/16
> leftsourceip=172.21.3.101
> alsoflip=stmarys-office
> rightsubnet=172.21.1.0/24
> auto=start
>
> conn highway7-office-net-to-london-office-net
> also=london-office
> leftsubnet=172.21.0.0/16
> leftsourceip=172.21.3.101
> alsoflip=stmarys-office
> rightsubnet=172.21.5.0/24
> auto=start
>
> conn london-office
> left=...
> leftnexthop=%defaultroute
> leftid=...
> leftrsasigkey=...
>
> conn stmarys-office
> left=...
> leftnexthop=%defaultroute
> leftid=...
> leftrsasigkey=...
>
> The relevant portion of my st. marys ipsec.conf looks like this:
>
> conn stmarys-office-net-to-london-office-net
> also=stmarys-office
> leftsubnet=172.21.1.0/24
> leftsourceip=172.21.1.49
> alsoflip=london-office
> rightsubnet=172.21.0.0/16
> auto=start
>
> conn highway7-office-net-to-london-office-net
> also=stmarys-office
> leftsubnet=172.21.5.0/24
> alsoflip=london-office
> rightsubnet=172.21.0.0/16
> auto=start
>
> conn london-office
> left=...
> leftnexthop=%defaultroute
> leftid=...
> leftrsasigkey=...
>
> conn stmarys-office
> left=...
> leftnexthop=%defaultroute
> leftid=...
> leftrsasigkey=...
>
> Notice I've used two different methods for subnetting.
>
> At the london office I've used the 172.21.0.0/16 subnet for the tunnel.
> Which includes 172.21.3.0/24 and 172.21.11.0/24 in a single tunnel.
> This works because routing uses the most specific route available, so
> 172.21.1.0/24 and 172.21.5.0/24 still get sent to the correct place,
> even though they are also part of 172.21.0.0/16.
>
> At the St. Marys office, I've used specific subnets, 1 tunnel for each.
> So even though St. Marys only has 172.21.1.0/24 locally, I treat
> 172.21.5.0/24 as if it was a local lan in the ipsec.conf to provide
> the ipsec tunnel for it. Local routing then passes its traffic between
> the dial-up connection and the IPSec tunnel.
>
> All four subnets can now communicate with each other.
>
> Peter McGill
> IT Systems Analyst
> Gra Ham Energy Limited
>
>
>> -----Original Message-----
>> From: users-bounces at openswan.org
>> [mailto:users-bounces at openswan.org] On Behalf Of Philip Mountifield
>> Sent: November 21, 2008 8:05 AM
>> To: Openswan
>> Subject: [Openswan Users] VPN Network Structure
>>
>> Hi,
>>
>> I am a recent user of Openswan and this is my first post to the group,
>> so greetings to you all.
>>
>> I am currently in the process of setting up an Openswan VPN server to
>> link to a number of devices such as Netgear routers (FVS114 and FVG318),
>> a Chinese CDMA router (running Linux and Freeswan 1.99) and a central
>> Openswan server (Openswan U2.6.14/K2.6.18-92.1.13.el5 (netkey)).
>>
>> These devices are connected to the Openswan server and in their own
>> right communicate very well and reliably. I have also set up the network
>> local to the server to be able to access the various subnets via the
>> server. Each device is on a different class C subnet with mask
>> 255.255.255.0, most are fixed external IP and the CDMA link is dynamic.
>>
>> With the setup described above I am able to access all of the subnets
>> from the Openswan server and local LAN (due to some static routing info
>> added to the router), and I am able to access the local LAN of the
>> server from each of the subnets, but I am unsure how to alter the setup
>> to allow selected subnets to communicate with each other via the
>> Openswan server. Should I make the central subnet a different class such
>> as A or B and then extrude sections of this larger subnet through the
>> IPsec tunnels to the other locations or is there a way to pass
>> additional routing information to the devices to let them know that
>> certain other subnets are accessible through the VPN tunnel?
>>
>> I am also unsure about how one should control which subnets can
>> communicate with one another. Can this be done by disabling ip
>> forwarding and instead constructing some suitable iptables rules?
>>
>> Any advice is appreciated.
>>
>> Kind regards
>>
>> Philip
>>
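A worked model of the subnet selection Peter describes above, added here as an example (it is not code from the thread or from Openswan). The tunnel tables are constructed from the two ipsec.conf excerpts, and the longest-prefix rule is a model of the kernel's policy lookup, not Openswan's own implementation; it also shows that a hypothetical catch-all /16-to-/16 tunnel would not steal traffic from the more specific /24 tunnels.

```python
import ipaddress

# Constructed tunnel tables modelled on the two ipsec.conf excerpts in the
# thread: (conn name, leftsubnet, rightsubnet) as seen from each gateway.
# London puts its whole /16 behind each tunnel; St. Marys uses one /24 per
# tunnel and treats the dial-up-reached Highway #7 net as if it were local.
LONDON_TUNNELS = [
    ("stmarys-office-net-to-london-office-net", "172.21.0.0/16", "172.21.1.0/24"),
    ("highway7-office-net-to-london-office-net", "172.21.0.0/16", "172.21.5.0/24"),
]
STMARYS_TUNNELS = [
    ("stmarys-office-net-to-london-office-net", "172.21.1.0/24", "172.21.0.0/16"),
    ("highway7-office-net-to-london-office-net", "172.21.5.0/24", "172.21.0.0/16"),
]


def select_tunnel(tunnels, src, dst):
    """Return the conn name that carries src->dst, or None if no tunnel covers it.

    Models the "most specific route wins" rule Peter relies on: among every
    tunnel whose subnet pair contains (src, dst) in either direction, the pair
    with the longest combined prefix wins, so a /24 tunnel beats an overlapping
    /16 one.  This is a model of the policy lookup, not Openswan's own code.
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    best_name, best_len = None, -1
    for name, left, right in tunnels:
        lnet, rnet = ipaddress.ip_network(left), ipaddress.ip_network(right)
        # An IPsec policy pair covers both directions of the same tunnel,
        # so replies (src in rightsubnet, dst in leftsubnet) match too.
        forward = src_ip in lnet and dst_ip in rnet
        reverse = src_ip in rnet and dst_ip in lnet
        if forward or reverse:
            plen = lnet.prefixlen + rnet.prefixlen
            if plen > best_len:
                best_name, best_len = name, plen
    return best_name


if __name__ == "__main__":
    # London LAN host to St. Marys LAN host goes into the St. Marys tunnel.
    print(select_tunnel(LONDON_TUNNELS, "172.21.3.10", "172.21.1.20"))
    # Highway #7 host (reached via dial-up) to London uses St. Marys' second tunnel.
    print(select_tunnel(STMARYS_TUNNELS, "172.21.5.7", "172.21.3.10"))
```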