[Openswan Users] Routing to non open swan networks

Peter McGill petermcgill at goco.net
Mon Apr 20 10:23:16 EDT 2009


First you have to understand that every communication path needs a conn definition.
You cannot route traffic into an ipsec tunnel; this is the way ipsec is designed.
Second, each path must be allowed to pass through the firewall.
Third, you're using really old (buggy/broken) versions; you really should upgrade
all sites to openswan 2.4.14 from http://openswan.org/code/

For example (brussels ipsec.conf):
conn brussels-france
	left=brussels-internet-ip
	right=france-internet-ip
	leftsubnet=brussels-subnet
	rightsubnet=france-subnet
	...

conn japan-france
	left=brussels-internet-ip
	right=france-internet-ip
	leftsubnet=japan-subnet
	rightsubnet=france-subnet
	...

conn brussels-newsite1
	left=brussels-internet-ip
	right=newsite1-internet-ip
	leftsubnet=brussels-subnet
	rightsubnet=newsite1-subnet
	...

conn japan-newsite1
	left=brussels-internet-ip
	right=newsite1-internet-ip
	leftsubnet=japan-subnet
	rightsubnet=newsite1-subnet
	...

(france ipsec.conf):
conn brussels-france
	left=france-internet-ip
	right=brussels-internet-ip
	leftsubnet=france-subnet
	rightsubnet=brussels-subnet
	...

conn japan-france
	left=france-internet-ip
	right=brussels-internet-ip
	leftsubnet=france-subnet
	rightsubnet=japan-subnet
	...

conn france-newsite1
	left=france-internet-ip
	right=newsite1-internet-ip
	leftsubnet=france-subnet
	rightsubnet=newsite1-subnet
	...

(newsite1 ipsec.conf):
conn brussels-newsite1
	left=newsite1-internet-ip
	right=brussels-internet-ip
	leftsubnet=newsite1-subnet
	rightsubnet=brussels-subnet
	...

conn japan-newsite1
	left=newsite1-internet-ip
	right=brussels-internet-ip
	leftsubnet=newsite1-subnet
	rightsubnet=japan-subnet
	...

conn france-newsite1
	left=newsite1-internet-ip
	right=france-internet-ip
	leftsubnet=newsite1-subnet
	rightsubnet=france-subnet
	...

That's all the configuration needed for openswan. I use this method to connect 4 sites in a mesh +1 site off another like your japan
site, so I know it works. Note, your japan connection will also need to allow/route the new subnet traffic for the new sites. And
each openswan router should have a public internet ip, if it's instead behind a NAT router, then things get more complicated.

Peter McGill
IT Systems Analyst
Gra Ham Energy Limited 
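The rule above (one conn per subnet pair, mirrored on both gateways, with the hub carrying the subnet of a site that has no Openswan gateway of its own) is easy to get wrong by hand once there are more than three sites. The following is an added example, not code from the original post or from the Openswan project: a small Python generator that emits the conn stanzas for every gateway from a single topology table and then checks that each conn exists on both ends with left/right and the subnets swapped. The site names follow the reply; the public IPs, subnets and the `auto=start` line standing in for the "..." are constructed placeholders.

```python
"""Generate mirrored Openswan conn stanzas for a mesh plus a hub-routed subnet.

Added example (not from the original post). Every (local subnet, remote subnet)
pair that crosses two Openswan gateways gets its own conn, rendered on both
gateways with left/right mirrored. All addresses below are constructed.
"""
from itertools import combinations

# Constructed topology: gateway name -> public IP.
GATEWAY_IP = {
    "brussels": "198.51.100.1",
    "france":   "198.51.100.2",
    "newsite1": "198.51.100.3",
}

# subnet name -> (cidr, Openswan gateway that fronts it).  "japan" has no
# Openswan gateway; brussels reaches it over a separate router, so brussels
# must carry japan's subnet in its own conns (the point made in the reply).
SUBNETS = {
    "brussels": ("10.1.0.0/16", "brussels"),
    "japan":    ("10.4.0.0/16", "brussels"),
    "france":   ("10.2.0.0/16", "france"),
    "newsite1": ("10.3.0.0/16", "newsite1"),
}


def tunnel_pairs():
    """Unordered subnet pairs that need a tunnel: those on different gateways.
    brussels/japan share a gateway, so that pair is plain local routing."""
    return [(a, b) for a, b in combinations(SUBNETS, 2)
            if SUBNETS[a][1] != SUBNETS[b][1]]


def conn_name(a, b):
    """Conn name from the pair order produced by tunnel_pairs()."""
    return f"{a}-{b}"


def render_conn(gateway, local, remote):
    """One conn stanza as seen from `gateway`: left is always the local side."""
    remote_gw = SUBNETS[remote][1]
    return "\n".join([
        f"conn {conn_name(local, remote)}",
        f"\tleft={GATEWAY_IP[gateway]}",
        f"\tright={GATEWAY_IP[remote_gw]}",
        f"\tleftsubnet={SUBNETS[local][0]}",
        f"\trightsubnet={SUBNETS[remote][0]}",
        "\tauto=start",  # placeholder for the "..." in the reply
    ])


def gateway_config(gateway):
    """Return {conn_name: stanza} for every tunnel this gateway terminates."""
    conns = {}
    for a, b in tunnel_pairs():
        if SUBNETS[a][1] == gateway:
            local, remote = a, b
        elif SUBNETS[b][1] == gateway:
            local, remote = b, a
        else:
            continue  # this pair does not touch this gateway
        # Name from the canonical (a, b) order so both ends agree on it.
        stanza = render_conn(gateway, local, remote)
        conns[conn_name(a, b)] = stanza.replace(
            f"conn {conn_name(local, remote)}", f"conn {conn_name(a, b)}", 1)
    return conns


def all_configs():
    return {gw: gateway_config(gw) for gw in GATEWAY_IP}


def parse(stanza):
    """Turn a rendered stanza back into {key: value} (skips the 'conn' line)."""
    return dict(line.strip().split("=", 1) for line in stanza.splitlines()[1:])


def check_symmetry(configs):
    """Names of conns missing on one end or whose left/right are not mirrored.
    A one-sided conn is the classic cause of 'tunnel is up but packets for
    that subnet never enter it'."""
    problems = []
    for a, b in tunnel_pairs():
        name = conn_name(a, b)
        ga, gb = SUBNETS[a][1], SUBNETS[b][1]
        if name not in configs.get(ga, {}) or name not in configs.get(gb, {}):
            problems.append(name)
            continue
        sa, sb = parse(configs[ga][name]), parse(configs[gb][name])
        if (sa["left"] != sb["right"] or sa["right"] != sb["left"]
                or sa["leftsubnet"] != sb["rightsubnet"]
                or sa["rightsubnet"] != sb["leftsubnet"]):
            problems.append(name)
    return problems


if __name__ == "__main__":
    cfg = all_configs()
    for gw, conns in cfg.items():
        print(f"# {gw} ipsec.conf")
        print("\n\n".join(conns.values()), end="\n\n")
    print("asymmetric or missing conns:", check_symmetry(cfg))
```

Running it prints the same four/three/three stanzas per gateway that the reply lists by hand. The symmetry check is the useful part when a site is added later: delete one stanza from one side and it names the pair whose traffic will never be tunnelled, which is exactly the "VPN connects but won't route through to Japan" symptom.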

> -----Original Message-----
> From: users-bounces at openswan.org 
> [mailto:users-bounces at openswan.org] On Behalf Of Ian Cottee
> Sent: April 20, 2009 9:27 AM
> To: users at openswan.org
> Subject: [Openswan Users] Routing to non open swan networks
> 
> I've had an OpenSwan/FreeSwan setup for quite a while. A customer of
> ours has a main office in Brussels and a satellite office in France.
> We connected the two together and due to history their main office is
> running a different version from the other.
> 
> On the main office ipsec --version is showing me:
> 
>     Linux FreeS/WAN U2.04/K(no kernel code presently loaded)
> 
> The brussels office shows me
> 
>     Linux Openswan U2.4.9/K2.6.24-19-server (netkey)
> 
> A little bit further along the line the office in Brussels had an
> external router connection to Japan put in and they asked us to allow
> for the users in France to connect through to it. I managed to get the
> VPNs to allow this although it took me a while. By looking at the
> configs it appears I duplicated the connection for Brussels to Europe
> on both sides and just changed the europe side subnet to be the
> Japanese network subnet. Then I did a "route add" on the Belgian
> firewall to route traffic to the Japanese router for the Japanese
> network. It worked, to my amazement.
> 
> Now we have two new offices running Ubuntu Hardy Heron. ipsec 
> version gives me.
> 
>     Linux Openswan U2.4.9/K2.6.24-19-server (netkey)
> 
> For the life of me I can't get these new offices to talk to the Japanese
> network. The VPN connects, can talk to the Brussels office network but
> won't route through to Japan. Firewall rules seem fine, routing rules
> seem fine but I'm not even seeing packets attempt to hit the other
> side of the vpn. So before pouring out piles of barf and stuff can I
> ask a couple of simple questions:
> 
> 1. Would moving all nodes to the same version make this easier?
> 2. Is what I am trying to do documented specifically somewhere?
> 
> I've been through loads of docs. The closest I've found has been
> 
> http://wiki.openswan.org/index.php/Openswan/MultipleTunnelsBetweenTheSameTwoGateways
> 
> I can't get it to work but it would be helpful to know that is
> basically what I'm trying to replicate.
> 
> Any advice gratefully received - and if necessary I'll do a full list
> of the configs but would like to try and make some headway myself.
> 
> Ian
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan: 
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
