[Openswan Users] Multiple left and right subnets
Paul Wouters
paul at xelerance.com
Thu May 7 16:21:44 EDT 2009
On Thu, 7 May 2009, Laurent CARON wrote:
> Managing tunnels becomes a real nightmare considering:
> - 10 boxes
> - 10 subnets behind each box
>
> It means a real lot of tunnels since the subnets are not contiguous
> (192.168.0.0/24 172.16.0.0/26 10.0.0.0/19 ...)
>
> What is the best way to deal with such a situation to avoid having 10
> times the same subnet declarations ?
There are a few ways. Using the also= keyword, you can create
sections that can be used via include in ipsec.conf. You can
then create one include file, and push this to all machines.
Then you can use something like:
# One tunnel between a subnet behind gateway A and one behind gateway B.
# The endpoint addresses and keys come from the shared sections below.
conn NetA-NetB
        rightsubnet=xxxx
        leftsubnet=yyyyy
        # pulls in left= and leftrsasigkey=
        also=base-gwA
        # pulls in right= and rightrsasigkey=
        also=base-gwB
        auto=start

# Shared gateway definitions, declared once and referenced via also=.
conn base-gwA
        left=1.2.3.4
        leftrsasigkey=xxxxx

conn base-gwB
        right=5.6.7.8
        rightrsasigkey=xxxxx
On openswan-2.4.x you can use the alsoflip= keyword to have it flip
the left and right, so you don't get conflicts with two base conns.
On openswan-2.6.x you can use the leftsubnets= and rightsubnets= keywords.
Note these are plural, e.g. you can use:
leftsubnets={1.2.3.0/24,5.6.7.0/24,10.10.0.0/16}
rightsubnets={3.2.1.0/24,10.200.11.0/24,12.12.0.0/16}
This will cause openswan to instantiate 3x3=9 tunnels.
Paul
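The script below is an added example, not code from Paul's reply or from the Openswan project. It generates the single include file Paul describes for a mesh of gateways on openswan-2.6.x: one base section per gateway and side (a left-flavoured and a right-flavoured copy, which is how it sidesteps the left/right conflict that alsoflip= solves on 2.4.x), and one conn per gateway pair using leftsubnets=/rightsubnets= so the N×M tunnels come from one declaration. It also refuses to emit overlapping subnets, since two tunnels claiming the same address space give ambiguous IPsec policy, and can filter the output to conns involving one host, because a box that is neither end of a conn cannot orient it. The gateway names gwA/gwB/gwC, the address 9.10.11.12, the keys and the include path are all constructed placeholders; the subnet lists reuse the values quoted in this thread.

```python
"""Generate an openswan-2.6 ipsec.conf include for a mesh of gateways.

Added example; not code from the original post or from Openswan.
All gateway names, addresses and keys below are constructed placeholders.
"""
import ipaddress
from itertools import combinations

# Constructed inventory: gateway name -> endpoint address, RSA pubkey, subnets.
GATEWAYS = {
    "gwA": {"ip": "1.2.3.4", "rsasigkey": "0sAQPLACEHOLDERKEYA",
            "subnets": ["1.2.3.0/24", "5.6.7.0/24", "10.10.0.0/16"]},
    "gwB": {"ip": "5.6.7.8", "rsasigkey": "0sAQPLACEHOLDERKEYB",
            "subnets": ["3.2.1.0/24", "10.200.11.0/24", "12.12.0.0/16"]},
    "gwC": {"ip": "9.10.11.12", "rsasigkey": "0sAQPLACEHOLDERKEYC",
            "subnets": ["192.168.0.0/24", "172.16.0.0/26", "10.0.0.0/19"]},
}


def all_subnets():
    """Every subnet declared on every gateway, in inventory order."""
    return [s for gw in GATEWAYS.values() for s in gw["subnets"]]


def find_overlaps(subnets):
    """Return (a, b) pairs of CIDRs that overlap.

    Overlapping subnets on different tunnels make the kernel policy
    ambiguous, so the generator refuses to emit a config containing any.
    strict=True also rejects host bits set in a prefix (e.g. 10.0.0.1/24).
    """
    nets = [(s, ipaddress.ip_network(s, strict=True)) for s in subnets]
    return [(a, b) for (a, na), (b, nb) in combinations(nets, 2)
            if na.overlaps(nb)]


def tunnel_count(a, b):
    """Tunnels openswan instantiates for one conn: |leftsubnets| x |rightsubnets|."""
    return len(GATEWAYS[a]["subnets"]) * len(GATEWAYS[b]["subnets"])


def total_tunnels(local=None):
    """Tunnels across the mesh, optionally only those involving one gateway."""
    names = sorted(GATEWAYS)
    return sum(tunnel_count(a, b) for a, b in combinations(names, 2)
               if local is None or local in (a, b))


def base_sections(name):
    """Shared endpoint definitions for one gateway.

    Both a left= and a right= flavour are emitted: the gateway that sorts
    first in a pair is always 'left', so each gateway needs one of each.
    This replaces alsoflip= from openswan-2.4.x.
    """
    gw = GATEWAYS[name]
    return "\n".join(
        f"conn base-{name}-{side}\n"
        f"\t{side}={gw['ip']}\n"
        f"\t{side}rsasigkey={gw['rsasigkey']}\n"
        for side in ("left", "right"))


def pair_section(a, b):
    """One conn covering every subnet pair between gateways a (left) and b (right)."""
    ga, gb = GATEWAYS[a], GATEWAYS[b]
    return (f"conn {a}-{b}\n"
            f"\tleftsubnets={{{','.join(ga['subnets'])}}}\n"
            f"\trightsubnets={{{','.join(gb['subnets'])}}}\n"
            f"\talso=base-{a}-left\n"
            f"\talso=base-{b}-right\n"
            f"\tauto=start\n")


def render(local=None):
    """Render the include file; with local=<gw>, only conns that gateway can orient."""
    overlaps = find_overlaps(all_subnets())
    if overlaps:
        raise ValueError(f"overlapping subnets, refusing to emit: {overlaps}")
    names = sorted(GATEWAYS)  # deterministic left/right assignment
    parts = [base_sections(n) for n in names]
    for a, b in combinations(names, 2):
        if local is None or local in (a, b):
            parts.append(pair_section(a, b))
    return "\n".join(parts)


if __name__ == "__main__":
    print(render())
```

Write the output to a file such as /etc/ipsec.d/sites.conf (a hypothetical path) and reference it from ipsec.conf with an include line. With the three constructed gateways above the full mesh is three conns that instantiate 27 tunnels; rendering with local="gwA" drops the gwB-gwC conn, which gwA could not orient anyway.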