[Openswan Users] specifying remote subnets and connecting to individual hosts on a remote vpn
Frank Wilson
frank.wilson at sidonis.com
Mon May 18 10:42:43 EDT 2009
We managed to get the tunnel working on Friday. The guys on the other end had their firewall configured wrongly.

Unfortunately, as we worked through various permutations of configurations we finished with a per-host configuration (as opposed to a subnet based configuration).

So instead of having this:
conn remote_site_subnet_a
        rightsubnet=10.130.245.105/30   # SMALL SUBNET A
        also=remote_site

conn remote_site_subnet_b
        rightsubnet=10.120.100.105/30   # SMALL SUBNET B
        also=remote_site

conn remote_site
        left=aa.bb.cc.dd                # our public ip
        right=ww.xx.yy.zz               # remote site vpn gateway (public ip)
        authby=secret
        keylife=3600s
        ikelifetime=28000s
        ike=aes128-sha1
        esp=aes128-sha1
        pfs=no
        auto=add
I have this:
conn remote_site_subnet_a1
        rightsubnet=10.130.245.105/32   # SINGLE HOST ONLY
        also=remote_site

conn remote_site_subnet_a2
        rightsubnet=10.130.245.106/32   # SINGLE HOST ONLY
        also=remote_site

...

conn remote_site_subnet_b1
        rightsubnet=10.120.100.105/32   # SINGLE HOST ONLY
        also=remote_site

...

conn remote_site
        left=aa.bb.cc.dd                # our public ip
        right=ww.xx.yy.zz               # remote site vpn gateway (public ip)
        authby=secret
        keylife=3600s
        ikelifetime=28000s
        ike=aes128-sha1
        esp=aes128-sha1
        pfs=no
        auto=add
Now if I wanted to bring this connection up manually I would need 6 commands and not two as I did earlier. I can't go back to the subnet configuration because if Openswan doesn't announce that it wants to connect to individual hosts the Cisco ASA will kick me off. I can't really ask the guy on the other end to change his configuration for "aesthetic reasons".

In the end, if I have to, I'll write a script to launch all 6 commands. However, I was wondering: does Openswan have any functionality to group connections to individual hosts through a VPN gateway into one connection?

I looked into policy groups but it seems that these are for groups of IPsec peers, not hosts that you want to route through an IPsec peer.
Thanks,
Frank
-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com]
Sent: 15 May 2009 14:19
To: Frank Wilson
Cc: users at openswan.org
Subject: Re: [Openswan Users] specifying remote subnets and connecting to individual hosts on a remote vpn
Ciscos tend to lie about that, e.g. they will allow phase 2, but still drop the packets later. Ask the Cisco admin what they configured exactly.
Paul
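An added example, not part of Frank's mail or of Openswan's own tooling: the small script Frank says he may end up writing, which brings up (or tears down) every per-host conn that shares a name prefix with a single command instead of six separate "ipsec auto --up" invocations. It assumes the conn names follow the remote_site_subnet_ pattern from the mail and that the conns live in /etc/ipsec.conf; the IPSEC_BIN variable is an assumed override so the script can be dry-run with echo. The embedded ipsec.conf is a constructed sample with three of the hosts, not the real file.

```shell
#!/bin/sh
# Added example (not from the thread): one command to manage a set of
# per-host Openswan conns that share a name prefix.
set -eu

IPSEC_BIN="${IPSEC_BIN:-ipsec}"   # assumed override; set to "echo" for a dry run

# Print the names of all "conn <name>" sections in file $1 whose name starts
# with prefix $2. Only section headers are read; parameters are ignored, so
# the shared template (conn remote_site) and %default never match unless the
# prefix says so.
list_conns() {
    sed -n 's/^conn[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$1" \
        | grep -e "^$2" || true
}

# manage_conns ACTION PREFIX [CONF]
# Runs "ipsec auto ACTION <conn>" (e.g. --up or --down) for every matching
# conn and returns the number of failures, so a partially established set of
# tunnels is visible to the caller rather than silently ignored.
manage_conns() {
    action="$1"; prefix="$2"; conf="${3:-/etc/ipsec.conf}"; failed=0
    for conn in $(list_conns "$conf" "$prefix"); do
        if ! "$IPSEC_BIN" auto "$action" "$conn"; then
            echo "conn $conn: '$IPSEC_BIN auto $action' failed" >&2
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Constructed sample mirroring the per-host layout in the mail (three hosts).
SAMPLE_CONF="$(mktemp)"
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
conn remote_site_subnet_a1
        rightsubnet=10.130.245.105/32
        also=remote_site
conn remote_site_subnet_a2
        rightsubnet=10.130.245.106/32
        also=remote_site
conn remote_site_subnet_b1
        rightsubnet=10.120.100.105/32
        also=remote_site
conn remote_site
        left=aa.bb.cc.dd
        right=ww.xx.yy.zz
        authby=secret
        auto=add
EOF

# Dry run against the sample in a subshell so the echo override stays local:
# prints "auto --up remote_site_subnet_a1" and so on instead of executing.
( IPSEC_BIN=echo; manage_conns --up remote_site_subnet_ "$SAMPLE_CONF" )
```

On a real gateway, drop the sample block and call manage_conns --up remote_site_subnet_ (and --down with the same prefix) after ipsec auto --add has loaded the conns; the non-zero return count is the thing to alert on, since an incomplete set of /32 tunnels looks like a working VPN from the gateway while individual hosts stay unreachable.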