[Openswan Users] Multiple RoadWarrior
Kail
kaildio at gmail.com
Sun Apr 25 16:21:19 EDT 2010
Dear all,
I'd like to ask for advice regarding the use of ipsec and openswan in
a somewhat strange situation; please excuse me if this isn't the right
place.
I have an ipsec gateway server (let's call it 'gw') with openswan
installed; it has a single interface (eth0) connected with a public
static ip.
Then, I have hundreds of RoadWarrior systems (called 'rw'), each composed
of 2 pieces:
- a gw with one interface connected to the internet (ppp0) with a dynamic
ip and one internal interface (eth0)
- another pc ('peer'), the one I want to reach, connected to the same
net as the internal interface of the local gw
So, I have:
gw:eth0:80.180.192.xxx
First RoadWarrior
rw1:gw:ppp0:unknown
rw1:gw:eth0:10.1.1.1/24
rw1:peer:eth0:10.1.1.2/24
Second RoadWarrior
rw2:gw:ppp0:unknown
rw2:gw:eth0:10.1.2.1/24
rw2:peer:eth0:10.1.2.2/24
The RoadWarriors don't run openswan; they're embedded devices. Only
PSK auth is supported.
I have the following constraints:
- all RoadWarriors' tunnels can be active at the same time
- RoadWarriors can't reach other RWs via ipsec tunnels even if someone
changes their configuration (assume they are not in a safe place)
- "Peer" can reach the GW using the tunnel (GW has a tunneled ipaddr)
- GW can reach all RoadWarriors' 'peer' whose gw has the tunnel up,
at the same time
I can't use Opportunistic.
Is this technically possible? What are the "trickiest" parts?
Can you please point me toward the right openswan settings?
Here is my guess, still to be tested since the roadwarriors are not ready yet.
# Shared template; ipsec.conf requires the parameters of a conn
# section to be indented.
conn roadwarrior-base
    authby=secret            # PSK auth (Openswan defaults to rsasig)
    pfs=no
    left=%defaultroute
    leftsubnet=10.0.0.1/32   # the gateway's tunneled address only
    leftsourceip=10.0.0.1
    right=%any               # RoadWarrior gw has a dynamic ip
    auto=add

# One conn per RoadWarrior; also= must be the last line of the section.
conn roadwarrior1
    rightsubnet=10.1.1.0/24
    also=roadwarrior-base

conn roadwarrior2
    rightsubnet=10.1.2.0/24
    also=roadwarrior-base
Thanks for your time reading this.
Best regards,
Andrea Cuneo
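Added example, not part of the original post or of Openswan itself: a small Python check that parses a constructed copy of the conn sections above, resolves also= inheritance, and reports which tunnel's selectors would carry a given src->dst pair. It assumes the /32 leftsubnet from the post and reasons only about IPsec selectors, not about what the gateway's routing or firewall does with traffic that matches none of them.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the conn sections from the post, trimmed to the
# keys that matter for traffic selectors and indented as ipsec.conf needs.
SAMPLE_CONF = """\
conn roadwarrior-base
    left=%defaultroute
    leftsubnet=10.0.0.1/32
    right=%any
conn roadwarrior1
    rightsubnet=10.1.1.0/24
    also=roadwarrior-base
conn roadwarrior2
    rightsubnet=10.1.2.0/24
    also=roadwarrior-base
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} with also= sections merged in."""
    raw, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"^conn\s+(\S+)", line)
        if m:
            cur = raw.setdefault(m.group(1), {})
        elif cur is not None and "=" in line:
            k, v = line.strip().split("=", 1)
            cur[k] = v
    def resolve(name, seen=()):
        conf = dict(raw[name])
        base = conf.pop("also", None)
        if base is None:
            return conf
        if base in seen:
            raise ValueError("also= loop via %s" % base)
        merged = resolve(base, seen + (name,))
        merged.update(conf)  # a conn's own keys override inherited ones
        return merged
    return {n: resolve(n) for n in raw}

def tunnel_for(conns, src, dst):
    """Name of the conn whose selectors would carry src->dst, else None."""
    s, d = ip_address(src), ip_address(dst)
    for name, c in conns.items():
        if "rightsubnet" not in c:
            continue  # template section, not a tunnel
        left, right = ip_network(c["leftsubnet"]), ip_network(c["rightsubnet"])
        if (s in left and d in right) or (s in right and d in left):
            return name
    return None  # no SA selector covers this pair
```

With the /32 leftsubnet, a packet from rw1's peer to rw2's peer matches no selector, which is the selector-level half of the "RWs can't reach each other" constraint.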