[Openswan Users] Multiple RoadWarrior
paul at xelerance.com
Mon Apr 26 13:37:05 EDT 2010
On Sun, 25 Apr 2010, Kail wrote:
> I'd like to ask for advice regarding the use of ipsec and openswan in
> a somewhat strange situation; please excuse me if this isn't the right
> I've an ipsec gateway server (let's call it 'gw' ) with openswan
> installed; it has a single interface (eth0) connected with a public
> static ip.
> Then, I've hundreds of RoadWarrior systems ( called 'rw' ) composed
> of 2 pieces:
> - a gw with one interface connected to internet ( ppp0 ) with dynamic
> ip and one internal interface ( eth0 )
> - another pc ( 'peer' ), the one i want to reach connected on the same
> net as the internal interface of the local gw
That should work fine.
> So, I've:
> First RoadWarrior
> Second RoadWarrior
> The RoadWarriors don't run openswan, they're embedded devices. Only
> PSK auth supported.
> I have the following constraints:
> - all RoadWarriors' tunnels can be active at the same time
> - RoadWarriors can't reach other RWs via ipsec tunnels even if someone
> changes their configuration ( assume they are not in a safe place )
> - "Peer" can reach the GW using the tunnel ( GW has a tunneled ipaddr )
> - GW can reach all RoadWarriors' 'peer' whose gw have the tunnel up,
> at the same time
Should be fine too.
> conn roadwarrior-base
Where does 10.0.0.1/32 come from? It should not be needed. Unless
you specifically want 1 internal IP to be reachable.
> conn roadwarrior1
> conn roadwarrior2
So you are building two tunnels? From 10.0.0.1/32 to 10.1.1.0/24 and 10.1.2.0/24.
Oh I see. Each roadwarrior has its own subnet? Then you most likely will need
to specify a rightid=@roadwarriorX in conn roadwarriorX and leftid=@server in
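An ipsec.conf sketch of the layout suggested in the reply, added here as an example and not the original poster's configuration: one base conn shared by every roadwarrior, plus one conn per roadwarrior carrying its own rightid and rightsubnet. The gateway's public address (203.0.113.10) is an assumed placeholder; 10.0.0.1/32 and the two /24s are the values from the thread. Keeping leftsubnet at the single tunnel address means no SA's selectors cover roadwarrior-to-roadwarrior traffic, which is what keeps the RWs from reaching each other through the gateway.

```ini
# Added example, not the original poster's config.
# Assumed: gw public IP 203.0.113.10 (placeholder), gw tunnel address 10.0.0.1.
config setup
    protostack=netkey

conn roadwarrior-base
    left=203.0.113.10          # gw: single public interface (eth0)
    leftid=@server
    leftsubnet=10.0.0.1/32     # only the gw's tunnelled address is exposed to RWs
    right=%any                 # each RW dials in from a dynamic ppp0 address
    authby=secret              # embedded RWs: PSK only
    auto=add                   # gw waits for the RW to initiate

conn roadwarrior1
    also=roadwarrior-base
    rightid=@roadwarrior1
    rightsubnet=10.1.1.0/24    # internal net behind the first RW's gw

conn roadwarrior2
    also=roadwarrior-base
    rightid=@roadwarrior2
    rightsubnet=10.1.2.0/24    # internal net behind the second RW's gw
```

The matching ipsec.secrets lines are keyed by the same IDs (`@server @roadwarrior1: PSK "..."`). In general IKEv1 main mode the responder must pick the PSK before the peer's ID arrives, so distinct per-roadwarrior PSKs behind right=%any are only selectable by ID with aggressive mode; otherwise all roadwarriors end up sharing one secret.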