[Openswan Users] Multiple RoadWarrior
Paul Wouters
paul at xelerance.com
Mon Apr 26 13:37:05 EDT 2010
On Sun, 25 Apr 2010, Kail wrote:
> I'd like to ask for advice regarding the use of ipsec and openswan in
> a somewhat strange situation; please excuse me if this isn't the right
> place.
>
> I've an ipsec gateway server (let's call it 'gw') with openswan
> installed; it has a single interface (eth0) connected with a public
> static ip.
>
> Then, I've hundreds of RoadWarrior systems (called 'rw') composed
> of 2 pieces:
> - a gw with one interface connected to the internet (ppp0) with dynamic
> ip and one internal interface (eth0)
> - another pc ('peer'), the one I want to reach, connected on the same
> net as the internal interface of the local gw
That should work fine.
> So, I've:
>
> gw:eth0:80.180.192.xxx
>
> First RoadWarrior
> rw1:gw:ppp0:unknown
> rw1:gw:eth0:10.1.1.1/24
> rw1:peer:eth0:10.1.1.2/24
>
> Second RoadWarrior
> rw2:gw:ppp0:unknown
> rw2:gw:eth0:10.1.2.1/24
> rw2:peer:eth0:10.1.2.2/24
>
> The RoadWarriors don't run openswan, they're embedded devices. Only
> PSK auth supported.
>
> I have the following constraints:
> - all RoadWarriors' tunnels can be active at the same time
> - RoadWarriors can't reach other RWs via ipsec tunnels even if someone
> changes their configuration (assume they are not in a safe place)
> - "Peer" can reach the GW using the tunnel (GW has a tunneled ipaddr)
> - GW can reach all RoadWarriors' 'peer' whose gw have the tunnel up,
> at the same time
Should be fine too.
> conn roadwarrior-base
> pfs=no
> left=%defaultroute
> leftsubnet=10.0.0.1/32
Where does 10.0.0.1/32 come from? It should not be needed. Unless
you specifically want 1 internal IP to be reachable.
> leftsourceip=10.0.0.1
> right=%any
> auto=add
>
> conn roadwarrior1
> rightsubnet=10.1.1.0/24
> also=roadwarrior-base
>
> conn roadwarrior2
> rightsubnet=10.1.2.0/24
> also=roadwarrior-base
So you are building two tunnels, from 10.0.0.1/32 to 10.1.1.0/24 and 10.1.2.0/24?
Oh I see. Each roadwarrior has its own subnet? Then you most likely will need
to specify a rightid=@roadwarriorX in conn roadwarriorX and leftid=@server in
roadwarrior-base
Paul
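Paul's suggestion, written out as a concrete gateway-side configuration. This is an added example, not a config posted in the thread; the identities @server, @rw1 and @rw2, the placeholder secret and the ipsec.secrets selector line are assumptions, while the subnets and the leftsubnet/leftsourceip values are the ones from Kail's post. The embedded roadwarriors must present the matching ID (@rw1, @rw2, ...) in their own IKE configuration.

```ini
# /etc/ipsec.conf on the central gateway (gw) - added example, assumed IDs

conn roadwarrior-base
    authby=secret             # PSK only: the embedded devices support nothing else
    pfs=no
    left=%defaultroute
    leftid=@server            # gateway's own identity, as Paul suggests
    leftsubnet=10.0.0.1/32    # from the original post: only the gw tunnel address
    leftsourceip=10.0.0.1     # is covered by each tunnel's policy
    right=%any                # roadwarriors arrive from dynamic ppp0 addresses
    auto=add

# One conn per roadwarrior. With right=%any on every conn, rightid is what
# lets pluto pick the right rightsubnet once the peer's ID has been received.
conn roadwarrior1
    rightid=@rw1
    rightsubnet=10.1.1.0/24
    also=roadwarrior-base     # keep also= last, as in the original post

conn roadwarrior2
    rightid=@rw2
    rightsubnet=10.1.2.0/24
    also=roadwarrior-base

# /etc/ipsec.secrets on gw (root-owned, mode 0600) - added example
# Assumed catch-all selector. With IKEv1 main mode the responder must pick the
# PSK before it has seen the peer's ID, so all %any roadwarriors share this one
# secret; the per-device IDs above still separate the conns and subnets.
%any %any : PSK "replace-with-a-long-random-secret"
```

Check with `ipsec auto --status` after `ipsec auto --add roadwarrior1` that each conn is instantiated with its own rightsubnet. Per-device PSKs would need IKEv1 aggressive mode (aggrmode=yes), but aggressive mode sends the responder's authentication hash unencrypted and so exposes the PSK to offline dictionary attack; one strong shared secret plus distinct IDs is the safer trade-off for these devices.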