[Openswan Users] Multiple RoadWarrior

Kail kaildio at gmail.com
Mon Apr 26 16:05:50 EDT 2010


Hi Paul,

thank you very much for the help.

On Mon, Apr 26, 2010 at 7:37 PM, Paul Wouters <paul at xelerance.com> wrote:
> On Sun, 25 Apr 2010, Kail wrote:
>
>> I'd like to ask for advice regarding the use of ipsec and openswan in
>> a somewhat strange situation; please excuse me if this isn't the right
>> place.
>>
>> I have an ipsec gateway server (let's call it 'gw') with openswan
>> installed; it has a single interface (eth0) connected with a public
>> static ip.
>>
>> Then, I have hundreds of RoadWarrior systems (called 'rw'), each composed
>> of 2 pieces:
>> - a gw with one interface connected to the internet (ppp0) with a dynamic
>> ip and one internal interface (eth0)
>> - another pc ('peer'), the one I want to reach, connected on the same
>> net as the internal interface of the local gw
>
> That should work fine.
>
>> So, I have:
>>
>> gw:eth0:80.180.192.xxx
>>
>> First RoadWarrior
>> rw1:gw:ppp0:unknown
>> rw1:gw:eth0:10.1.1.1/24
>> rw1:peer:eth0:10.1.1.2/24
>>
>> Second RoadWarrior
>> rw2:gw:ppp0:unknown
>> rw2:gw:eth0:10.1.2.1/24
>> rw2:peer:eth0:10.1.2.2/24
>>
>> The RoadWarriors don't run openswan, they're embedded devices. Only
>> PSK auth supported.
>>
>> I have the following constraints:
>> - all RoadWarriors' tunnels can be active at the same time
>> - RoadWarriors can't reach other RWs via ipsec tunnels even if someone
>> changes their configuration (assume they are not in a safe place)
>> - "Peer" can reach the GW using the tunnel (GW has a tunneled ipaddr)
>> - GW can reach all RoadWarriors' 'peer' whose gw has the tunnel up,
>> at the same time
>
> Should be fine too.
>
>> conn roadwarrior-base
>>       pfs=no
>>       left=%defaultroute
>>       leftsubnet=10.0.0.1/32
>
> Where does 10.0.0.1/32 come from? It should not be needed. Unless
> you specifically want 1 internal IP to be reachable.

True. Roadwarriors only need to reach the GW at the moment.

>>       leftsourceip=10.0.0.1
>
>>       right=%any
>>       auto=add
>>
>> conn roadwarrior1
>>       rightsubnet=10.1.1.0/24
>>       also=roadwarrior-base
>>
>> conn roadwarrior2
>>       rightsubnet=10.1.2.0/24
>>       also=roadwarrior-base
>
> So you are building two tunnels? From 10.0.0.1/32 to 10.1.1.0/24 and
> 10.1.2.0/24.
> Oh I see. Each roadwarrior has its own subnet? Then you most likely will
> need to specify a rightid=@roadwarriorX in conn roadwarriorX and
> leftid=@server in roadwarrior-base.

I need all roadwarriors to be connected at the same time and the GW to
reach each one of them.
Is there a way to achieve this without splitting the subnets? How does
the GW choose which tunnel to use if I don't use different subnets?

--
Andrea

>
> Paul
>
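As an added example, not taken from this thread or from Openswan's own documentation: a gateway-side ipsec.conf and ipsec.secrets laid out along the lines Paul suggests (leftid on the base conn, one rightid per roadwarrior). The IDs @server and @roadwarriorN and the secret value are placeholders; the addresses are the ones from the thread.

```ini
# /etc/ipsec.conf on gw (added example; @server, @roadwarriorN and the
# secret below are placeholders, not values from the thread)
conn roadwarrior-base
        authby=secret              # the embedded rw devices only support PSK
        pfs=no
        left=%defaultroute
        leftid=@server             # fixed ID the gateway presents
        leftsourceip=10.0.0.1      # tunneled address the remote 'peer' reaches
        leftsubnet=10.0.0.1/32     # only the GW itself is reachable from a rw
        right=%any                 # rw public address is unknown in advance
        auto=add                   # gw waits for the rw to initiate

# One conn per roadwarrior: the ID the initiator presents selects the conn,
# and rightsubnet fixes the traffic selector, so a rw whose config only
# changes its subnet still gets no SA covering another rw's 10.1.x.0/24.
conn roadwarrior1
        rightid=@roadwarrior1
        rightsubnet=10.1.1.0/24
        also=roadwarrior-base

conn roadwarrior2
        rightid=@roadwarrior2
        rightsubnet=10.1.2.0/24
        also=roadwarrior-base

# /etc/ipsec.secrets on gw (placeholder secret).
# Risk note: in IKEv1 main mode the responder needs the PSK before it has
# seen the initiator's ID, so with right=%any the secret is selected by
# address and every roadwarrior ends up sharing one PSK. The rightid /
# rightsubnet split above therefore contains misconfiguration, not a
# device that also presents another rw's ID; per-device secrets need the
# ID sent in the clear (aggressive mode) or certificates, if the devices
# support either.
@server %any : PSK "REPLACE-WITH-A-LONG-RANDOM-SECRET"
```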