[Openswan Users] Nesting configs
Greg Scott
GregScott at Infrasupport.com
Fri Jul 16 00:08:46 EDT 2010
I do nested includes using the technique Mike suggests. Here are some
samples taken from some of my tunnels in production:
FWIW, I always modify /etc/ipsec.conf to specifically include what I
want. I comment out the include *.conf line - I want to specify exactly
what to include and in what order. Some call this anal, I call it
attention to detail. :)
So /etc/ipsec.conf has a line that says include
/etc/ipsec.d/hq-ipsec.conf. Below is an extract from hq-ipsec.conf.
Look at the very last line, where it includes sites.conf.
conn colo-hqmain
    type=tunnel
    #
    # Left security gateway, subnet behind it, next hop toward left.
    #
    also=colo
    #
    # Right security gateway, subnet behind it, next hop toward left.
    #
    also=hqmain
    auto=start

conn colo-hqmirror
    type=tunnel
    #
    # Left security gateway, subnet behind it, next hop toward left.
    #
    also=colo
    #
    # Right security gateway, subnet behind it, next hop toward left.
    #
    also=hqmirror
    auto=start

include /etc/ipsec.d/sites.conf
**********************************************
And here's an extract from sites.conf. I'm not doing road warriors -
most of my scenarios are one HQ site with one or more fixed branch
sites, but I think it's the same idea you want to use with your road
warriors. In my case, each site has an identical copy of sites.conf and
a unique flavor of {sitename}-ipsec.conf. This way, if I ever need to
tunnel branch to branch they're all described in sites.conf. I've been
running this way for several years.
conn hqmain
    right=1.2.42.85
    rightsubnet=175.10.0.0/16
    rightnexthop=1.2.42.86
    rightsourceip=175.10.0.1
    rightid=@hqmain
    ### rightupdown=/etc/ipsec.d/hq-updown.sh
    # rsakey AQOkh1tMU
    rightrsasigkey=0sAQOkh...

conn hqmirror
    right=1.2.42.85
    rightsubnet=175.7.0.0/16
    rightnexthop=1.2.42.86
    rightsourceip=175.7.0.1
    rightid=@hqmirror
    # rsakey AQOkh1tMU
    rightrsasigkey=0sAQOkh1t...

conn colo
    left=3.4.64.169
    leftsubnet=175.8.0.0/15
    leftnexthop=3.4.64.174
    leftsourceip=175.9.1.1
    leftid=@colo
    # RSA 2192 bits colo-fw Wed Nov 29 19:08:25 2006
    leftrsasigkey=0sAQOSwRcj...
-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
Behalf Of Michael Smith
Sent: Thursday, July 15, 2010 8:05 AM
To: Larry Brown
Cc: OpenSwan
Subject: Re: [Openswan Users] Nesting configs
Larry Brown wrote:
> ipsec.conf:
> ---------------------------------------------
> version 2.0
>
> config setup
>
>     nat_traversal=yes
>     oe=off
>     virtual_private=%v4:192.168.0.0/24,%v4:!172.16.0.0/24
>     protostack=netkey
>
> include /etc/ipsec.d/include/ipsec.*.conf
That's OK.
> -----------------------------------------------
> conn r101
>
>     include leftSide
You can't include from inside a connection block. What you might want to
do is create a file, zz99leftside.conf, with "conn leftside" containing
the items you need. Then refer to it with "also=leftside" in your other
connections.
The file has to be included after all the other files so they can
reference it with "also" - since "*" matches in alphabetical order, the
zz99 takes care of that.
Mike
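A small validator for the nesting scheme discussed in both messages above, added here as an example (it is not code from the thread or from the Openswan project). It loads ipsec.conf-style files following include globs in alphabetical order, rejects an include inside a conn block, and checks that every also= target names a conn defined after the conn referencing it, merging the parameters when it does. The file contents, conn names and addresses are constructed; that the referring conn's own values win on a conflict is an assumption.

```python
import fnmatch
# Constructed sample files modelled on the thread's layout: a per-site {sitename}-ipsec.conf
# that includes the shared sites.conf last. Names and addresses are hypothetical.
FILES = {
    "/etc/ipsec.conf": "config setup\n\tprotostack=netkey\ninclude /etc/ipsec.d/hq-ipsec.conf\n",
    "/etc/ipsec.d/hq-ipsec.conf": "conn colo-hqmain\n\ttype=tunnel\n\talso=colo\n\talso=hqmain\n"
                                  "\tauto=start\ninclude /etc/ipsec.d/sites.conf\n",
    "/etc/ipsec.d/sites.conf": "conn hqmain\n\tright=198.51.100.85\n\trightid=@hqmain\n"
                               "conn colo\n\tleft=203.0.113.169\n\tleftid=@colo\n",
}

def parse(path, files, order, errors):
    # Collect sections in load order; include patterns are fnmatch-globbed and loaded alphabetically.
    section = None
    for n, raw in enumerate(files[path].splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        words = line.split(None, 1)
        if line[0] not in " \t":                      # a column-0 line ends the current section
            if words[0] == "include":
                section = None
                for target in sorted(fnmatch.filter(files, words[1].strip())):
                    parse(target, files, order, errors)
            else:                                     # "conn X" opens a conn; "config setup" stays unnamed
                section = {"name": words[1].strip() if words[0] == "conn" else None, "params": {}, "also": []}
                order.append(section)
            continue
        key, _, value = line.strip().partition("=")
        if section is None:
            errors.append(f"{path}:{n}: '{line.strip()}' is outside any section")
        elif words[0] == "include":                   # Mike's point: no include inside a conn
            errors.append(f"{path}:{n}: include is not allowed inside a conn section")
        elif key == "also":
            section["also"].append(value)
        else:
            section["params"][key] = value

def resolve(root, files=FILES):
    order, errors = [], []
    parse(root, files, order, errors)
    index = {s["name"]: i for i, s in enumerate(order) if s["name"]}
    for i, s in enumerate(order):
        for name in s["also"]:
            if name not in index or index[name] <= i:    # the thread's ordering rule
                errors.append(f"conn {s['name']}: also={name} must be a conn defined later")
            else:
                for k, v in order[index[name]]["params"].items():
                    s["params"].setdefault(k, v)      # assumed: the referring conn's own values win
    return {s["name"]: s["params"] for s in order if s["name"]}, errors
```

Running resolve("/etc/ipsec.conf") on the constructed files returns the merged colo-hqmain conn with no errors; feeding it Larry's conn with an indented include, or a sites file included before the conns that reference it, returns the corresponding error instead.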