[Openswan Users] Nesting configs

Larry Brown larry.brown at dimensionnetworks.com
Fri Jul 16 10:00:37 EDT 2010 

On Thu, 2010-07-15 at 23:08 -0500, Greg Scott wrote:
> I do nested includes using the technique Mike suggests.  Here are some
> samples taken from some of my tunnels in production:
> 
> FWIW, I always modify /etc/ipsec.conf to specifically include what I
> want.  I comment out the include *.conf line - I want to specify exactly
> what to include and in what order.  Some call this anal, I call it
> attention to detail.  :)
> 
> So /etc/ipsec.conf has a line that says include
> /etc/ipsec.d/hq-ipsec.conf.  Below is an extract from hq-ipsec.conf.
> Look at the very last line, where it includes sites.conf.  
> 
> conn colo-hqmain
>         type=tunnel
>         #
>         # Left security gateway, subnet behind it, next hop toward left.
>         #
>         also=colo
>         #
>         # Right security gateway, subnet behind it, next hop toward
> left.
>         #
>         also=hqmain
>         auto=start
> 
> conn colo-hqmirror
>         type=tunnel
>         #
>         # Left security gateway, subnet behind it, next hop toward left.
>         #
>         also=colo
>         #
>         # Right security gateway, subnet behind it, next hop toward
> left.
>         #
>         also=hqmirror
>         auto=start
> 
> include /etc/ipsec.d/sites.conf
> 
> **********************************************
> 
> And here's an extract from sites.conf.  I'm not doing road warriors -
> most of my scenarios are one HQ site with one or more fixed branch
> sites, but I think it's the same idea you want to use with your road
> warriors.  In my case, each site has an identical copy of sites.conf and
> a unique flavor of {sitename}-ipsec.conf.  This way, if I ever need to
> tunnel branch to branch they're all described in sites.conf.  I've been
> running this way for several years.  
> 
> conn hqmain
>         right=1.2.42.85
>         rightsubnet=175.10.0.0/16
>         rightnexthop=1.2.42.86
>         rightsourceip=175.10.0.1
>         rightid=@hqmain
>         ###     rightupdown=/etc/ipsec.d/hq-updown.sh
>         # rsakey AQOkh1tMU
>         rightrsasigkey=0sAQOkh...
> 
> conn hqmirror
>         right=1.2.42.85
>         rightsubnet=175.7.0.0/16
>         rightnexthop=1.2.42.86
>         rightsourceip=175.7.0.1
>         rightid=@hqmirror
>         # rsakey AQOkh1tMU
>         rightrsasigkey=0sAQOkh1t...
> 
> conn colo
>         left=3.4.64.169
>         leftsubnet=175.8.0.0/15
>         leftnexthop=3.4.64.174
>         leftsourceip=175.9.1.1
>         leftid=@colo
>         # RSA 2192 bits   colo-fw   Wed Nov 29 19:08:25 2006
>         leftrsasigkey=0sAQOSwRcj...
> 

I appreciate the examples.  That's a great way to organize 
between offices/branches.  In my case we will have 1000's of 
road warriors and so having individual files for each road 
warrior so connections can be added and removed by simply 
removing the files is attractive.

Now I just need to figure out how to size my Gateway to handle 
all of these connections :)

Thanks again guys...

More information about the Users mailing list