[Openswan Users] assistance with atypical configuration

Roel van Meer rolek at bokxing.nl
Wed Nov 10 02:13:39 EST 2010

Neal Murphy writes:

> On Tuesday 09 November 2010 12:30:08 Frank Temple wrote:
>> I am investigating how to configure the network detailed below. I am aware
>> that some manual scripting may be required. All of the hosts are using
>> openswan.
>> A--------B-------D
>> A--------C-------D
>> There are four hosts. The tunnels are detailed with the lines above. The
>> objective is to permit A to communicate with D through B or C. A needs to
>> route to D in the morning via B and in the afternoon via C. This is the
>> part where I assume some manual scripting may be required. I can do that
>> part, I just need to learn what needs to be done. The private IP for D
>> should be the same for A independent of the tunnel (B,C) selected.
> Every *routed* LAN must have a unique address.
> Using two routes equally involves 'policy routing'. Take a gander at 
> lartc.org; in Linux at least, you can configure both A and D to balance the 
> traffic between each other using both B and C.
> If you really have to have overlapping (or concurrent) subnets at A and D, you 
> will have to find a way to bridge the two LANs across the IPSEC tunnels. My 
> simple mind says, "Lift layer 2 into a point-to-point tunnel between A and D."

I agree. I also thought up a rather complex scenario involving lots of 
NATting, but that wouldn't meet the requirement that a change of tunnels 
would not cause any data loss.

If you could drop the requirement that A and D need to be reachable by the 
same IP address depending on the tunnel selected, things get easier very 
quickly. I'm wondering, would it be acceptable to give D two IP addresses 
and use NAT to ensure traffic arriving at D always has the same destination 
address? I can understand that you'd like A to always be able to talk to the 
same IP address of D, but does it need to be that way physically as well?
