[Openswan Users] hi, does openswan support multiple instances on one server.?

Michael H. Warfield mhw at WittsEnd.com
Sun May 22 09:51:14 EDT 2011


On Sat, 2011-05-21 at 20:00 +0800, Spacelee wrote: 
> On Sat, May 21, 2011 at 6:49 PM, Erich Titl <erich.titl at think.ch> wrote:
> 
> > Hi
> >
> > on 21.05.2011 03:02, Spacelee wrote:
> > > I see that OpenVPN supports this, so that each instance can listen on
> > > a different port, so different clients could connect to different ports,
> > > and each client uses a unique tunnel.
> > > Does OpenSwan support this?
> >
> > OpenSwan is fundamentally different to OpenVPN as in OpenSwan (IPsec)
> > there is no notion of a 'client'. You could probably call this an
> > initiator.
> >
> > You can define multiple interfaces on a single host and each interface
> > can have multiple connections. As most operations are handled in kernel
> > space, as opposed to OpenVPN, where most things are done in user space,
> > there is typically no need for multiple instances.
> >
> > What exactly do you want to achieve?
> >

> for example, I have 2 IP addresses, and I need staff and managers to use
> different IP addresses.
> 1. 192.168.1.100
> 2. 192.168.1.101

> Staff could use only ip1, and managers could only use ip2, and it's a different
> tunnel... The two IP addresses are bound to one machine. So I think I need
> to start 2 openswan instances and two xl2tpd instances to serve this?

What you're describing is one of the fundamental failings or limitations
of OpenVPN that you need to run multiple instances of OpenVPN, unless
you're running OpenVPN in "server" mode (which is IPv4 only), in order
to support multiple unique tunnels, and then each instance needs its own
unique IP address or port number.  As others have already mentioned,
Openswan is not so badly constrained in supporting multiple unique
tunnels and needs only one instantiation of Pluto, the IKE keying
daemon, and the tunnels are anchored in the kernel space transforms, not
in the user space daemon instantiations.  This is one reason trying to
implement a "mesh" VPN network in OpenVPN is next to impossible for
almost any non-trivial meshes.

For reference, I use both, and have for many many years, but for
different things.  I use Openswan, IPsec for all my "heavy lifting" and
I use OpenVPN as a road warrior IPv6 tunnel broker service for myself
when I'm on the road.  I understand now that, if I switch to IKEv2 I may
even be able to tunnel IPv6 directly on IPv4 like OpenVPN and may even
be able to eliminate OpenVPN for that.

> >
> > cheers
> >
> > Erich

-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
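One way to express Erich's and Michael's point (a single Pluto instance, with one connection definition per local address) for the two-address L2TP/IPsec setup Spacelee describes, as an added example that is not from the thread. The PSKs are placeholders, the conn names are assumed, and the xl2tpd side is not shown:

```ini
# /etc/ipsec.conf (constructed example): one Openswan/Pluto instance serving
# two local addresses with separate L2TP/IPsec transport-mode connections.
config setup
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12

# Settings shared by every conn below.
conn %default
    type=transport
    authby=secret
    pfs=no
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    auto=add

# Staff terminate only on .100, managers only on .101. Pluto matches an
# incoming IKE exchange to the conn whose left= address it arrived on,
# so no second daemon is needed.
conn staff
    left=192.168.1.100

conn manager
    left=192.168.1.101

# /etc/ipsec.secrets (constructed example): the pre-shared key is selected by
# the local address, so the staff key is never accepted on the manager endpoint.
# Replace the placeholders with long random secrets and keep the file mode 0600.
192.168.1.100 %any : PSK "STAFF-PSK-PLACEHOLDER"
192.168.1.101 %any : PSK "MANAGER-PSK-PLACEHOLDER"
```

Only the IPsec side collapses into one daemon: xl2tpd's [global] listen-addr takes a single address, so the L2TP service still runs one xl2tpd per IP if each address must answer L2TP separately.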