[Openswan Users] Multi-hop IPSec

Paul Wouters paul at xelerance.com
Fri Nov 18 11:41:10 EST 2011


On Fri, 18 Nov 2011, Kevin Keane (subscriptions) wrote:

You cannot "route add" into an ipsec tunnel. These tunnels have policy
checks.

Either you set up a subnet 0.0.0.0/0 from leaf to hub, so the other
leaves are covered in that tunnel, or you need to have separate
tunnels defined via the hub, so subA-hub and subA-subB on each
leaf (and hub)

say:

Leaf 1                 hub                  leaf 2
10.0.1.0/24  ------ 10.0.2.0/24 --------- 10.0.3.0/24

Then on leaf one you need:

conn tohub
   leftsubnet=10.0.1.0/24
   rightsubnet=10.0.2.0/24

conn toleaf2
   leftsubnet=10.0.1.0/24
   rightsubnet=10.0.3.0/24

You also need to exclude NAT from 10.0.1.0/24 to both 10.0.2.0/24 and 10.0.3.0/24.

And repeat this on leaf2. And on hub ensure it can route from one tunnel into the
next, which with NETKEY can get tricky if this is the same physical interface.
Look at the sysctl.conf we ship as example to suppress NETKEY from causing bogus
redirect ICMP packets.

Paul
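As an added example (not code from the list post or from Openswan), the script below turns the hub-and-spoke rule above into generated conn sections and NAT-exclusion rules for one leaf, covering both the per-subnet tunnels and the 0.0.0.0/0 alternative; the subnets and conn names are constructed to match the diagram.

```python
# Added example, not code from the list post: given the hub-and-spoke layout
# described above, emit the conn definitions one leaf needs and the matching
# NAT-exclusion rules. Subnets and conn names here are constructed.
import ipaddress

def leaf_conns(leaf_subnet, hub_subnet, other_leaves, catch_all=False):
    """Return {conn_name: (leftsubnet, rightsubnet)} for one leaf.

    An IPsec SA only carries packets whose src/dst fall inside the negotiated
    selectors, so a plain 'route add' cannot push traffic into a tunnel.
    Either one conn with rightsubnet=0.0.0.0/0 covers everything reachable
    via the hub (catch_all=True), or the leaf needs one conn per remote subnet.
    """
    leaf = ipaddress.ip_network(leaf_subnet)
    hub = ipaddress.ip_network(hub_subnet)
    others = {name: ipaddress.ip_network(s) for name, s in other_leaves.items()}
    for net in [hub, *others.values()]:
        if leaf.overlaps(net):  # overlapping selectors make policy lookup ambiguous
            raise ValueError(f"{leaf} overlaps {net}")
    if catch_all:
        return {"tohub": (str(leaf), "0.0.0.0/0")}
    conns = {"tohub": (str(leaf), str(hub))}
    for name, net in others.items():
        conns[f"to{name}"] = (str(leaf), str(net))
    return conns

def render_ipsec_conf(conns):
    """Render the conn sections in ipsec.conf syntax (indented key=value lines)."""
    out = []
    for name, (left, right) in conns.items():
        out.append(f"conn {name}\n   leftsubnet={left}\n   rightsubnet={right}")
    return "\n\n".join(out) + "\n"

def nat_exclusions(conns):
    """iptables rules that exempt tunnel traffic from a later MASQUERADE rule.

    Inserted at the top of nat/POSTROUTING so tunnel-bound packets are ACCEPTed
    before any masquerade rule rewrites their source out of the selectors.
    """
    return [f"iptables -t nat -I POSTROUTING -s {left} -d {right} -j ACCEPT"
            for left, right in conns.values()]

if __name__ == "__main__":
    c = leaf_conns("10.0.1.0/24", "10.0.2.0/24", {"leaf2": "10.0.3.0/24"})
    print(render_ipsec_conf(c))
    print("\n".join(nat_exclusions(c)))
```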

> Date: Fri, 18 Nov 2011 07:11:23
> From: "Kevin Keane (subscriptions)" <subscription at kkeane.com>
> To: "users at openswan.org" <users at openswan.org>
> Subject: [Openswan Users] Multi-hop IPSec
> 
> I would like to connect two sites with IPSec, and would like some help setting it up correctly. Most everything works, except that the two private subnets behind the gateways can't reach each other.
>
> All devices use openswan 2.6.21 on CentOS 5.7, except for a fairly new Sonicwall device.
>
> Site 1 has an unencrypted 192.168.0.0 network behind a Sonicwall gateway.
>
> Site 2 consists of two computers in a data center. Each computer has two NICs - one has a public IP address and connects to the Internet, the other connects to a private network in a 10.1.2.0 network. The private network is untrusted, so I am using IPSec over the 10.1.2.0 network to connect the two servers. I also want to use one of these two computers as a gateway to an IPSec connection to the Sonicwall.
>
> Individually, these two IPSec connections work without a problem. But traffic from the non-gateway computer to the network behind the Sonicwall does not work, even though IP forwarding is enabled.
>
> Here is a diagram:
>
> Server 1 public (eth0,57.6.7.8 - default GW)
> Server 1 private (eth1,10.1.2.17)
>        ||
> Server 2 private (eth1,10.1.2.98)
> Server 2 public (eth0,57.3.4.5 - default GW) ===== Sonicwall gateway (68.6.7.8) ------ 192.168.0.0/24
>
> The connection between Server 2 and Sonicwall has
>
> Leftsubnets=10.1.2.98/32,10.1.2.17/32,57.3.4.5/32
> Rightsubnet=192.168.0.0/24
>
> The connection between Server 2 and Server 1 has
>
> Leftsubnet=10.1.2.98/32
> Rightsubnet=10.1.2.17/32
>
> I also added a route on Server 1: 192.168.0.0/24 via 10.1.2.98 dev eth1
>
> With this configuration, I can ping between Server 2 and 192.168.0.19. I cannot ping between Server 1 and 192.168.0.19.
>
> Any idea about where I may have gone wrong would help!
>
> How would I go about troubleshooting this problem?
>
> Thanks!
>