[Openswan Users] Multi-hop IPSec

Kevin Keane (subscriptions) subscription at kkeane.com
Fri Nov 18 17:16:23 EST 2011


Thanks for that quick response!

In my situation, I really have two hubs chained together.

Leaf 1                 hub 1                       hub 2                leaf 2
10.0.1.0/24  ------ 10.0.2.0/24
57.0.1.0/24           57.0.2.0/24 ----- 10.0.4.0/24 ------- 10.0.3.0/24

There is no NAT involved, but hub 1 has to do routing because the two IPSec tunnels are on different network interfaces (hub 2 does NAT for leaf 2, but since hub1 and leaf 2 can talk, there doesn't seem to be a problem with that). By the way, the reason for using the 10.x network between leaf1 and hub1 is cost - I have to pay for bandwidth on the default gateway, but not on the private network.

Can you elaborate on not doing the route add? The reason I thought I needed it is that the default gateway for leaf 1 is eth0 (57.0.1.0 in the above diagram). The IPSec tunnel is on eth1. So without a routing table entry, leaf 1 would send traffic to 10.0.3.0 out on the public Internet instead of through the IPSec tunnel to hub 1. If route add doesn't help, how would I direct leaf 1 to send traffic through the tunnel?

I had already configured the sysctl.conf settings - I just double-checked:

net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0

> -----Original Message-----
> From: Paul Wouters [mailto:paul at xelerance.com]
> Sent: Friday, November 18, 2011 8:41 AM
> To: Kevin Keane (subscriptions)
> Cc: users at openswan.org
> Subject: Re: [Openswan Users] Multi-hop IPSec
> 
> On Fri, 18 Nov 2011, Kevin Keane (subscriptions) wrote:
> 
> You cannot "route add" into an ipsec tunnel. These tunnels have policy checks.
> 
> Either you set up a subnet-0.0.0.0/0 from leaf to hub, so the other leaves are
> covered in that tunnel, or you need to have separate tunnels defined via the
> hub, so subA-hub and subA-subB on each leaf (and hub)
> 
> say:
> 
> Leaf 1                 hub                  leaf 2
> 10.0.1.0/24  ------ 10.0.2.0/24 --------- 10.0.3.0/24
> 
> Then on leaf one you need:
> 
> conn tohub
>    leftsubnet=10.0.1.0/24
>    rightsubnet=10.0.2.0/24
> 
> conn toleaf2
>    leftsubnet=10.0.1.0/24
>    rightsubnet=10.0.3.0/24
> 
> You also need to exclude NAT from 10.0.1.0/24 to both 10.0.2.0/24 and
> 10.0.3.0/24.
> 
> And repeat this on leaf2. And on hub ensure it can route from one tunnel into
> the next, which with NETKEY can get tricky if this is the same physical interface.
> Look at the sysctl.conf we ship as example to suppress NETKEY from causing
> bogus redirect ICMP packets.
> 
> Paul
> 
> > Date: Fri, 18 Nov 2011 07:11:23
> > From: "Kevin Keane (subscriptions)" <subscription at kkeane.com>
> > To: "users at openswan.org" <users at openswan.org>
> > Subject: [Openswan Users] Multi-hop IPSec
> > X-Spam-Flag: NO
> >
> > I would like to connect two sites with IPSec, and would like some help setting
> > it up correctly. Most everything works, except that the two private subnets
> > behind the gateways can't reach each other.
> >
> > All devices use openswan 2.6.21 on CentOS 5.7, except for a fairly new
> > Sonicwall device.
> >
> > Site 1 has an unencrypted 192.168.0.0 network behind a Sonicwall gateway.
> >
> > Site 2 consists of two computers in a data center. Each computer has two
> > NICs - one has a public IP address and connects to the Internet, the other
> > connects to a private network in a 10.1.2.0 network. The private network is
> > untrusted, so I am using IPSec over the 10.1.2.0 network to connect the two
> > servers. I also want to use one of these two computers as a gateway to an IPSec
> > connection to the Sonicwall.
> >
> > Individually, these two IPSec connections work without a problem. But traffic
> > from the non-gateway computer to the network behind the Sonicwall does not
> > work, even though IP forwarding is enabled.
> >
> > Here is a diagram:
> >
> > Server 1 public (eth0, 57.6.7.8 - default GW)   Server 1 private (eth1, 10.1.2.17)
> >                                                         ||
> >                                                 Server 2 private (eth1, 10.1.2.98)
> > Server 2 public (eth0, 57.3.4.5 - default GW) ===== Sonicwall gateway (68.6.7.8) ------ 192.168.0.0/24
> >
> > The connection between Server 2 and Sonicwall has
> >
> > leftsubnets=10.1.2.98/32,10.1.2.17/32,57.3.4.5/32
> > rightsubnet=192.168.0.0/24
> >
> > The connection between Server 2 and Server 1 has
> >
> > leftsubnet=10.1.2.98/32
> > rightsubnet=10.1.2.17/32
> >
> > I also added a route on Server 1: 192.168.0.0/24 via 10.1.2.98 dev eth1
> >
> > With this configuration, I can ping between Server 2 and 192.168.0.19. I
> > cannot ping between Server 1 and 192.168.0.19.
> >
> > Any idea about where I may have gone wrong would help!
> >
> > How would I go about troubleshooting this problem?
> >
> > Thanks!
> >
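To make Paul's point concrete (a route only picks a next hop; only a matching policy pulls a packet into a tunnel), here is an added Python model of the outbound policy and route lookups for leaf 1 in his three-node diagram. It is not Openswan or kernel code: the conn selectors are the ones from his reply, while the routing entries and next-hop addresses are assumed, and it only models the leaf side (the hub still needs its own conns covering 10.0.1.0/24 to 10.0.3.0/24 and must forward between them).

```python
import ipaddress

# Constructed conn definitions for "leaf 1" in Paul's three-node diagram;
# the selectors come from the thread, the three sets are the options discussed.
LEAF1_HUB_ONLY = {"tohub": ("10.0.1.0/24", "10.0.2.0/24")}
LEAF1_EXPLICIT = {"tohub": ("10.0.1.0/24", "10.0.2.0/24"),
                  "toleaf2": ("10.0.1.0/24", "10.0.3.0/24")}   # tunnel to leaf 2 via the hub
LEAF1_CATCH_ALL = {"tohub": ("10.0.1.0/24", "0.0.0.0/0")}       # subnet-0.0.0.0/0 variant

# Constructed routing table for leaf 1: default via eth0 (public), plus the
# "route add" Kevin tried, pointing 10.0.3.0/24 at the hub on eth1 (next hops assumed).
LEAF1_ROUTES = [("0.0.0.0/0", "57.0.1.1 dev eth0"), ("10.0.3.0/24", "10.0.2.1 dev eth1")]


def build_spd(conns):
    """Outbound SPD entries from each conn's leftsubnet/rightsubnet, most specific first."""
    spd = [(ipaddress.ip_network(l), ipaddress.ip_network(r), name)
           for name, (l, r) in conns.items()]
    spd.sort(key=lambda e: e[0].prefixlen + e[1].prefixlen, reverse=True)
    return spd


def spd_lookup(conns, src, dst):
    """Conn whose selectors cover src->dst, or None when no policy matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for left, right, name in build_spd(conns):
        if s in left and d in right:
            return name
    return None


def route_lookup(routes, dst):
    """Longest-prefix match on the routing table; returns the next-hop string."""
    d = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(net), nh) for net, nh in routes
               if d in ipaddress.ip_network(net)]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def egress(conns, routes, src, dst):
    """What leaf 1 does with a packet: the route chooses the next hop, but only the
    SPD decides whether ESP is applied. A static route never pulls traffic into a tunnel."""
    conn = spd_lookup(conns, src, dst)
    return ("esp:" + conn if conn else "cleartext", route_lookup(routes, dst))


if __name__ == "__main__":
    for label, conns in (("hub only", LEAF1_HUB_ONLY), ("explicit toleaf2", LEAF1_EXPLICIT),
                         ("0.0.0.0/0", LEAF1_CATCH_ALL)):
        print(f"{label:>17}: 10.0.1.5 -> 10.0.3.7 ->", egress(conns, LEAF1_ROUTES, "10.0.1.5", "10.0.3.7"))
```

With only the hub conn, the added route sends the leaf 2 packet toward the hub on eth1 but in cleartext; adding the toleaf2 conn or the 0.0.0.0/0 selector is what makes it ESP.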