[Openswan Users] Multi-hop IPSec
Paul Wouters
paul at xelerance.com
Fri Nov 18 18:26:07 EST 2011
On Fri, 18 Nov 2011, Kevin Keane (subscriptions) wrote:
> In my situation, I really have two hubs chained together.
>
> Leaf 1 hub 1 hub 2 leaf 2
> 10.0.1.0/24 ------ 10.0.2.0/24
> 57.0.1.0/24 57.0.2.0/24 ----- 10.0.4.0/24 ------- 10.0.3.0/24
Not sure I understand this, but if you want 10.0.1.0/24 to reach 10.0.3.0/24,
then you need to build an ipsec tunnel with leftsubnet=10.0.1.0/24 and rightsubnet=10.0.3.0/24
If you also want to reach 10.0.4.0/24 from 10.0.1.0/24 then you need to add a second conn for that
or use rightsubnets={10.0.2.0/24, 10.0.3.0/24}
> There is no NAT involved, but hub 1 has to do routing because the two IPSec tunnels are on different network interfaces (hub 2 does NAT for leaf 2, but since hub1 and leaf 2 can talk, there doesn't seem to be a problem with that). By the way, the reason for using the 10.x network between leaf1 and hub1 is cost - I have to pay for bandwidth on the default gateway, but not on the private network.
>
> Can you elaborate on not doing the route add? The reason I thought I needed it is that the default gateway for leaf 1 is eth0 (57.0.1.0 in the above diagram). The IPSec tunnel is on eth1. So without a routing table entry, leaf 1 would send traffic to 10.0.3.0 out on the public Internet instead of through the IPSec tunnel to hub 1. If route add doesn't help, how would I direct leaf 1 to send traffic through the tunnel?
If the ipsec gateway is not "in the path" of the default route, then yes, leaf1 machines
will need a route to point to the ipsec gateway instead of the default gateway. What I
meant was if you have one ipsec tunnel, you cannot just "route add" arbitrary networks
in it unless you build something evil like a 0/0 <-> 0/0 tunnel.
Paul
> I had already configured the sysctl.conf settings - I just double-checked:
>
> net.ipv4.conf.all.accept_redirects = 0
> net.ipv4.conf.all.send_redirects = 0
> net.ipv4.conf.default.accept_redirects = 0
> net.ipv4.conf.default.send_redirects = 0
>
>> -----Original Message-----
>> From: Paul Wouters [mailto:paul at xelerance.com]
>> Sent: Friday, November 18, 2011 8:41 AM
>> To: Kevin Keane (subscriptions)
>> Cc: users at openswan.org
>> Subject: Re: [Openswan Users] Multi-hop IPSec
>>
>> On Fri, 18 Nov 2011, Kevin Keane (subscriptions) wrote:
>>
>> You cannot "route add" into an ipsec tunnel. These tunnels have policy checks.
>>
>> Either you set up a subnet-0.0.0.0/0 from leaf to hub, so the other leaves are
>> covered in that tunnel, or you need to have separate tunnels defined via the
>> hub, so subA-hub and subA-subB on each leaf (and hub)
>>
>> say:
>>
>> Leaf 1 hub leaf 2
>> 10.0.1.0/24 ------ 10.0.2.0/24 --------- 10.0.3.0/24
>>
>> Then on leaf one you need:
>>
>> conn tohub
>>     leftsubnet=10.0.1.0/24
>>     rightsubnet=10.0.2.0/24
>>
>> conn toleaf2
>>     leftsubnet=10.0.1.0/24
>>     rightsubnet=10.0.3.0/24
>>
>> You also need to exclude NAT from 10.0.1.0/24 to both 10.0.2.0/24 and
>> 10.0.3.0/24.
>>
>> And repeat this on leaf2. And on hub ensure it can route from one tunnel into
>> the next, which with NETKEY can get tricky if this is the same physical interface.
>> Look at the sysctl.conf we ship as example to suppress NETKEY from causing
>> bogus redirect ICMP packets.
>>
>> Paul
>>
>>> Date: Fri, 18 Nov 2011 07:11:23
>>> From: "Kevin Keane (subscriptions)" <subscription at kkeane.com>
>>> To: "users at openswan.org" <users at openswan.org>
>>> Subject: [Openswan Users] Multi-hop IPSec
>>>
>>> I would like to connect two sites with IPSec, and would like some help setting
>> it up correctly. Most everything works, except that the two private subnets
>> behind the gateways can't reach each other.
>>>
>>> All devices use openswan 2.6.21 on CentOS 5.7, except for a fairly new
>> Sonicwall device.
>>>
>>> Site 1 has an unencrypted 192.168.0.0 network behind a Sonicwall gateway.
>>>
>>> Site 2 consists of two computers in a data center. Each computer has two
>> NICs - one has a public IP address and connects to the Internet, the other
>> connects to a private network in a 10.1.2.0 network. The private network is
>> untrusted, so I am using IPSec over the 10.1.2.0 network to connect the two
>> servers. I also want to use one of these two computers as a gateway to an IPSec
>> connection to the Sonicwall.
>>>
>>> Individually, these two IPSec connections work without a problem. But traffic
>> from the non-gateway computer to the network behind the Sonicwall does not
>> work, even though IP forwarding is enabled.
>>>
>>> Here is a diagram:
>>>
>>> Server 1 public (eth0,57.6.7.8 - default GW) Server 1 private
>>> (eth1,10.1.2.17)
>>> ||
>>> Server 2 private (eth1,10.1.2.98)
>>> Server 2 public (eth0,57.3.4.5 - default GW) ===== Sonicwall gateway
>>> (68.6.7.8) ------ 192.168.0.0/24
>>>
>>> The connection between Server 2 and Sonicwall has
>>>
>>> Leftsubnets=10.1.2.98/32,10.1.2.17/32,57.3.4.5/32
>>> Rightsubnet=192.168.0.0/24
>>>
>>> The connection between Server 2 and Server 1 has
>>>
>>> Leftsubnet=10.1.2.98/32
>>> Rightsubnet=10.1.2.17/32
>>>
>>> I also added a route on Server 1: 192.168.0.0/24 via 10.1.2.98 dev
>>> eth1
>>>
>>> With this configuration, I can ping between Server 2 and 192.168.0.19. I
>> cannot ping between Server 1 and 192.168.0.19.
>>>
>>> Any idea about where I may have gone wrong would help!
>>>
>>> How would I go about troubleshooting this problem?
>>>
>>> Thanks!
>>>
>>>
>>> _______________________________________________
>>> Users at openswan.org
>>> http://lists.openswan.org/mailman/listinfo/users
>>> Micropayments:
>>> https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>>> Building and Integrating Virtual Private Networks with Openswan:
>>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>>>
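The point Paul makes twice in this thread (a route only decides where a packet is forwarded; the kernel's IPsec policy check, keyed on source/destination selectors, decides whether it is protected) can be seen in a small model. This is an added example written for this thread, not Openswan code; the subnets come from Paul's diagram, while the gateway addresses 57.0.1.1 and 10.0.2.1 and the fourth subnet 10.0.4.0/24 behind the hub are assumed.

```python
from ipaddress import ip_address, ip_network

# Simplified model of the outbound IPsec policy (SPD) check that NETKEY
# performs. Selectors are src/dst subnets only; real entries also carry
# direction, protocol and ports. Not Openswan code.

def build_spd(conns):
    """Expand ipsec.conf-style conns into outbound SPD entries.

    conns are (name, leftsubnet, [rightsubnet, ...]); a conn written with
    rightsubnets={a,b} simply contributes one entry per right subnet.
    """
    return [(name, ip_network(left), ip_network(right))
            for name, left, rights in conns for right in rights]

def spd_lookup(spd, src, dst):
    """Name of the most specific policy covering src->dst, or None.

    None means no policy matches the flow: the packet is routed normally
    and leaves unencrypted, whatever the routing table says.
    """
    s, d = ip_address(src), ip_address(dst)
    hits = [(l.prefixlen + r.prefixlen, name) for name, l, r in spd
            if s in l and d in r]
    return max(hits)[1] if hits else None

def route_lookup(routes, dst):
    """Longest-prefix match over (prefix, next_hop) routes."""
    d = ip_address(dst)
    hits = [(ip_network(p).prefixlen, nh) for p, nh in routes
            if d in ip_network(p)]
    return max(hits)[1] if hits else None

def classify(conns, routes, src, dst):
    """(next hop, policy) for a packet leaving leaf 1. The two decisions are
    independent, which is why 'route add' alone cannot put traffic in a tunnel."""
    return route_lookup(routes, dst), spd_lookup(build_spd(conns), src, dst)

# Constructed from Paul's diagram: leaf1 10.0.1.0/24, hub 10.0.2.0/24,
# leaf2 10.0.3.0/24, plus an assumed 10.0.4.0/24 behind the hub.
LEAF1_CONNS = [("tohub",   "10.0.1.0/24", ["10.0.2.0/24"]),
               ("toleaf2", "10.0.1.0/24", ["10.0.3.0/24"])]
LEAF1_ROUTES = [("0.0.0.0/0", "57.0.1.1"),    # assumed default gateway on eth0
                ("10.0.0.0/8", "10.0.2.1")]   # assumed 'route add' toward the hub

# Paul's two alternatives: widen the selectors with rightsubnets={...} ...
LEAF1_WIDENED = [("tohub",   "10.0.1.0/24", ["10.0.2.0/24"]),
                 ("toleaf2", "10.0.1.0/24", ["10.0.3.0/24", "10.0.4.0/24"])]
# ... or a leaf-to-0.0.0.0/0 catch-all, which also swallows Internet-bound traffic.
LEAF1_CATCHALL = [("catchall", "10.0.1.0/24", ["0.0.0.0/0"])]
```

With the first conn set, a packet for 10.0.4.9 is routed toward the hub but matches no policy, so it would leave in the clear; the widened conn or the catch-all is what actually changes that outcome.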