[Openswan Users] Send all internet traffic through VPN
neal.p.murphy at alum.wpi.edu
Tue Oct 11 18:40:10 EDT 2011
I've some general questions about configuring openswan. I'm finally getting a
decent mental image of how it seems to work. But before I go too much farther,
I thought I'd inquire here about feasibilities and some sanity topics.
Generally, HUB-SITE-A is the main firewall with openswan that will control all
internet traffic. REMOTE-SITE-B is a firewall with openswan and DNSMASQ that
will send all of its internet traffic to site A. There are several remote
sites. They are all interconnected with IPSEC VPNs.
While trying to get the remote-to-hub thing working, I added the subnet-to-
subnet conn (LAN-to-0.0.0.0/0) and most traffic was directed to site A, except
for DNS which vanished inside ipsec0.
Whie I was first telling the bear (typing this), I realized I needed a host-
to-subnet to allow the locally-generated DNS request (from dnsmasq) through
the VPN. So I hacked my script to auto-create this conn and it creates the
subnet-to-subnet conn. Hacked the other end's ipsec.conf, restarted and 'Lo!
it started working. But I don't know what else may be needed.
So, on to the questions. (Note that each of the several sites does have a
unique private LAN.)
If one wants to be pedantic about traffic, should one add all four conn types
(subnet-subnet, host-subnet, subnet-host, host-host) as a matter of principle?
Are there security considerations when doing this if either end is a firewall
or if both are?
If one has a mesh for internal traffic, will adding the hub-n-spoke (changing
the conns to the hub to use 0.0.0.0/0 for the hub subnet) for internet traffic
work? That is, will the internal traffic still traverse their VPNs while the
internet traffic goes to the hub?
Is there a solid, lucid description somewhere on the 'net of the various
ipsec.conf parameters and why/how they are used? If not, shall I write one? I
have the opportunity to create a hub-n-spoke config to content-filter internet
traffic on top of an existing full mesh for inter-site communication. Some of
the sites are on cable/DSL; some of the sites are behind NAT via a T-1
provider; some sites use smoothwall, some use sonicwall. At the moment, the
full mesh is working and Win AD is replicating across the VPNs. The next task
is to forward all the inernet traffic to the central site to be filtered.
Finally, related to the mesh and spoke setup, can I reasonably expect road
warriors to work? Might I be better off segregating road warriors to openvpn?
More information about the Users