[Openswan Users] Send all internet traffic through VPN

[Neal Murphy]

Howdy!

I've some general questions about configuring openswan. I'm finally getting a 
decent mental image of how it seems to work. But before I go too much farther, 
I thought I'd inquire here about feasibilities and some sanity topics.

Generally, HUB-SITE-A is the main firewall with openswan that will control all 
internet traffic. REMOTE-SITE-B is a firewall with openswan and DNSMASQ that 
will send all of its internet traffic to site A. There are several remote 
sites. They are all interconnected with IPSEC VPNs.

While trying to get the remote-to-hub thing working, I added the subnet-to-
subnet conn (LAN-to-0.0.0.0/0) and most traffic was directed to site A, except 
for DNS which vanished inside ipsec0.

Whie I was first telling the bear (typing this), I realized I needed a host-
to-subnet to allow the locally-generated DNS request (from dnsmasq) through 
the VPN. So I hacked my script to auto-create this conn and it creates the 
subnet-to-subnet conn. Hacked the other end's ipsec.conf, restarted and 'Lo! 
it started working. But I don't know what else may be needed.

So, on to the questions. (Note that each of the several sites does have a 
unique private LAN.)

If one wants to be pedantic about traffic, should one add all four conn types 
(subnet-subnet, host-subnet, subnet-host, host-host) as a matter of principle? 
Are there security considerations when doing this if either end is a firewall 
or if both are?

If one has a mesh for internal traffic, will adding the hub-n-spoke (changing 
the conns to the hub to use 0.0.0.0/0 for the hub subnet) for internet traffic 
work? That is, will the internal traffic still traverse their VPNs while the 
internet traffic goes to the hub?

Is there a solid, lucid description somewhere on the 'net of the various 
ipsec.conf parameters and why/how they are used? If not, shall I write one? I 
have the opportunity to create a hub-n-spoke config to content-filter internet 
traffic on top of an existing full mesh for inter-site communication. Some of 
the sites are on cable/DSL; some of the sites are behind NAT via a T-1 
provider; some sites use smoothwall, some use sonicwall. At the moment, the 
full mesh is working and Win AD is replicating across the VPNs. The next task 
is to forward all the inernet traffic to the central site to be filtered.

Finally, related to the mesh and spoke setup, can I reasonably expect road 
warriors to work? Might I be better off segregating road warriors to openvpn?

Thanks!
Neal