[Openswan Users] openswan with several raven-xe 3G routers

Luke Leighton luke.leighton at pathintel.com
Tue Dec 18 05:13:07 EST 2012


hi folks, i have an interesting setup that i'm slightly struggling to
get my head round, and would greatly appreciate some advice.  the
setup we're aiming for is to have *multiple* raven-xe 3G routers,
where at the very least we will be able, in the office, to gain access
to all devices connected on the subnet(s) of the raven-xe routers.  we
are using a machine that's on the public internet, co-lo hosted, as
the coordinating machine.  it has *one* public-facing interface: it
does *not* have two sets of ethernet ports and we will need to use a
VPN ourselves in order to make that machine appear to be in our office
network.

the test-config is as follows, and it works:

version 2.0

config setup
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!colosubnetaddress/24,%v4:!10.8.0.0/24,%v4:!10.11.12.0/24
        oe=off
        protostack=auto

conn sample
        authby=secret
        keyexchange=ike
        left=publicipaddress
        leftsubnet=10.11.12.0/24
        leftnexthop=10.11.12.1
        leftupdown=/usr/local/bin/ipsec-updown.sh
        right=%any
        rightsubnet=192.168.13.0/24
        rightnexthop=192.168.13.31
        auto=add

this is what /usr/local/bin/ipsec-updown.sh contains:

#!/bin/sh

# run the stock openswan updown script first, passing its arguments through unchanged
/usr/lib/ipsec/_updown "$@"

# when pluto routes the peer (or the peer's client subnet), point that
# destination at the fake tap0 network on the server
if [ "$PLUTO_VERB" = "route-host" -o "$PLUTO_VERB" = "route-client" ]; then
        /sbin/ip route add "$PLUTO_PEER_CLIENT" dev tap0
fi

# and take the route away again when pluto unroutes it
if [ "$PLUTO_VERB" = "unroute-host" -o "$PLUTO_VERB" = "unroute-client" ]; then
        /sbin/ip route del "$PLUTO_PEER_CLIENT"
fi

and /etc/network/interfaces is:

auto tap0
iface tap0 inet static
        pre-up tunctl -t tap0
        address 10.11.12.1
        netmask 255.255.255.0
        #gateway 10.11.12.1


the reason for creating the fake network (with tap0) is because the
server is, obviously, on the public internet and has only one ethernet
port.  if i were to drop the traffic onto that "real" ethernet port,
by way of "borrowing" some of the public address range, the ISP is
going to get a bit unhappy.  there isn't a 2nd ethernet port so i
can't drop the traffic onto that; ergo, logically, i have to create
something and because this is entirely virtual it might as well be a
tun or tap.

the bit that i'm having some difficulty getting my head round is the
laborious way that it looks like this has to be done:

office network:
* join to e.g. 10.11.10.0/24 on a fake tap.

network 0:

* raven 0 - set it up so that its internal network is 192.168.13.0/24
* tap0 - set it up as 10.11.12.0/1 with a fake "router" of 10.11.12.1
* set up network 0 to connect the two
* have routing added on the server (ipsec-updown.sh) so that any
traffic from {officenet} can get to 192.168.13.0/24

network 1:

* raven 1 - set it up so that its internal network is 192.168.14.0/24
* tap1 - set it up as 10.11.13.0/1 with a fake "router" of 10.11.13.1
* set up network 1 to connect the two
* have routing added on the server (ipsec-updown.sh) so that any
traffic from {officenet} can get to 192.168.14.0/24

repeat, repeat, repeat, repeat.

as there may be something like 20 of these throughout the world (one
per engineer) or potentially even a thousand of them if we ever decide
to put the ravens into our kit pre-shipped, that is a hell of a lot of
configuring of openswan, and a hell of a lot of fake subnets.

so my question is: is there an easier way to do this?  are we
basically looking at a mini version of the internet and should we be
considering using oh i dunno.... quagga, babel or anything funny like
that?  bear in mind that we can't replace the firmware on the raven
xe, but we may be able to put further kit on the subnet which could do
yet more fancy stuff but it's something we'd like to avoid as it's
complicated enough as it is.

any advice greatly appreciated.

l.
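As an added illustration of the "repeat, repeat, repeat" step, not code from the post or from openswan: the script below generates one conn stanza per Raven from a constructed inventory, mirroring the left-side values of the "conn sample" above, and refuses to emit anything if two Ravens claim the same LAN /24, since every rightsubnet becomes a route on the single co-lo server. It assumes all Ravens can share the one fake tap0 subnet on the server side; the inventory format, Raven names and addresses are made up for the example.

```shell
#!/bin/sh
# Added example, not from the original post or from openswan.
# Generate an openswan conn stanza per Raven and check the inventory
# for duplicate LAN subnets before doing so.

# Constructed inventory, one Raven per line: "<name> <LAN subnet> <LAN gateway>"
RAVENS='raven0 192.168.13.0/24 192.168.13.31
raven1 192.168.14.0/24 192.168.14.31
raven2 192.168.15.0/24 192.168.15.31'

# Print the conn stanza for one Raven: $1=name $2=rightsubnet $3=rightnexthop.
# The left side is identical for every conn: one public IP, one fake tap0
# subnet, and the same updown script (it keys on PLUTO_PEER_CLIENT, so it
# needs no per-Raven changes).
emit_conn() {
    printf 'conn %s\n' "$1"
    printf '        authby=secret\n'
    printf '        keyexchange=ike\n'
    printf '        left=publicipaddress\n'
    printf '        leftsubnet=10.11.12.0/24\n'
    printf '        leftnexthop=10.11.12.1\n'
    printf '        leftupdown=/usr/local/bin/ipsec-updown.sh\n'
    printf '        right=%%any\n'
    printf '        rightsubnet=%s\n' "$2"
    printf '        rightnexthop=%s\n' "$3"
    printf '        auto=add\n\n'
}

# Succeed only if no LAN subnet appears twice in the inventory passed as $1.
check_unique_subnets() {
    dups=$(printf '%s\n' "$1" | awk 'NF { print $2 }' | sort | uniq -d)
    [ -z "$dups" ]
}

# Write the conn stanzas for the whole inventory ($1) to stdout, or fail.
generate_conns() {
    check_unique_subnets "$1" || {
        echo "inventory has a duplicate rightsubnet, refusing to generate" >&2
        return 1
    }
    printf '%s\n' "$1" | while read -r name subnet nexthop; do
        if [ -n "$name" ]; then
            emit_conn "$name" "$subnet" "$nexthop"
        fi
    done
}

# Stand-alone usage: print the fragment for the constructed inventory.
generate_conns "$RAVENS"
```

The output is meant to be appended to ipsec.conf (or dropped into a file pulled in via an include line); the duplicate check is the part worth keeping even if the stanzas are written by hand.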
