Questions around Hub and spoke config and routing using Draytek 28x series

Daniel Cave dan.cave at me.com
Fri May 25 10:35:03 EDT 2012

Hi all

Firstly, I would like to introduce myself: I'm an IT professional based in the UK. We have been using OpenSwan for a little while and my questions are around inter-op.

We are moving towards using Openswan exclusively to connect third parties and connecting to third party devices.

Recently, I set up a central host hosted with my provider using OpenSwan 2.6 using netkey. I also connected to it via our office Draytek 2820n, which was simple and easy enough. The routing was straightforward and we can do simple things like monitoring and SNMP via the tunnel between the 'hub' and office router.

A while later, I set up a 2nd node at another site; this was another Linux host (stock CentOS 5.8) with netkey also.

I wanted to route between this new node and our office via the hub, so I set up the appropriate routes to send traffic to our office node (which is terminated on the 2820n).

However, I discovered that the 2820n does not let me route traffic from the office LAN to the new 2nd host via the hub. I raised a call with UK Draytek support, who told me this:

"These routers don't support IPSec SA (security association) for multiple IP subnets over one VPN connection, which means data is dropped/blocked when it comes from a non-associated IP subnet/range (TCP/IP Network Settings)"

You can imagine that I was pretty surprised to hear that. Is this the case with Openswan, or is this Draytek router a piece of crud? I've not had time to try out a new hardware OpenSwan box at our office to initiate the tunnels.

Most of my experience has been with Cisco PIX/ASA with regard to IPsec, and Openswan a while back, so my understanding is that this *should* work.

Can anyone make any comment or feedback about this? I'm quite disappointed that Draytek (support) seem very unhelpful and have made a pretty good device that lacks this standard functionality - however, it doesn't surprise me.

My 2nd question is this.

I have noticed that between my two Linux hosts (and similarly between my hub OpenSwan device and our office Draytek), when the tunnel and routes appear to be up, sometimes no traffic passes over the tunnel. I have to manually restart each tunnel instance on the left-hand side, and I have configured the ipsec config for each site, left and right-hand side respectively, to be 'auto=start'. However, in my experience with Cisco IPsec both endpoints are always up; if the tunnel drops for some reason, it automatically restarts when routing traffic is required or is triggered via connectivity requests.

Is this normal behaviour, or do I need to include some other directive in my config to facilitate this?

Thanks in advance for any reply/feedback.
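As an added example (not from the poster, and not taken from Openswan's documentation), here is how the hub side of this topology is normally expressed in Openswan 2.6: one conn per subnet pair, so that the two conns sharing a peer reuse one IKE (phase 1) SA but each negotiates its own IPsec (phase 2) SA with its own selectors, which is exactly the "multiple IP subnets over one VPN connection" case the Draytek statement above says the 2820n will not accept; Dead Peer Detection is added for the second question. All addresses and conn names are constructed placeholders.

```ini
# /etc/ipsec.conf on the hub. Constructed example: addresses are RFC 5737
# documentation ranges and conn names are invented, not the poster's values.
config setup
        protostack=netkey

conn %default
        keyexchange=ike
        authby=secret
        # Dead Peer Detection: probe the peer every 30 s; if it stays silent
        # for 120 s, tear the SAs down and renegotiate instead of leaving a
        # tunnel that looks "up" but carries no traffic.
        dpddelay=30
        dpdtimeout=120
        dpdaction=restart
        auto=start
        # auto=route would instead install the policy and bring the tunnel
        # up on the first matching packet (the Cisco-style on-demand model).

# Hub LAN <-> office LAN, terminated on the Draytek 2820n.
conn hub-office
        left=203.0.113.1
        leftsubnet=10.0.0.0/24
        right=198.51.100.1
        rightsubnet=192.168.1.0/24

# Hub LAN <-> second site (CentOS/Openswan).
conn hub-site2
        left=203.0.113.1
        leftsubnet=10.0.0.0/24
        right=192.0.2.1
        rightsubnet=172.16.0.0/24

# Site 2 LAN <-> office LAN, carried on the hub<->office tunnel. Same peers
# as hub-office, so the IKE (phase 1) SA is shared and only an extra IPsec
# (phase 2) SA with these selectors is negotiated. This is the selector
# pair the Draytek reported it will not accept.
conn site2-to-office
        left=203.0.113.1
        leftsubnet=172.16.0.0/24
        right=198.51.100.1
        rightsubnet=192.168.1.0/24

# Office LAN <-> site 2 LAN, carried on the hub<->site2 tunnel.
conn office-to-site2
        left=203.0.113.1
        leftsubnet=192.168.1.0/24
        right=192.0.2.1
        rightsubnet=172.16.0.0/24
```

Each spoke needs the mirror image of its two conns, and the hub must have IP forwarding enabled (net.ipv4.ip_forward=1) for packets to cross from one tunnel to the other.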
