[Openswan Users] Questions around Hub and spoke config and routing using Draytek 28x series

Giles dev.first at digitalchild.co.uk
Fri May 25 12:38:39 EDT 2012


Hi,

I run a small company and interestingly am just putting in a set of 4
Draytek routers all connected to an OpenSwan endpoint in our data centre. As
there are relatively few Drayteks I have opted to mesh them together instead
of using a hub/spoke arrangement. This also saves on bandwidth to the data
centre.

I am using Vigor 2830Ns, and on those there is a "more" option in the VPN
configuration which, according to the manual lets you "Add a static route to
direct all traffic destined to more Remote Network IP Addresses/ Remote
Network Mask through the VPN connection. This is usually used when you find
there are several subnets behind the remote VPN router". This sounds like
what you want - so looks like it's a feature Draytek added to the newer
model.

My 4 Drayteks dial into the OpenSwan server, on which all profiles are set
as "auto=route". I've not noticed them stop forwarding traffic although I do
have the keepalive pings turned on from the Draytek end, and DPD enabled
with a fairly low timeout on the OpenSwan end.

Hope that helps,
Giles.

> -----Original Message-----
> From: Daniel Cave [mailto:dan.cave at me.com]
> Sent: 25 May 2012 15:35
> To: Openswan List
> Subject: [Openswan Users] Questions around Hub and spoke config and
> routing using Draytek 28x series
> 
> Hi all
> 
> Firstly I would like to introduce myself, I'm an IT professional based in
> the UK. We have been using OpenSwan for a little while and my questions are
> around inter-op.
> 
> We are moving towards using Openswan exclusively to connect third parties
> and connecting to third party devices.
> 
> 
> Recently, I set up a central host hosted with my provider using OpenSwan 2.6
> using netkey. I also connected to it via our office Draytek 2820n, which was
> simple and easy enough. The routing was straightforward and we can do
> simple things like monitoring and SNMP via the tunnel between the 'hub'
> and office router.
> 
> A while later, I set up a 2nd node at another site, this was another Linux
> host using 2.6.32.6 [stock CentOS 5.8] with netkey also.
> 
> I wanted to route between this new node and our office via the hub, so I
> set up the appropriate routes to send traffic to our office node (which is
> terminated on the 2820n).
> 
> However, I discovered that the 2820n does not let me route traffic from
> the office LAN to the new 2nd host via the hub. I raised a call with UK
> Draytek support who told me this:
> 
> "These routers don't support IPSec SA (security association) for multiple IP
> subnets over one VPN connection, which means data is dropped/blocked when it
> comes from a non-associated IP subnet/range (TCP/IP Network Settings)"
> 
> You can imagine that I was pretty surprised to hear that. Is this the
> case with Openswan or is this Draytek router a piece of crud? I've not had
> time to try out a new hardware OpenSwan box at our office to initiate the
> tunnels.
> 
> Most of my experience has been with Cisco PIX/ASA with regard to IPsec,
> and Openswan a while back, so my understanding is that this *should* work.
> 
> Can anyone make any comment or feedback about this? I'm quite
> disappointed that Draytek (support) seem very unhelpful and have made a
> pretty good device that lacks this standard functionality - however it
> doesn't surprise me.
> 
> My 2nd question is this.
> 
> I have noticed that between my two Linux hosts (and similarly between my
> hub OpenSwan device and our office Draytek), when the tunnel and routes
> appear to be up, sometimes no traffic passes over the tunnel. I have to
> manually restart each tunnel instance on the left hand side. I have
> configured the ipsec config for each site, left and right hand side
> respectively, to be 'auto=start'; however, in my experience with Cisco
> IPsec both endpoints are always up: if the tunnel drops for some reason, it
> automatically restarts when routing traffic is required or triggered via
> connectivity requests.
> 
> Is this normal behaviour or do I need to include some other directive in
> my config to facilitate this?
> 
> thanks in advance for any reply/feedback.
> 
> Regards
> 
> Dan.
> 
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-
> 2946327?n=283155
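To show the arrangement the two posts describe together (one SA per subnet pair for the Draytek, and auto=route plus DPD on the Openswan hub so tunnels come back on their own), here is an added hub-side ipsec.conf sketch; it is not from either poster, and every address, LAN range and conn name is a constructed placeholder to be replaced with your own.

```ini
# /etc/ipsec.conf on the hub (Openswan 2.6, netkey). Constructed placeholders:
#   hub public IP 198.51.100.1, hub LAN 10.0.0.0/24
#   office Draytek 203.0.113.1, office LAN 192.168.1.0/24
#   second Linux site 192.0.2.1, site2 LAN 10.0.2.0/24
config setup
    protostack=netkey
    nat_traversal=yes

# Defaults for every conn. auto=route installs the policy at startup and
# negotiates on the first matching packet, so a tunnel that has died is
# re-established by traffic rather than by a manual restart. DPD notices a
# dead peer and tears the stale SA down so that renegotiation can happen.
conn %default
    authby=secret
    keyexchange=ike
    ike=aes128-sha1;modp1024
    phase2alg=aes128-sha1
    pfs=no
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    auto=route

# Office Draytek: the 28x carries only one subnet pair per SA, so each
# remote network the office must reach is its own conn. The second conn is
# the hub-routed path to site2; the Draytek needs a matching extra remote
# network entry ("more" on the 2830, per-profile on the 2820).
conn hub-office
    left=198.51.100.1
    leftsubnet=10.0.0.0/24
    right=203.0.113.1
    rightsubnet=192.168.1.0/24

conn hub-office-site2
    left=198.51.100.1
    leftsubnet=10.0.2.0/24
    right=203.0.113.1
    rightsubnet=192.168.1.0/24

# Second Linux site: same idea, with the office LAN offered via the hub.
conn hub-site2
    left=198.51.100.1
    leftsubnet=10.0.0.0/24
    right=192.0.2.1
    rightsubnet=10.0.2.0/24

conn hub-site2-office
    left=198.51.100.1
    leftsubnet=192.168.1.0/24
    right=192.0.2.1
    rightsubnet=10.0.2.0/24
```

After `ipsec restart`, `ipsec auto --status` should list all four conns as routed, and a ping from the site2 LAN to an office host should bring up both hub-site2-office and hub-office-site2; if only one SA pair is negotiated, check that the Draytek profile carries the extra remote subnet.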
