[Openswan Users] Questions around Hub and spoke config and routing using Draytek 28x series

Daniel Cave dan.cave at me.com
Tue May 29 08:22:05 EDT 2012


Hi Giles,

Thank you for your reply. It would appear from your mail that I've tried the same thing with regard to the remote "more" routing option, which I presume is within the lan-to-lan profile, but unfortunately it does not seem to work and I do not see traffic being forwarded beyond the Linux Openswan gateway. I thought this was down to IP forwarding not being enabled on the Openswan gw, which isn't the case, and I haven't been able to spend any more time diagnosing this further.

Draytek tell me that this "more" routing option only works between Draytek devices and not third-party router/VPN devices. In theory I believe it should work regardless, but it seems this isn't going to be something I can fix quickly/myself unless I remove the 2820 device or try with a 2830, which presumably has differing firmware behaviour.

If you feel you want to contact me directly via email / off topic about this, I'd welcome any views/thoughts.

Regards
Dan

On 25 May 2012, at 17:38, Giles wrote:

> Hi,
> 
> I run a small company and interestingly am just putting in a set of 4
> Draytek routers all connected to an OpenSwan endpoint in our data centre. As
> there are relatively few Drayteks I have opted to mesh them together instead
> of using a hub/spoke arrangement. This also saves on bandwidth to the data
> centre.
> 
> I am using Vigor 2830Ns, and on those there is a "more" option in the VPN
> configuration which, according to the manual lets you "Add a static route to
> direct all traffic destined to more Remote Network IP Addresses/ Remote
> Network Mask through the VPN connection. This is usually used when you find
> there are several subnets behind the remote VPN router". This sounds like
> what you want - so looks like it's a feature Draytek added to the newer
> model.
> 
> My 4 Drayteks dial into the OpenSwan server, on which all profiles are set
> as "auto=route". I've not noticed them stop forwarding traffic although I do
> have the keepalive pings turned on from the Draytek end, and DPD enabled
> with a fairly low timeout on the OpenSwan end.
> 
> Hope that helps,
> Giles.
> 
>> -----Original Message-----
>> From: Daniel Cave [mailto:dan.cave at me.com]
>> Sent: 25 May 2012 15:35
>> To: Openswan List
>> Subject: [Openswan Users] Questions around Hub and spoke config and
>> routing using Draytek 28x series
>> 
>> Hi all
>> 
>> Firstly I would like to introduce myself, I'm an IT professional based in
>> the UK. We have been using OpenSwan for a little while and my questions are
>> around inter-op.
>> 
>> We are moving towards using Openswan exclusively to connect third parties
>> and connecting to third party devices.
>> 
>> 
>> Recently, I set up a central host hosted with my provider using OpenSwan 2.6
>> using netkey. I also connected to it via our office Draytek 2820n, which was
>> simple and easy enough. The routing was straightforward and we can do
>> simple things like monitoring and SNMP via the tunnel between the 'hub' and
>> office router.
>> 
>> A while later, I set up a 2nd node at another site; this was another Linux
>> host using 2.6.32.6 [stock CentOS 5.8] with netkey also.
>> 
>> I wanted to route between this new node and our office via the hub, so I
>> set up the appropriate routes to send traffic to our office node (which is
>> terminated on the 2820n).
>> 
>> However, I discovered that the 2820n does not let me route traffic from the
>> office LAN to the new 2nd host via the hub. I raised a call with UK Draytek
>> support who told me this:
>> 
>> "These routers don't support IPSec SA (security association) for multiple IP
>> subnets over one VPN connection, which means data is dropped/blocked when
>> comes from non associated IP subnet/range( TCP/IP Network Settings "
>> 
>> You can imagine that I was pretty surprised to hear that. Is this the case
>> with Openswan, or is this Draytek router a piece of crud? I've not had time
>> to try out a new hardware OpenSwan box at our office to initiate the tunnels.
>> 
>> Most of my experience has been with Cisco PIX/ASA with regard to IPsec,
>> and Openswan a while back, so my understanding is that this *should* work.
>> 
>> Can anyone make any comment or feedback about this? I'm quite
>> disappointed that Draytek (support) seem very unhelpful and have made a
>> pretty good device that lacks this standard functionality; however it
>> doesn't surprise me.
>> 
>> My 2nd question is this.
>> 
>> I have noticed that between my two Linux hosts (and similarly between my
>> hub OpenSwan device and our office Draytek), when the tunnel and routes
>> appear to be up, sometimes no traffic passes over the tunnel. I have to
>> manually restart each tunnel instance on the left hand side, and have
>> configured the ipsec config for each site, left and right hand side
>> respectively, to be 'auto=start'. However, in my experience with Cisco IPsec,
>> both endpoints are always up; if the tunnel drops for some reason, it
>> automatically restarts when routing traffic is required or triggered via
>> connectivity requests.
>> 
>> Is this normal behaviour, or do I need to include some other directive in my
>> config to facilitate this?
>> 
>> thanks in advance for any reply/feedback.
>> 
>> Regards
>> 
>> Dan.
>> 
>> _______________________________________________
>> Users at lists.openswan.org
>> https://lists.openswan.org/mailman/listinfo/users
>> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>> Building and Integrating Virtual Private Networks with Openswan:
>> http://www.amazon.com/gp/product/1904811256/104-3099591-
>> 2946327?n=283155
> 

Regards

Dan.
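The thread turns on two Openswan settings: Giles runs his spoke conns as `auto=route` with DPD on the Openswan end, whereas Dan's conns are `auto=start` and sometimes stop passing traffic until restarted by hand; and the Draytek refuses a second subnet pair over one VPN connection, which is exactly what routing spoke-to-spoke traffic via the hub requires under IKEv1, where each IPsec SA carries one local/remote selector pair. The following added example (mine, not code from either poster or from the Openswan project) generates the hub-side `ipsec.conf` for such a layout: one conn per (hub-side subnet, spoke subnet) pair, using `auto=route` and `dpdaction=restart` so a dropped tunnel re-negotiates when traffic next matches. All addresses, subnets, conn names and timer values are constructed placeholders.

```python
"""Added example: generate the hub-side Openswan 2.6 ipsec.conf for a
hub-and-spoke layout in which spoke-to-spoke traffic crosses the hub.
Every address and subnet here is a constructed placeholder."""

from typing import Dict, List

HUB_PUBLIC = "203.0.113.1"   # constructed hub public address
HUB_LAN = "10.0.0.0/24"      # constructed hub LAN

# Constructed spokes: the office router and the second Linux site.
SPOKES: Dict[str, Dict] = {
    "office": {"public": "198.51.100.10", "subnets": ["192.168.1.0/24"]},
    "site2": {"public": "198.51.100.20", "subnets": ["10.10.0.0/24"]},
}


def _tag(cidr: str) -> str:
    """Turn 192.168.1.0/24 into a token usable inside a conn name."""
    return cidr.replace(".", "-").replace("/", "_")


def reachable_subnets(spoke: str, spokes: Dict[str, Dict], hub_lan: str) -> List[str]:
    """Subnets a spoke must reach through the hub: the hub LAN first,
    then every other spoke's LANs (dict order is preserved)."""
    out = [hub_lan]
    for name, cfg in spokes.items():
        if name != spoke:
            out.extend(cfg["subnets"])
    return out


def build_conns(spoke: str, spokes: Dict[str, Dict], hub_public: str, hub_lan: str) -> List[str]:
    """One conn per (hub-side subnet, spoke subnet) pair.

    IKEv1 quick mode negotiates a single local/remote selector pair per
    IPsec SA, so each extra subnet the spoke should reach via the hub is
    a separate conn, and a separate SA the spoke device must agree to.
    A spoke that only accepts one subnet per VPN profile will drop or
    refuse the second pair, which is the behaviour described in the thread.
    """
    cfg = spokes[spoke]
    sections = []
    for remote in reachable_subnets(spoke, spokes, hub_lan):
        for local in cfg["subnets"]:
            name = f"hub-{spoke}-{_tag(remote)}-to-{_tag(local)}"
            sections.append("\n".join([
                f"conn {name}",
                f"    left={hub_public}",
                f"    leftsubnet={remote}",
                f"    right={cfg['public']}",
                f"    rightsubnet={local}",
                "    authby=secret",
                "    keyexchange=ike",
                # auto=route installs a trap policy: the first packet that
                # matches the selectors brings the tunnel up on its own.
                "    auto=route",
                # Dead Peer Detection with a short timeout (constructed values);
                # 'restart' rather than the default 'hold' so a dead tunnel is
                # re-negotiated instead of waiting for a manual restart.
                "    dpddelay=30",
                "    dpdtimeout=90",
                "    dpdaction=restart",
            ]))
    return sections


def render_hub_config(hub_public: str, hub_lan: str, spokes: Dict[str, Dict]) -> str:
    """Complete ipsec.conf text for the hub: NETKEY stack plus every spoke conn."""
    header = "config setup\n    protostack=netkey\n"
    body: List[str] = []
    for spoke in spokes:
        body.extend(build_conns(spoke, spokes, hub_public, hub_lan))
    return header + "\n" + "\n\n".join(body) + "\n"


if __name__ == "__main__":
    print(render_hub_config(HUB_PUBLIC, HUB_LAN, SPOKES))
```

With two spokes the generator emits four conns: each spoke gets one for the hub LAN and one for the other spoke's LAN. The matching spoke-side configuration must offer the same selector pairs (on a Linux spoke that is simply the mirror-image conns; on a router it is whatever the vendor exposes for additional remote networks), and the hub needs `net.ipv4.ip_forward=1` for the spoke-to-spoke pairs to actually pass traffic.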
