[Openswan Users] Questions around Hub and spoke config and routing using Draytek 28x series

Nick Howitt n1ck.h0w1tt at gmail.com
Tue May 29 13:29:21 EDT 2012


When I tried it on my 2900 it made a complete mess of the conn and 
neither the first subnet nor one of the "more" subnets worked. I've just 
acquired a 2930 which I will deploy in a few weeks and I may try to see 
if it, as a later machine, works but from what you say I don't hold out 
much hope.

Nick

On 29/05/2012 13:22, Daniel Cave wrote:
> Hi Giles,
>
> Thank you for your reply. It would appear from your mail that I've tried the same thing with regard to the remote "more" routing option, which I presume is within the LAN-to-LAN profile, but unfortunately it does not seem to work and I do not see traffic being forwarded beyond the Linux Openswan gateway. I thought this was down to IP forwarding not being enabled on the Openswan gateway, which isn't the case, and I haven't been able to spend any more time diagnosing this further.
>
> Draytek tell me that this "more" routing option only works between Draytek devices and not third-party router/VPN devices. In theory I believe it should work regardless, but it seems this isn't going to be something I can fix quickly/myself unless I remove the 2820 device or try with a 2830, which presumably has differing firmware behaviour.
>
> If you feel you want to contact me directly via email / off topic about this, I'd welcome any views/thoughts.
>
> Regards
> Dan
>
> On 25 May 2012, at 17:38, Giles wrote:
>
>> Hi,
>>
>> I run a small company and interestingly am just putting in a set of 4
>> Draytek routers all connected to an OpenSwan endpoint in our data centre. As
>> there are relatively few Drayteks I have opted to mesh them together instead
>> of using a hub/spoke arrangement. This also saves on bandwidth to the data
>> centre.
>>
>> I am using Vigor 2830Ns, and on those there is a "more" option in the VPN
>> configuration which, according to the manual lets you "Add a static route to
>> direct all traffic destined to more Remote Network IP Addresses/ Remote
>> Network Mask through the VPN connection. This is usually used when you find
>> there are several subnets behind the remote VPN router". This sounds like
>> what you want - so looks like it's a feature Draytek added to the newer
>> model.
>>
>> My 4 Drayteks dial into the OpenSwan server, on which all profiles are set
>> as "auto=route". I've not noticed them stop forwarding traffic although I do
>> have the keepalive pings turned on from the Draytek end, and DPD enabled
>> with a fairly low timeout on the OpenSwan end.
>>
>> Hope that helps,
>> Giles.
>>
>>> -----Original Message-----
>>> From: Daniel Cave [mailto:dan.cave at me.com]
>>> Sent: 25 May 2012 15:35
>>> To: Openswan List
>>> Subject: [Openswan Users] Questions around Hub and spoke config and
>>> routing using Draytek 28x series
>>>
>>> Hi all
>>>
>>> Firstly I would like to introduce myself: I'm an IT professional based in
>>> the UK. We have been using OpenSwan for a little while and my questions are
>>> around inter-op.
>>>
>>> We are moving towards using Openswan exclusively to connect third parties
>>> and connecting to third party devices.
>>>
>>>
>>> Recently, I set up a central host hosted with my provider using OpenSwan 2.6
>>> using netkey. I also connected to it via our office Draytek 2820n, which was
>>> simple and easy enough. The routing was straightforward and we can do
>>> simple things like monitoring and SNMP via the tunnel between the 'hub' and
>>> office router.
>>>
>>> A while later, I set up a 2nd node at another site; this was another Linux
>>> host using 2.6.32.6 [stock CentOS 5.8] with netkey also.
>>>
>>> I wanted to route between this new node and our office via the hub, so I
>>> set up the appropriate routes to send traffic to our office node (which is
>>> terminated on the 2820n).
>>>
>>> However, I discovered that the 2820n does not let me route traffic from the
>>> office LAN to the new 2nd host via the hub. I raised a call with UK Draytek
>>> support, who told me this:
>>>
>>> "These routers don't support IPSec SA (security association) for multiple IP
>>> subnets over one VPN connection, which means data is dropped/blocked when it
>>> comes from a non-associated IP subnet/range (TCP/IP Network Settings)"
>>>
>>> You can imagine that I was pretty surprised to hear that. Is this the case
>>> with OpenSwan, or is this Draytek router a piece of crud? I've not had time
>>> to try out a new hardware OpenSwan box at our office to initiate the tunnels.
>>>
>>> Most of my experience has been with Cisco PIX/ASA with regard to IPsec,
>>> and Openswan a while back, so my understanding is that this *should* work.
>>>
>>> Can anyone make any comment or feedback about this? I'm quite
>>> disappointed that Draytek (support) seem very unhelpful and have made a
>>> pretty good device that lacks this standard functionality; however, it
>>> doesn't surprise me.
>>>
>>> My 2nd question is this.
>>>
>>> I have noticed that between my two Linux hosts (and similarly between my
>>> hub OpenSwan device and our office Draytek), when the tunnel and routes
>>> appear to be up, sometimes no traffic passes over the tunnel. I have to
>>> manually restart each tunnel instance on the left-hand side, and I have
>>> configured the ipsec config for each site, left- and right-hand side
>>> respectively, to be 'auto=start'. However, in my experience with Cisco IPsec,
>>> both endpoints are always up; if the tunnel drops for some reason, it
>>> automatically restarts when routing traffic is required or triggered via
>>> connectivity requests.
>>>
>>> Is this normal behaviour, or do I need to include some other directive in my
>>> config to facilitate this?
>>>
>>> thanks in advance for any reply/feedback.
>>>
>>> Regards
>>>
>>> Dan.
>>>
>>> _______________________________________________
>>> Users at lists.openswan.org
>>> https://lists.openswan.org/mailman/listinfo/users
>>> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>>> Building and Integrating Virtual Private Networks with Openswan:
>>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
> Regards
>
> Dan.
>
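The two questions in the thread (several subnets behind one peer, and tunnels that stay "up" without passing traffic) both come down to how the hub's `ipsec.conf` is written. The fragment below is an added example, not the configuration of any poster here and not Draytek's or the Openswan project's own material; the addresses and subnets are constructed, and it assumes the Openswan 2.6 keywords `leftsubnets`/`rightsubnets`, `auto=route` and the `dpd*` settings. The point it shows: IKEv1 negotiates one phase-2 SA per subnet pair, so each extra subnet behind a peer has to appear as its own pair, and traffic between two spokes via the hub only works when the spoke's subnets are listed on the hub's conn to the other spoke as well.

```ini
# Added example ipsec.conf for the Openswan 2.6 hub (constructed addresses).
# Hub LAN:         10.10.0.0/24      public 203.0.113.10
# Office (Draytek) 192.168.1.0/24 and 192.168.2.0/24, public 198.51.100.20
# Site 2 (Linux)   10.20.0.0/24,     public 192.0.2.30
config setup
    protostack=netkey
    nat_traversal=yes

conn %default
    keyexchange=ike
    type=tunnel
    authby=secret
    ike=aes128-sha1;modp1024
    phase2alg=aes128-sha1
    # Dead Peer Detection: probe every 30 s, give up after 120 s of silence and
    # re-initiate, so a tunnel that "looks up" but is dead is torn down and rebuilt
    # instead of silently dropping traffic.
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    # auto=route installs the policy at startup and negotiates on the first packet,
    # and re-negotiates after a drop; auto=start only initiates once at startup.
    auto=route

conn hub-to-office
    left=203.0.113.10
    # Every subnet the office must reach over this tunnel, including site 2's LAN,
    # because office<->site2 traffic transits the hub and must match an SA here.
    leftsubnets={10.10.0.0/24 10.20.0.0/24}
    right=198.51.100.20
    # Two office subnets: Openswan expands this into one conn instance (one SA)
    # per left/right subnet pair, i.e. four SAs for this conn.
    rightsubnets={192.168.1.0/24 192.168.2.0/24}

conn hub-to-site2
    left=203.0.113.10
    # Hub LAN plus both office subnets, so packets from the office are not
    # "non-associated" when they arrive at site 2 via the hub.
    leftsubnets={10.10.0.0/24 192.168.1.0/24 192.168.2.0/24}
    right=192.0.2.30
    rightsubnet=10.20.0.0/24
```

Each subnet pair the hub offers must have a matching entry on the peer: on the Linux site this is the mirror-image `rightsubnets`, and on a router that only accepts one subnet pair per VPN profile it means one LAN-to-LAN profile per pair (or the "more" route option on models that have it). A packet whose source/destination pair matches no SA is exactly the "non-associated IP subnet" case Draytek support described, and the narrow, explicit subnet lists are also what keeps each tunnel from carrying more than it was meant to. `ipsec auto --status` on the hub lists the expanded instances so you can confirm every pair has an SA before chasing routing.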

