[Openswan Users] Questions around Hub and spoke config and routing using Draytek 28x series
n1ck.h0w1tt at gmail.com
Tue May 29 13:29:21 EDT 2012
When I tried it on my 2900 it made a complete mess of the conn and
neither the first subnet nor one of the "more" subnets worked. I've just
acquired a 2930 which I will deploy in a few weeks and I may try to see
if it, as a later machine, works but from what you say I don't hold out
On 29/05/2012 13:22, Daniel Cave wrote:
> Hi Giles,
> Thank you for your reply. It would appear that from your mail, I've tried the same thing with regard to the remote "more" routing option, which I presume is within the lan-to-lan profile, but unfortunately it does not seem to work and I do not see traffic being forwarded beyond the linux openswan gateway. I thought this was down to ip.forwarding not being enabled on the open/swan gw, which isn't the case, and I haven't been able to spend any more time diagnosing this further.
> Draytek tell me that this "more" routing option only works between draytek devices and not third party router/vpn devices. In theory I believe it should work regardless but it seems this isn't going to be something I can fix quickly/myself unless I remove the 2820 device or try with a 2830 - which presumably has different firmware behaviour.
> If you feel you want to contact me directly via email / off topic about this, I'd welcome any views/thoughts.
> On 25 May 2012, at 17:38, Giles wrote:
>> I run a small company and interestingly am just putting in a set of 4
>> Draytek routers all connected to an OpenSwan endpoint in our data centre. As
>> there are relatively few Drayteks I have opted to mesh them together instead
>> of using a hub/spoke arrangement. This also saves on bandwidth to the data
>> I am using Vigor 2830Ns, and on those there is a "more" option in the VPN
>> configuration which, according to the manual lets you "Add a static route to
>> direct all traffic destined to more Remote Network IP Addresses/ Remote
>> Network Mask through the VPN connection. This is usually used when you find
>> there are several subnets behind the remote VPN router". This sounds like
>> what you want - so looks like it's a feature Draytek added to the newer
>> My 4 Drayteks dial into the OpenSwan server, on which all profiles are set
>> as "auto=route". I've not noticed them stop forwarding traffic although I do
>> have the keepalive pings turned on from the Draytek end, and DPD enabled
>> with a fairly low timeout on the OpenSwan end.
>> Hope that helps,
>>> -----Original Message-----
>>> From: Daniel Cave [mailto:dan.cave at me.com]
>>> Sent: 25 May 2012 15:35
>>> To: Openswan List
>>> Subject: [Openswan Users] Questions around Hub and spoke config and
>>> routing using Draytek 28x series
>>> Hi all
>>> Firstly I would like to introduce myself, I'm an IT professional based in
>>> the UK. We have been using OpenSwan for a little while and my questions are
>>> around inter-op.
>>> We are moving towards using Openswan exclusively to connect third parties
>>> and connecting to third party devices.
>>> Recently, I set up a central host hosted with my provider using OpenSwan 2.6
>>> using netkey. I also connected to it via our office Draytek 2820n, which was
>>> simple and easy enough. The routing was straightforward and we can do
>>> simple things like monitoring and SNMP via the tunnel between the 'hub'
>>> office router.
>>> A while later, I setup a 2nd node to another site, this was another linux
>>> using 184.108.40.206 [ stock centos 5.8] with netkey also.
>>> I wanted to route between this new node and our office via the hub, so I
>>> set up the appropriate routes to send traffic to our office node (which is
>>> terminated on the 2820n.)
>>> However, I discovered that the 2820n does not let me route traffic from
>>> the office lan to the new 2nd host via the hub. I raised a call with UK
>>> support who told me this:
>>> "These routers don't support IPSec SA (security association) for multiple IP
>>> over one VPN connection, which means data is dropped/blocked when it
>>> comes from a non associated IP subnet/range ( TCP/IP Network Settings "
>>> You can imagine that I was pretty surprised to hear that - Is this the
>>> case with Open Swan or is this draytek router a piece of crud ? I've not
>>> had time to try out a new hardware OpenSwan box at our office to initiate
>>> the tunnels..
>>> Most of my experience has been with Cisco Pix/ASA with regard to Ipsec,
>>> and Openswan a while back so my understanding is that this *should* work..
>>> Can anyone make any comment or give feedback about this? I'm quite
>>> disappointed that Draytek (support) seem very unhelpful and have made a
>>> pretty good device that lacks this standard functionality - however it
>>> surprises me.
>>> My 2nd question is this.
>>> I have noticed that between my two linux hosts ( and similarly between my
>>> hub OpenSwan device and our office draytek) when the tunnel and routes
>>> appear to be up, sometimes no traffic passes over the tunnel, I have to
>>> manually restart each tunnel instance on the left hand side and have
>>> configured the ipsec config for each site, left and right hand side,
>>> to be 'auto=start'; however in my experience with Cisco ipsec the
>>> endpoints are always up, and if the tunnel drops for some reason, it
>>> restarts when routing traffic is required or triggered via connectivity
>>> Is this normal behaviour or do I need to include some other directive in
>>> config to facilitate this ?
>>> thanks in advance for any reply/feedback.
>>> Users at lists.openswan.org
>>> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>>> Building and Integrating Virtual Private Networks with Openswan:
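An added example, not configuration posted by anyone in this thread, of what the OpenSwan hub side looks like when set up the way Giles describes (every profile on auto=route, DPD with a short timeout on the OpenSwan end) and extended for the spoke-to-spoke routing Daniel is after: each tunnel carries a separate child SA per subnet pair, including the other spoke's subnet, so the hub can forward office traffic on to the second site. All addresses, subnet ranges and conn names are constructed placeholders; DPD intervals are illustrative. The remote end must still accept a selector for the extra subnet, which on a Draytek is the per-profile "more" remote-network option Giles mentions and which Daniel reports did not work on the 2820.

```conf
# /etc/ipsec.conf on the OpenSwan hub (constructed example)
# Assumed layout:
#   hub        203.0.113.1   LANs 10.10.0.0/24 and 10.20.0.0/24
#   office     198.51.100.2  LAN  192.168.1.0/24   (Draytek)
#   site2      198.51.100.3  LAN  192.168.2.0/24   (Linux/OpenSwan)
# Pre-shared keys live in /etc/ipsec.secrets and are not shown here.

config setup
    protostack=netkey
    nat_traversal=yes

conn %default
    authby=secret
    # auto=route installs the kernel (trap) policy at startup and negotiates
    # on the first matching packet; after a tunnel dies it returns to the
    # trap state, so the next packet re-triggers negotiation. auto=start
    # only brings the conn up once when the ipsec service starts.
    auto=route
    # Dead Peer Detection: probe after 30 s of silence, give up after 120 s,
    # then tear down and re-negotiate rather than leave a dead tunnel routed.
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart

# Hub <-> office. leftsubnets= expands into one child SA per hub-side
# subnet (hub LANs plus site2's LAN), so the office can reach site2 via the hub
# without a single SA having to cover several subnets.
conn hub-to-office
    left=203.0.113.1
    leftsubnets={10.10.0.0/24 10.20.0.0/24 192.168.2.0/24}
    right=198.51.100.2
    rightsubnet=192.168.1.0/24

# Hub <-> site2: the mirror image, offering the office LAN toward site2.
conn hub-to-site2
    left=203.0.113.1
    leftsubnets={10.10.0.0/24 10.20.0.0/24 192.168.1.0/24}
    right=198.51.100.3
    rightsubnet=192.168.2.0/24
```

With this in place, `ipsec auto --status` on the hub should list each expanded instance of the two conns in the routed state before any traffic flows, and IP forwarding must be enabled on the hub (`net.ipv4.ip_forward=1`) for the office-to-site2 hop to be passed between the two tunnels. If the peer will not negotiate an SA for the extra subnet, that instance simply never comes up while the others continue to work, which is the symptom to look for when checking whether the remote device honours the additional selector.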