Daniel wrote:

> recently, I set up a central host hosted with my provider using OpenSwan 2.6
> using netkey. I also connected to it via our office Draytek 2820n,
> which was simple and easy enough. The routing was straight forward and we 
> can do simple things like monitoring and SNMP via the tunnel between the 
> 'hub' and office router .

> A while later, I set up a 2nd node at another site; this was another Linux
> host using stock CentOS 5.8 with netkey also.

> I wanted to route between this new node and our office via the hub, so I
> set up the appropriate routes to send traffic to our office node (which is
> terminated on the 2820n.)

> However.. I discovered that the 2820n does not let me route traffic from
> the office lan to the new 2nd host via the hub.  I raised a call with UK
> Draytek support who told me this.

Hi Dan,

we implemented a hub/spoke solution with openswan and drayteks by defining a 
large network on the openswan hub (say and small networks on the 
draytek spokes (10.x.y.0/24 or smaller). This way, all the drayteks will 
route traffic for all other spokes to the hub, since it is included in the 
tunnel definition. The openswan box will then happily route traffic coming 
from one node back to any other. This works perfectly, even with many nodes.

For networks outside this range I have always created a second tunnel 
definition in both the draytek and openswan. I've never been able to get the 
'more' option of the drayteks working (although that might be my own fault; 
it was some time ago that I tried and I didn't try very hard.)

Maybe this helps you,

Best regards,
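As an added illustration of the hub/spoke layout described in the reply above (this is not code from the thread and not anyone's production config): a small POSIX sh helper that checks each spoke subnet lies inside the supernet the Openswan hub advertises, then emits the matching Openswan 2.6 `conn` sections with a `protostack=netkey` setup block. The hub address 203.0.113.10, the supernet 10.0.0.0/8 (the value in the post did not survive, so this is an assumption), the spoke addresses and the helper names `ip4_to_int`, `mask_of`, `in_supernet`, `emit_conn` and `build_config` are all hypothetical.

```shell
#!/bin/sh
# Hypothetical helper, not from the mailing-list thread. It encodes the rule
# from the reply: the hub's leftsubnet is a supernet that contains every
# spoke's /24, so each spoke routes all other spokes' traffic into its tunnel
# and the hub forwards it on. Addresses below are assumed sample values.

HUB_IP=203.0.113.10        # assumed public address of the Openswan hub
HUB_SUPERNET=10.0.0.0/8    # assumed supernet; the real value is not in the post

# Constructed spoke list: "name public_ip lan_subnet" (one spoke per line).
SPOKES="office 198.51.100.5 10.1.0.0/24
site2  198.51.100.9 10.2.0.0/24"

# ip4_to_int A.B.C.D -> unsigned 32-bit integer
ip4_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# mask_of PREFIXLEN -> integer netmask (e.g. 8 -> 4278190080 = 255.0.0.0)
mask_of() {
    if [ "$1" -eq 0 ]; then
        echo 0
    else
        echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
    fi
}

# in_supernet SUBNET/LEN SUPERNET/LEN -> success iff SUBNET is wholly inside SUPERNET
in_supernet() {
    sub_ip=${1%/*}; sub_len=${1#*/}
    sup_ip=${2%/*}; sup_len=${2#*/}
    [ "$sub_len" -ge "$sup_len" ] || return 1
    m=$(mask_of "$sup_len")
    [ $(( $(ip4_to_int "$sub_ip") & m )) -eq $(( $(ip4_to_int "$sup_ip") & m )) ]
}

# emit_setup -> the one-off "config setup" section selecting the netkey stack
emit_setup() {
    cat <<EOF
config setup
    protostack=netkey

EOF
}

# emit_conn NAME SPOKE_PUBLIC_IP SPOKE_SUBNET -> one Openswan conn section.
# leftsubnet is the supernet on every conn, which is what lets spoke-to-spoke
# packets match the outbound policy of the other spoke's tunnel on the hub.
emit_conn() {
    cat <<EOF
conn $1
    left=$HUB_IP
    leftsubnet=$HUB_SUPERNET
    right=$2
    rightsubnet=$3
    authby=secret
    auto=start

EOF
}

# build_config -> prints the hub's ipsec.conf to stdout; fails (status 1) on the
# first spoke whose LAN is outside the supernet, since that spoke would need
# the separate per-network tunnel definition the reply mentions.
build_config() {
    emit_setup
    printf '%s\n' "$SPOKES" | while read -r name ip subnet; do
        [ -n "$name" ] || continue
        if in_supernet "$subnet" "$HUB_SUPERNET"; then
            emit_conn "$name" "$ip" "$subnet"
        else
            echo "spoke $name: $subnet is outside $HUB_SUPERNET; define a second conn on both ends" >&2
            return 1
        fi
    done
}

build_config
```

Only the Openswan side is shown; the Draytek side of each tunnel is configured in its own GUI with the spoke's /24 as the local network and the hub's supernet as the remote network. On the hub, `net.ipv4.ip_forward` must also be set to 1, because spoke-to-spoke traffic is decrypted from one tunnel and re-encrypted into the other by the kernel's forwarding path.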


