[Openswan Users] New OpenSwan User - Hub and Spoke questions

Ty Purcell tcp97b at yahoo.com
Fri Oct 19 01:19:48 EDT 2012


Hi all,

I know the basic concepts of VPNs, and over the last five days have been trying to soak up OpenSwan, but now I have some questions. I am trying to set up a hub-and-spoke configuration with all spokes sending all traffic to the hub for routing to other spokes or to the Internet as appropriate. I have been able to get a tunnel up from one spoke to the hub, but haven't been able to get a ping back from the hub. The hub has only one interface, the public IP address.

This is a basic outline of what I'm looking for, and some questions I had from reading the mailing list archives.

1. Spokes route all traffic through the VPN hub.
2. The VPN hub routes traffic from 10.1.y.0/24 to destination 10.1.x.0/24 via the proper VPN tunnel.
3. The VPN hub routes traffic from 10.1.x.0/24 to the Internet when the destination is a public IP.
4. Should rightsourceip / leftsourceip be used?
5. What should the "left" value on the spoke be? The internal IP (e.g. 10.1.1.1) or the public address?
6. Does a virtual (private) IP get created on the server? Currently, running KLIPS, ipsec0 gets assigned the public IP of the server.

This is what I *think* I'm looking for:

                                  Internet
                                      |
10.1.1.0/24--10.1.1.1/%any--[PublicIP/VPNGateway]--%any/10.1.2.1--10.1.2.0/24
					
(hope that makes sense)


Notes on the configuration. I am currently using KLIPS because the FW/router that we will be using is running KLIPS. I am currently testing tunnels from a Linux system. I don't know if I have to run KLIPS on the gateway; I can run NETKEY just as easily. I also don't know what to use for leftsubnet in the gateway config, since the GW has only one interface/IP, the public one. I could only get the tunnel up by specifying a specific rightsubnet of 10.1.1.0/24. Since I will have more than one spoke, how can I configure that? I tried 10.1.0.0/16, but the tunnel would not connect.


Configs:
--------------------------

ipsec.conf - client and gateway

config setup
        dumpdir=/var/run/pluto/
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
        oe=off
        # KLIPS, because the production FW/router runs it
        protostack=klips
        interfaces=%defaultroute

include /etc/ipsec.d/*.conf


-----------------------
vpnconnection.conf - client

conn VPN
        type=tunnel
        auto=add
        # spoke gateway's internal address
        left=10.1.1.1
        leftsubnet=10.1.1.0/24
        #leftnexthop=%defaultroute
        # note: public IP of GW
        right=xxx.xxx.xxx.xxx
        # note: 0.0.0.0/0 to force routing of all traffic to the gateway
        rightsubnet=0.0.0.0/0
        #rightnexthop=%defaultroute
        #ikev2=insist
        #keyingtries=5
        #rekeymargin=2m
        authby=secret
        pfs=no
        ike=aes-sha1;modp1024!
        phase2alg=aes-sha1;modp1024
        aggrmode=no


-------------------------

vpnconnection.conf - server

conn VPN
        type=tunnel
        auto=add
        # note: public IP of GW
        left=xxx.xxx.xxx.xxx
        leftsubnet=10.250.250.0/24
        #leftnexthop=%defaultroute
        # spoke gateway's internal address
        right=10.1.1.1
        rightsubnet=10.1.1.0/24
        #rightnexthop=%defaultroute
        #ikev2=insist
        #keyingtries=5
        #rekeymargin=2m
        authby=secret
        pfs=no
        ike=aes-sha1;modp1024!
        phase2alg=aes-sha1;modp1024
        aggrmode=no


I hope this makes sense. Thank you in advance for any help.


Ty 
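The following is an added example, not part of the original post and not the Openswan project's own code. It generates the hub side of the hub-and-spoke layout the post describes (one conn per spoke, all sharing leftsubnet=0.0.0.0/0 so the hub's own public address is covered by the policy), a matching spoke conn that answers the leftsourceip question, and the forwarding/NAT rules the hub needs for spoke-to-spoke and spoke-to-Internet traffic. The hub address 203.0.113.10, the interface name eth0, the "@spokeN" identities and the 10.1.0.0/16 supernet are assumptions; PSK authentication and the NETKEY stack on the hub are assumed as well.

```shell
#!/bin/sh
# Added example, not from the original post or the Openswan project.
# Assumptions: hub public address 203.0.113.10 (documentation range), the
# hub's only interface is eth0, spokes carry "@spokeN" IDs, PSK auth, NETKEY.

HUB_IP="203.0.113.10"          # assumed hub address
HUB_WAN_IF="eth0"              # assumed name of the hub's only interface
SPOKE_SUPERNET="10.1.0.0/16"   # assumed: every spoke LAN lives inside this

# Hub ipsec.conf fragment. Reads "name subnet" pairs from stdin and emits one
# conn per spoke. leftsubnet=0.0.0.0/0 lets spokes send everything through the
# hub and also covers the hub's own public IP, so packets the hub originates
# (e.g. ping to a spoke) match the policy. Each conn is told apart by rightid
# and rightsubnet because right=%any (spokes arrive from dynamic/NATed addresses).
gen_hub_conf() {
    cat <<EOF
conn %default
        type=tunnel
        auto=add
        authby=secret
        ike=aes-sha1;modp1024!
        phase2alg=aes-sha1;modp1024
        pfs=no
        left=$HUB_IP
        leftsubnet=0.0.0.0/0
        right=%any
EOF
    while read -r name subnet; do
        [ -n "$name" ] || continue
        printf '\nconn %s\n        rightid=@%s\n        rightsubnet=%s\n' \
            "$name" "$name" "$subnet"
    done
}

# Spoke ipsec.conf fragment: $1 spoke name, $2 spoke LAN, $3 spoke gateway's
# LAN address. leftsourceip makes traffic the spoke gateway itself originates
# use its LAN address, so it falls inside leftsubnet and goes through the
# tunnel instead of leaving unprotected from the public address.
gen_spoke_conf() {
    cat <<EOF
conn VPN
        type=tunnel
        auto=start
        authby=secret
        ike=aes-sha1;modp1024!
        phase2alg=aes-sha1;modp1024
        pfs=no
        leftid=@$1
        left=%defaultroute
        leftsubnet=$2
        leftsourceip=$3
        right=$HUB_IP
        rightsubnet=0.0.0.0/0
EOF
}

# Hub kernel/firewall commands. Under NETKEY, spoke-to-spoke and Internet
# traffic leave through the same interface, so IPsec-bound packets are
# exempted from MASQUERADE before the Internet-bound rule; otherwise their
# source would be rewritten and they would no longer match any tunnel policy.
hub_forwarding_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -A FORWARD -s $SPOKE_SUPERNET -j ACCEPT
iptables -A FORWARD -d $SPOKE_SUPERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $SPOKE_SUPERNET -m policy --dir out --pol ipsec -j ACCEPT
iptables -t nat -A POSTROUTING -s $SPOKE_SUPERNET -o $HUB_WAN_IF -j MASQUERADE
EOF
}

# Demo with two constructed spokes (sample input, not from the post).
printf 'spoke1 10.1.1.0/24\nspoke2 10.1.2.0/24\n' | gen_hub_conf
gen_spoke_conf spoke1 10.1.1.0/24 10.1.1.1
hub_forwarding_rules
```

Two caveats a practitioner will hit with this shape: with right=%any and authby=secret in main mode, the hub only learns the peer's ID after the PSK has been used, so ipsec.secrets needs a single `203.0.113.10 %any : PSK "..."` line shared by every spoke; per-spoke credentials require authby=rsasig with a leftrsasigkey/rightrsasigkey pair per conn. Under KLIPS the `-m policy` match never fires, but the exemption is harmless there: spoke-bound traffic is routed out ipsec0, and what the eth0 MASQUERADE rule sees afterwards is the ESP packet sourced from the hub's own address.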

