[Openswan Users] New OpenSwan User - Hub and Spoke questions

Willie Gillespie wgillespie+openswan at es2eng.com
Fri Oct 19 02:16:03 EDT 2012


My notes and thoughts are inline below.

On 10/18/2012 11:19 PM, Ty Purcell wrote:
> 1. Spokes route all traffic through VPN Hub.
> 2. VPN Hub routes traffic from 10.1.y.0/24 to destination 10.1.x.0/24 net via proper VPN tunnel.
> 3. VPN hub routes traffic from 10.1.x.0/24 to internet when destination is public ip.
> 4. Should rightsourceip / leftsourceip be used?
Depends on whether there is more than one IP assigned to the local machine. 
Openswan may have a hard time figuring out which IP address to use for 
itself when it wants to talk inside the tunnel.

> 5. What should the "left" value on the spoke be? the internal ip (ex. 10.1.1.1) or the public address?
Left and right should be set as things would be seen by the local 
machine.  Are you using NAT for the client?  If it's all public IPs, 
just always use the public IPs for left/right.
** If you are using NAT, then use a local IP for yourself and the public 
IP for the other side. **
Since you said the server had a public IP, then just use public IPs for 
both left and right on your server.  (If one side is dynamic, you'll 
have to use %any for the dynamic half.)

> 6. Does a virtual ip (private) get created on the server?  Currently running KLIPS ipsec0 gets assigned the public ip of the server.
No.

> -----------------------
> vpnconnection.conf - client
>
> conn VPN
>          type=tunnel
>          auto=add
>          left=10.1.1.1
Okay, so left in this conn is the client.  10.1.1.1 is the local IP. 
This looks correct.
>          leftsubnet=10.1.1.0/24
And will route the whole subnet through the tunnel.
>          #leftnexthop=%defaultroute
>          #note public ip of GW
>          right=xxx.xxx.xxx.xxx
>          #note - 0.0.0.0/0 to force routing of all traffic to Gateway
>          rightsubnet=0.0.0.0/0
On the other side of the tunnel is everything (0.0.0.0/0).  Looks fine.
>          #rightnexthop=%default
>          #ikev2=insist
>          #keyingtries=5
>          #rekeymargin=2m
>          authby=secret
>          pfs=no
Any particular reason you aren't enforcing PFS?
>          ike=aes-sha1;modp1024!
>          phase2alg=aes-sha1;modp1024
>          aggrmode=no
>
>
> -------------------------
>
> vpnconnection.conf - server
>
> conn VPN
>          type=tunnel
>          auto=add
>          #Note: Public IP of GW
>          left=xxx.xxx.xxx.xxx
>          leftsubnet=10.250.250.0/24
Where does this subnet come from?
>          #leftnexthop=%defaultroute
>          right=10.1.1.1
So this should either be the public IP of the client, or if 10.1.1.1 is 
actually accessible by the server then it's fine as is.
>          rightsubnet=10.1.1.0/24
Subnets match, so it knows what to route.
>          #rightnexthop=%default
>          #ikev2=insist
>          #keyingtries=5
>          #rekeymargin=2m
>          authby=secret
>          pfs=no
>          ike=aes-sha1;modp1024!
>          phase2alg=aes-sha1;modp1024
>          aggrmode=no


I'd be curious to see your log files after a connection attempt.  You 
are saying that part is working?  IPsec SA established?

Any packet filtering happening with iptables or similar?
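The review points made above against the two conn sections (mirrored left/right and subnet values, a private address used as the hub's peer, pfs=no, and the modp1024 groups) can be turned into a mechanical consistency check. The following is an added example and not part of the thread or of Openswan itself; it parses the two ipsec.conf-style sections from the thread (reconstructed inline, with the elided public address replaced by the documentation-range placeholder 203.0.113.10) and reports the mismatches a reviewer would flag. The function names `parse_conns` and `check_pair` are the example's own.

```python
import ipaddress

# Constructed sample input modelled on the spoke (client) conn from the thread.
# The thread's "xxx.xxx.xxx.xxx" is replaced by a documentation-range
# placeholder standing in for the gateway's public IP.
CLIENT_CONF = """\
conn VPN
         type=tunnel
         auto=add
         left=10.1.1.1
         leftsubnet=10.1.1.0/24
         # placeholder for the public IP of the gateway
         right=203.0.113.10
         # 0.0.0.0/0 to force routing of all traffic to the gateway
         rightsubnet=0.0.0.0/0
         authby=secret
         pfs=no
         ike=aes-sha1;modp1024!
         phase2alg=aes-sha1;modp1024
         aggrmode=no
"""

# Constructed sample input modelled on the hub (server) conn from the thread.
SERVER_CONF = """\
conn VPN
         type=tunnel
         auto=add
         left=203.0.113.10
         leftsubnet=10.250.250.0/24
         right=10.1.1.1
         rightsubnet=10.1.1.0/24
         authby=secret
         pfs=no
         ike=aes-sha1;modp1024!
         phase2alg=aes-sha1;modp1024
         aggrmode=no
"""


def parse_conns(text):
    """Parse ipsec.conf-style 'conn NAME' sections into {name: {key: value}}.

    Comments (# to end of line) and blank lines are ignored; a key=value
    line belongs to the most recent 'conn' header.
    """
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns


def _is_private_host(addr):
    """True for an RFC 1918-style address; False for %any/%defaultroute or a public IP."""
    try:
        return ipaddress.ip_address(addr).is_private
    except ValueError:
        return False


def check_pair(client, server):
    """Return review findings for one spoke (client) conn and its hub (server) conn.

    The two sides describe the same tunnel from opposite ends, so the spoke's
    'left' values must equal the hub's 'right' values and vice versa.
    """
    findings = []
    # 1. Peer addresses must mirror each other, unless a side is %any (dynamic peer).
    if server.get("right") not in ("%any", client.get("left")):
        findings.append(f"hub right={server.get('right')} does not match spoke left={client.get('left')}")
    if client.get("right") not in ("%any", server.get("left")):
        findings.append(f"spoke right={client.get('right')} does not match hub left={server.get('left')}")
    # 2. A private address as the hub's peer only works if the hub can actually reach it.
    if _is_private_host(server.get("right", "")):
        findings.append(f"hub right={server['right']} is a private address; use the spoke's public IP "
                        "(or %any if it is dynamic) unless it is reachable from the hub")
    # 3. Subnets must mirror too, or the traffic selectors of the two ends will not agree.
    if client.get("leftsubnet") != server.get("rightsubnet"):
        findings.append(f"spoke leftsubnet={client.get('leftsubnet')} != hub rightsubnet={server.get('rightsubnet')}")
    if client.get("rightsubnet") != server.get("leftsubnet"):
        findings.append(f"spoke rightsubnet={client.get('rightsubnet')} != hub leftsubnet={server.get('leftsubnet')}")
    # 4. Settings that weaken the tunnel on either end.
    for side, conn in (("spoke", client), ("hub", server)):
        if conn.get("pfs", "yes").lower() == "no":
            findings.append(f"{side}: pfs=no disables Perfect Forward Secrecy")
        for key in ("ike", "phase2alg"):
            if "modp1024" in conn.get(key, ""):
                findings.append(f"{side}: {key} uses modp1024 (1024-bit DH group, weak by current standards)")
        if conn.get("aggrmode", "no").lower() == "yes":
            findings.append(f"{side}: aggrmode=yes with a PSK exposes the identity hash to offline guessing")
    return findings


if __name__ == "__main__":
    spoke = parse_conns(CLIENT_CONF)["VPN"]
    hub = parse_conns(SERVER_CONF)["VPN"]
    for finding in check_pair(spoke, hub):
        print(" -", finding)
```

Run against the two sections as posted, the checker reproduces the review: the hub's leftsubnet=10.250.250.0/24 does not mirror the spoke's rightsubnet=0.0.0.0/0, the hub's right=10.1.1.1 is a private address, and both ends disable PFS and use modp1024. Replacing the hub's leftsubnet with 0.0.0.0/0, its right with %any, and moving both ends to pfs=yes with a larger DH group leaves no findings.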
