[Openswan Users] Hub-and-Spoke routing

Mike C smith.not.western at gmail.com
Mon Feb 25 10:19:37 EST 2013


FYI, My pluto configuration was using the wrong subnet mask for the
spoke (/16, when it should have been /24). Changed that, and the ping
works as expected.

Regards,

Mike

On Mon, Feb 25, 2013 at 12:45 PM, Mike C <smith.not.western at gmail.com> wrote:
> Hi,
>
> I am trying to figure out if it is possible to perform a hub-and-spoke
> ipsec setup where the hub can route traffic between spokes, i.e.
> situations where spokes are NAT'd but the Hub is not, so is reachable
> by all. I'm trying to get A to reach C via B: A->B->C. Using openswan
> 2.6.36, linux 2.6.32.60-grsec with klips.
>
> My attempts to do so locally have failed so far. I have:
>
> Spoke A: 192.168.20.0/24, WAN 1.1.1.1
> Hub     B: 192.168.18.0/24, WAN 2.2.2.2
> Spoke C: 192.168.88.0/24, WAN 3.3.3.3
>
> I created a VPN between the spokes and B using a /16 subnet so traffic
> for C will be routed over the VPN:
>  A-B: 192.168.20.0/24<-->192.168.0.0/16
>  C-B: 192.168.88.0/24<-->192.168.0.0/16
>
> A can ping B and B can ping A.
> C can ping B and B can ping C.
>
> I found the eroute list looked wrong on B (hub). Everything was going
> via the second route. So changed it from (public IPs masked):
>
> # /libexec/ipsec/eroute
> 0          192.168.0.0/16     -> 192.168.20.0/24    => tun0x1012 at 1.1.1.1
> 168        192.168.18.0/24    -> 192.168.0.0/16     => tun0x1001 at 3.3.3.3
>
> to:
>
> # /libexec/ipsec/eroute
> 84         192.168.0.0/16     -> 192.168.20.0/24    => tun0x1012 at 1.1.1.1
> 1103       192.168.0.0/16     -> 192.168.88.0/24    => tun0x1001 at 3.3.3.3
>
> When I try to have A ping C, and run wireshark on C, I see no traffic. As
> far as I can see, the eroute counters on B don't increment at all,
> whereas they did when doing direct A-B, C-B pings.
>
> Routing table for B:
>
> 2.2.2.1 dev ppp0  proto kernel  scope link  src 2.2.2.2
> 192.168.20.0/24 dev ipsec0  scope link  src 192.168.18.254
> 192.168.18.0/24 dev eth0  scope link  src 192.168.18.254
> 192.168.0.0/16 dev ipsec0  scope link  src 192.168.18.254
> 127.0.0.0/8 dev lo  scope link
> default via 2.2.2.1 dev ppp0  src 2.2.2.2
>
> Any ideas as to what is wrong, or if I'm barking up the wrong tree? If
> I'm on the wrong track, can you advise on possible alternatives that I
> could look into?
>
> Thanks,
>
> Mike
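The symptom in the thread (no eroute counter on B increments for A->C traffic) is what you get when no hub selector pair covers both the source spoke and the destination spoke. The following is an added example, not code from the thread or from Openswan: it parses the two `ipsec eroute` listings Mike posted for B into (src, dst) selector pairs and checks which tunnel, if any, the hub would pick for a spoke-to-spoke packet. The matching rule (both selectors must contain the packet, most specific pair wins) is a simplified model assumed here, not KLIPS's actual lookup code; host addresses such as 192.168.20.5 and 192.168.88.5 are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Eroute:
    """One eroute entry: a (src, dst) selector pair and the tunnel it selects."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    tunnel: str


def parse_eroute(line: str) -> Eroute:
    """Parse one line of `ipsec eroute` output in the form quoted in the thread:
    '<packet count> <src> -> <dst> => <tunnel> at <peer>'."""
    fields = line.split()
    _count, src, arrow, dst, fat_arrow, tunnel = fields[:6]
    if arrow != "->" or fat_arrow != "=>":
        raise ValueError(f"unexpected eroute line: {line!r}")
    return Eroute(ipaddress.ip_network(src), ipaddress.ip_network(dst), tunnel)


def parse_table(text: str) -> List[Eroute]:
    """Parse a whole eroute listing, skipping blank lines."""
    return [parse_eroute(l) for l in text.splitlines() if l.strip()]


def select_eroute(table: List[Eroute], src_ip: str, dst_ip: str) -> Optional[Eroute]:
    """Return the entry whose selectors contain both addresses, preferring the
    most specific pair (longest combined prefix). Assumption: a simplified
    model of selector lookup; 'no entry matches' means the packet gets no
    tunnel, which is the behaviour the thread observed."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    candidates = [e for e in table if src in e.src and dst in e.dst]
    if not candidates:
        return None
    return max(candidates, key=lambda e: e.src.prefixlen + e.dst.prefixlen)


def tunnel_for(table: List[Eroute], src_ip: str, dst_ip: str) -> Optional[str]:
    """Tunnel name the hub would use for a packet, or None if it has no policy."""
    e = select_eroute(table, src_ip, dst_ip)
    return e.tunnel if e else None


def uncovered_pairs(table: List[Eroute], spokes: List[str]) -> List[Tuple[str, str]]:
    """List ordered (src spoke, dst spoke) subnet pairs the hub cannot forward,
    probing the first host address of each subnet."""
    missing = []
    for a in spokes:
        for b in spokes:
            if a == b:
                continue
            na, nb = ipaddress.ip_network(a), ipaddress.ip_network(b)
            if select_eroute(table, str(na[1]), str(nb[1])) is None:
                missing.append((a, b))
    return missing


# The two hub (B) listings quoted in the thread, before and after the change.
HUB_BEFORE = parse_table("""
0          192.168.0.0/16     -> 192.168.20.0/24    => tun0x1012 at 1.1.1.1
168        192.168.18.0/24    -> 192.168.0.0/16     => tun0x1001 at 3.3.3.3
""")
HUB_AFTER = parse_table("""
84         192.168.0.0/16     -> 192.168.20.0/24    => tun0x1012 at 1.1.1.1
1103       192.168.0.0/16     -> 192.168.88.0/24    => tun0x1001 at 3.3.3.3
""")
SPOKES = ["192.168.20.0/24", "192.168.88.0/24"]

if __name__ == "__main__":
    # Constructed sample hosts on spoke A and spoke C.
    for name, table in (("before", HUB_BEFORE), ("after", HUB_AFTER)):
        print(name, "A->C:", tunnel_for(table, "192.168.20.5", "192.168.88.5"),
              "C->A:", tunnel_for(table, "192.168.88.5", "192.168.20.5"),
              "uncovered:", uncovered_pairs(table, SPOKES))
```

With the first listing, a packet from A to C matches neither pair (the second entry only covers traffic sourced from the hub's own 192.168.18.0/24), so the hub has no tunnel for it; with the second listing, A->C selects tun0x1001 and C->A selects tun0x1012. The same check applied to a spoke's own policy table is a quick way to catch the /16-versus-/24 mistake Mike reported as the final cause.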
