[Openswan Users] Hub-and-Spoke routing
Neal Murphy
neal.p.murphy at alum.wpi.edu
Mon Feb 25 17:05:16 EST 2013
On Monday, February 25, 2013 07:45:08 AM Mike C wrote:
> Any ideas as to what is wrong, or if I'm barking up the wrong tree? If
> I'm on the wrong track, can you advise on possible alternatives that I
> could look into?

Since you mention NAT, I assume A, B and C are firewalls.

As an illustration, if you have only one subnet each at sites A and C, you can
set up A and C with B's subnet as 0.0.0.0 (you may need 0.0.0.0/31 and
128.0.0.0/31 before a certain openswan release). This will force all non-local
traffic through the VPNs; hub B will route traffic for A and C through their
respective tunnels and send all other traffic to the internet.

Contrast that with setting up A-B with B's subnet including C's, and setting
up C-B with B's subnet including A's. Now only private traffic is routed
through the VPNs and all internet traffic goes through the nearest gateway.

As I said, it should illustrate the effect subnets have on IPSEC, even if it
doesn't exactly apply to your situation.
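
The two setups contrasted in the reply above, modelled as an added example that is not part of the original post and is not openswan code. The site addresses, function names and hop labels are constructed for illustration, and "B's subnet including C's" is modelled as a list of remote selectors rather than a single supernet.

```python
import ipaddress

# Constructed addressing plan; the post gives no addresses.
SITE_A = ipaddress.ip_network("10.1.0.0/24")
HUB_B = ipaddress.ip_network("10.2.0.0/24")
SITE_C = ipaddress.ip_network("10.3.0.0/24")

# What spoke A is told lies behind hub B in each setup.
FULL_TUNNEL = [ipaddress.ip_network("0.0.0.0/0")]  # B's subnet as 0.0.0.0
PRIVATE_ONLY = [HUB_B, SITE_C]                     # B's subnet including C's


def spoke_decision(local_net, remote_selectors, dst):
    """Return 'local', 'tunnel' or 'direct' for a packet leaving a spoke."""
    addr = ipaddress.ip_address(dst)
    if addr in local_net:
        return "local"            # stays on the spoke's own LAN
    if any(addr in sel for sel in remote_selectors):
        return "tunnel"           # matches the tunnel's remote subnet
    return "direct"               # no match: leaves via the nearest gateway


def hub_decision(dst):
    """What hub B does with a packet that arrived through a tunnel."""
    addr = ipaddress.ip_address(dst)
    if addr in SITE_A:
        return "B:tunnel-to-A"
    if addr in SITE_C:
        return "B:tunnel-to-C"
    if addr in HUB_B:
        return "B:local"
    return "B:internet"


def trace_from_a(remote_selectors, dst):
    """List the hops a packet from site A takes towards dst."""
    first = spoke_decision(SITE_A, remote_selectors, dst)
    if first == "local":
        return ["A:local"]
    if first == "direct":
        return ["A:nearest-gateway"]
    return ["A:tunnel-to-B", hub_decision(dst)]


if __name__ == "__main__":
    # 198.51.100.7 is a documentation address standing in for an internet host.
    for name, selectors in (("full", FULL_TUNNEL), ("private", PRIVATE_ONLY)):
        for dst in ("10.1.0.5", "10.2.0.9", "10.3.0.10", "198.51.100.7"):
            print(name, dst, " -> ".join(trace_from_a(selectors, dst)))
```
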