[Openswan Users] Site-to-site + OpenVPN

Neal Murphy neal.p.murphy at alum.wpi.edu
Wed May 8 23:47:24 UTC 2013


On Wednesday, May 08, 2013 06:39:05 PM Simon Deziel wrote:
> Hi,
> 
> On 13-05-08 05:13 PM, Neal Murphy wrote:
> > On Wednesday, May 08, 2013 04:02:34 PM Damir Reic wrote:
> >> Hello,
> >> 
> >> this is a theoretical question:
> >> 
> >> Let's say I have 2 servers, an intermediary server and a destination
> >> OpenVPN server. If I establish a site-to-site VPN with Openswan between
> >> those 2 servers, can I, let's say, use this tunnel to tunnel OpenVPN
> >> requests and the whole OpenVPN traffic to the destination server (both
> >> servers have public IPs)?
> > 
> > It's not so theoretical. It's basically what certain governments and
> > militaries do (an encrypted tunnel in an encrypted tunnel using different
> > technologies); the same fault is not likely to be found in both.
> > 
> > I believe OpenVPN uses UDP packets (port 1194 by default); it's ordinary
> > IP traffic. If you set up IPSEC with the proper LAN addresses at each
> > end and use the private (or internal) server address, then it should
> > work. Don't configure OpenVPN to use the servers' public addresses, and
> > be sure to use different encryption algorithms.
> 
> I'd also recommend using transport mode instead of tunnel mode because
> of the lower overhead in terms of payload.

Good point. Hmmm. Do I understand correctly that tunnel mode encrypts the 
entire original packet and attaches a new header, whereas transport mode 
encrypts only the original packet's data but uses the original header? Does 
transport mode work when using private addresses?

Were it my system, were I going to the trouble of using tunnel-in-tunnel, and 
were the overhead not an issue, I'd want both tunnels to be fully encrypted. 
(I'm not a trusting sort.)

N
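A worked configuration for the arrangement discussed in this thread, added here as an example and not taken from the original posters or from the Openswan or OpenVPN projects: an Openswan tunnel-mode connection between the two gateways' public addresses that carries their LAN subnets, the transport-mode alternative Simon suggests, and an OpenVPN server and client bound to the internal addresses so that the OpenVPN session rides inside ESP. Every address, subnet, file name and the shared secret are assumptions chosen for illustration. Two points a practitioner should keep in mind when applying the advice above: transport mode protects only traffic whose source and destination are the IPsec peers themselves (it saves the outer IPv4 header that tunnel mode adds), so with transport mode OpenVPN would have to bind to the gateways' public addresses rather than the private ones, which is the opposite of what Neal recommends; tunnel mode with leftsubnet/rightsubnet is what lets OpenVPN bind to an internal address. And to follow the "different encryption algorithms" advice, the IPsec layer below uses AES-256 while the OpenVPN layer uses Camellia-256, which only works if `openvpn --show-ciphers` lists that cipher on both ends.

```conf
# --- /etc/ipsec.conf on both gateways (Openswan) ---
# Hypothetical addressing: gateway A is 198.51.100.10 with LAN 10.1.0.0/24,
# gateway B is 203.0.113.20 with LAN 10.2.0.0/24. Both have public IPs.
config setup
    protostack=netkey

conn a-to-b
    type=tunnel                     # ESP tunnel mode: whole inner packet encrypted,
                                    # new outer IP header between the public addresses
    authby=secret
    ike=aes256-sha2_256;modp2048    # IKE (phase 1) proposal
    phase2alg=aes256-sha2_256;modp2048   # ESP (phase 2) proposal plus PFS group
    pfs=yes
    left=198.51.100.10
    leftsubnet=10.1.0.0/24          # LAN behind A: this is what OpenVPN will bind to
    right=203.0.113.20
    rightsubnet=10.2.0.0/24         # LAN behind B
    auto=start

# Transport-mode variant (Simon's suggestion): no outer IP header, so less
# overhead per packet, but ESP then protects only traffic between the two
# gateway addresses themselves. OpenVPN would have to use the public
# addresses, so this conflicts with the "private addresses only" advice.
conn a-to-b-transport
    type=transport
    authby=secret
    ike=aes256-sha2_256;modp2048
    phase2alg=aes256-sha2_256
    left=198.51.100.10
    right=203.0.113.20
    auto=ignore                     # left disabled; use instead of a-to-b if you choose transport

# --- /etc/ipsec.secrets on both gateways (mode 0600, owned by root) ---
198.51.100.10 203.0.113.20 : PSK "replace-with-a-long-random-shared-secret"

# --- /etc/openvpn/server.conf on gateway B (internal address 10.2.0.1) ---
local 10.2.0.1                      # bind to the address inside rightsubnet, never the public IP
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0       # OpenVPN's own tunnel network, distinct from both LANs
cipher CAMELLIA-256-CBC             # deliberately not AES, to differ from the IPsec layer;
                                    # must appear in `openvpn --show-ciphers` on both ends
auth SHA256
keepalive 10 60
persist-key
persist-tun

# --- /etc/openvpn/client.conf on gateway A (internal address 10.1.0.1) ---
client
remote 10.2.0.1 1194                # B's internal address: Openswan routes it into the ESP tunnel
local 10.1.0.1                      # source from A's internal address so the packet matches leftsubnet
proto udp
dev tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
cipher CAMELLIA-256-CBC
auth SHA256
```

To bring it up, start Openswan (`ipsec auto --up a-to-b` if `auto=start` has not already done so) and confirm the SA with `ipsec auto --status` before starting OpenVPN. The check that matters is on the wire: `tcpdump -ni eth0 host 203.0.113.20` on gateway A should show only ESP between the two public addresses. If any UDP port 1194 datagrams show up in the clear, either OpenVPN bound to a public address or the IPsec SA is not established, and the OpenVPN handshake is running outside the IPsec tunnel.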