[Openswan Users] Site-to-site + OpenVPN

Simon Deziel simon at xelerance.com
Thu May 9 13:52:54 UTC 2013


On 13-05-08 07:47 PM, Neal Murphy wrote:
> On Wednesday, May 08, 2013 06:39:05 PM Simon Deziel wrote:
>> Hi,
>>
>> On 13-05-08 05:13 PM, Neal Murphy wrote:
>>> On Wednesday, May 08, 2013 04:02:34 PM Damir Reic wrote:
>>>> Hello,
>>>>
>>>> this is a theoretical question:
>>>>
>>>> Let's say I have 2 servers, an intermediary server and a destination
>>>> OpenVPN server. If I establish a site-to-site VPN with Openswan between
>>>> those 2 servers, can I, let's say, use this tunnel to tunnel OpenVPN
>>>> requests and the whole OpenVPN traffic to the destination server (both
>>>> servers have public IPs)?
>>>
>>> It's not so theoretical. It's basically what certain governments and
>>> militaries do (an encrypted tunnel in an encrypted tunnel using different
>>> technologies); the same fault is not likely to be found in both.
>>>
>>> I believe OpenVPN uses UDP packets (port 1194 by default); it's ordinary
>>> IP traffic. If you set up IPsec with the proper LAN addresses at each
>>> end and use the private (or internal) server address, then it should
>>> work. Don't configure OpenVPN to use the servers' public addresses, and
>>> be sure to use different encryption algorithms.
>>
>> I'd also recommend using transport mode instead of tunnel mode because
>> of the lower overhead in terms of payload.
>
> Good point. Hmmm. Do I understand correctly that tunnel mode encrypts the
> entire original packet and attaches a new header, whereas transport mode
> encrypts only the original packet's data but uses the original header?

Yes, that's it. Cisco provides nice graphics showing the difference
(figure 3):
http://www.ciscopress.com/articles/article.asp?p=25477

> Does transport mode work when using private addresses?

No, transport mode requires public IPs on both sides as the IP header is
reused and the source/destination addresses are unaltered from the
original packet.
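As an added illustration of the two setups discussed in this thread (not from the original thread or from the Openswan project): an Openswan `ipsec.conf` fragment with the tunnel-mode conn Neal describes (LAN addresses behind each gateway, OpenVPN bound to an internal address) beside the transport-mode conn Simon recommends (public addresses in the reused IP header, the SA restricted to OpenVPN's UDP/1194). The addresses are constructed from the RFC 5737 documentation ranges and the cipher choices are assumptions.

```ini
# Added example, not from the thread: two ways to carry OpenVPN inside
# an Openswan IPsec connection. All addresses are constructed.

# Option 1, tunnel mode: the whole original packet is encrypted and a
# new outer header with the public addresses is added. OpenVPN on the
# destination binds to its internal address (e.g. 10.2.0.1) and the
# intermediary reaches it through the tunnel, so private addressing works.
conn ovpn-over-ipsec-tunnel
        type=tunnel
        left=192.0.2.10          # intermediary server, public IP (constructed)
        leftsubnet=10.1.0.0/24   # its LAN (constructed)
        right=198.51.100.20      # destination OpenVPN server, public IP (constructed)
        rightsubnet=10.2.0.0/24  # its LAN (constructed)
        authby=secret
        ike=aes256-sha1;modp2048 # assumed choice; keep it distinct from OpenVPN's cipher
        phase2alg=aes256-sha1
        pfs=yes
        auto=start

# Option 2, transport mode: the original IP header is reused, so both
# endpoints must talk to each other's public address; only the UDP payload
# is encrypted, which is the lower overhead Simon mentions. Limiting the
# SA to UDP/1194 leaves unrelated host-to-host traffic outside IPsec.
# OpenVPN's default local port is also 1194 (unless --nobind is used),
# so both selectors can name the port.
conn ovpn-over-ipsec-transport
        type=transport
        left=192.0.2.10
        leftprotoport=17/1194    # 17 = UDP, 1194 = OpenVPN default port
        right=198.51.100.20
        rightprotoport=17/1194
        authby=secret
        ike=aes256-sha1;modp2048
        phase2alg=aes256-sha1
        pfs=yes
        auto=start
```

On the OpenVPN side, `remote` points at 198.51.100.20 for the transport-mode conn or at the destination's internal address for the tunnel-mode conn, and the OpenVPN cipher should come from a different family than the IPsec one, as Neal suggests.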
