[Openswan Users] Multi site from scratch config

Neal Murphy neal.p.murphy at alum.wpi.edu
Mon May 20 23:53:52 UTC 2013


On Monday, May 20, 2013 07:07:45 PM Gary Smith wrote:
> Hello,
> 
> I'm writing this because I've run into a few roadblocks and had issues
> with some of the configurations.  Sometimes what I have in place works for
> some nodes, other times it does not work at all.  All of my machines are
> virtualized (to include the VPN routers) and I'm looking to start from
> scratch.
> 
> So I'm looking for some advice, pointers, full config files (minus the keys
> of course) to setup the following:
> 
> I have 5 locations and they are:
> 
> A. Primary colo, ipv4, ipv6
>   1.1.1.0/24
>   10.40.0.0/16
> B. Backup virtual instance, ipv4, ipv6
>   2.2.2.2/32
>   10.160.0.0/24
> C. Office, DHCP ipv4, ipv6 over tunnel broker
>   10.80.0.0/24
> D. Home Office, DHCP ipv4, ipv6 over tunnel broker
>   10.80.1.0/24
> E. Home Office, DHCP ipv4, ipv6 over tunnel broker
>   10.80.2.0/24
> 
> ...
>
> Given that, what's the best approach for generating a brand new secure
> openswan network?

Need more data.
  - Post the internet-to-server equipment 'paths'; mostly, we need to know
    if/where there is NAT in the path.
  - What's the overall config; is it a star? full graph? Ring? (Most likely
    star, but it should be stated.)
  - Does each site need to access every other site?

Openswan generally just works. But it can be a bother until you figure out how 
to specify each private LAN so their traffic is allowed (grabbed and pushed) 
through the VPN(s).

Generally speaking (when traversing the internet; leased lines are different), 
left/right are always the public IP addresses, leftsourceip/rightsourceip are 
the private public-facing IPs behind NAT, and leftsubnet/rightsubnet are the 
LANs accessible from that endpoint. Also need to be certain that you are using 
the same encryption methods at each end. And be leery of compression.

Assuming a star config, the basic addressing should look like:

A-to-B
	left=1.1.1.1
	leftsubnet=10.40.0.0/16
	right=2.2.2.2
	rightsubnet=10.160.0.0/24

# Assume C has no NAT in the path
A-to-C
	left=1.1.1.1
	# These are the LANs reachable from A. Openswan takes a list of subnets
	# as leftsubnets={...}, space-separated; a comma-separated leftsubnet=
	# is not accepted. D's and E's LANs must be listed in full (no /22
	# aggregate), otherwise C's own LAN would be pulled into this tunnel.
	leftsubnets={10.40.0.0/16 10.160.0.0/24 10.80.1.0/24 10.80.2.0/24}
	right=<public IP>
	# This is the LAN reachable from C
	rightsubnet=10.80.0.0/24

# Assume D *has* NAT in the path
A-to-D
	left=1.1.1.1
	# These are the LANs reachable from A
	leftsubnets={10.40.0.0/16 10.160.0.0/24 10.80.0.0/24 10.80.2.0/24}
	right=<public IP>
	rightsourceip=<private internet-facing IP>
	# This is the LAN reachable from D
	rightsubnet=10.80.1.0/24
	# In left's (A's) config, since the NATted server must start the VPN.
	# The keyword is auto=, not start=.
	auto=add
	# In right's (D's) config, since it must start the conn
	auto=start

Note that either side can start A-to-D *IF* you forward ports 500 and 4500 to 
the internal server. Port 500 (and maybe 4500, unless the NAT is Linux and 
netfilter's IPsec conntrack helper works) must be allowed out at site D.

Correct any mistakes I've made. This should get you started.
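The reply above gives the addressing for two of the five tunnels by hand. The
following script is an added example for this thread, not code from the
original post or from the Openswan project: it generates the hub-side (A)
and spoke-side conn blocks for the whole star from a site table, computing
the "every other LAN" list for each spoke so nobody's own LAN ends up in its
own tunnel, and switching between auto=add (A waits for a DHCP/NATted spoke)
and auto=start (A can dial static B). The site tags, the @site-<tag> IDs, the
rsasig choice, the algorithms and the DPD values are assumptions made here;
the RSA keys are left out as in the original request.

```shell
#!/bin/sh
# Added example, not code from the original post or the Openswan project:
# emits the ipsec.conf conn blocks for the star above (A hub; B static;
# C on DHCP; D and E on DHCP behind NAT). Site tags, @site-<tag> IDs,
# algorithms and liveness values are assumptions made here; keys are omitted.

HUB_TAG=a
HUB_IP=1.1.1.1
HUB_LAN=10.40.0.0/16

# Constructed site table: tag, address as seen from A, LAN. A spoke on DHCP
# or behind NAT has no address A can rely on: %any, and the spoke initiates.
SITES='b 2.2.2.2 10.160.0.0/24
c %any 10.80.0.0/24
d %any 10.80.1.0/24
e %any 10.80.2.0/24'

# other_subnets TAG: hub LAN plus every spoke LAN except TAG's own. This is
# the set A must grab and push into the tunnel to TAG; TAG's own LAN must
# not appear in it, or traffic for TAG is black-holed.
other_subnets() {
    printf '%s' "$HUB_LAN"
    printf '%s\n' "$SITES" | while read -r tag addr lan; do
        [ "$tag" = "$1" ] || printf ' %s' "$lan"
    done
    printf '\n'
}

# Settings that must be identical on both ends of every tunnel.
common_opts() {
    cat <<'EOF'
    authby=rsasig
    ike=aes128-sha1;modp2048
    phase2alg=aes128-sha1
    pfs=yes
    compress=no
    dpddelay=30
    dpdtimeout=120
EOF
}

# hub_conn TAG ADDR LAN: A's side of the A-to-TAG tunnel.
hub_conn() {
    if [ "$2" = "%any" ]; then
        # Peer address unknown: load and wait; on DPD failure just clear the
        # SA and let the spoke come back rather than dialling a stale address.
        extra='    auto=add
    rekey=no
    dpdaction=clear'
    else
        extra='    auto=start
    keyingtries=%forever
    dpdaction=restart'
    fi
    cat <<EOF
conn ${HUB_TAG}-to-$1
    left=${HUB_IP}
    leftid=@site-${HUB_TAG}
    leftsubnets={$(other_subnets "$1")}
    right=$2
    rightid=@site-$1
    rightsubnet=$3
    # leftrsasigkey= / rightrsasigkey= go here ('ipsec showhostkey' output)
$(common_opts)
${extra}

EOF
}

# spoke_conn TAG ADDR LAN: the matching conn for TAG's own ipsec.conf.
# %defaultroute picks up the DHCP address (the private one behind NAT).
spoke_conn() {
    addr=$2; [ "$addr" = "%any" ] && addr=%defaultroute
    cat <<EOF
conn $1-to-${HUB_TAG}
    left=${addr}
    leftid=@site-$1
    leftsubnet=$3
    right=${HUB_IP}
    rightid=@site-${HUB_TAG}
    rightsubnets={$(other_subnets "$1")}
$(common_opts)
    dpdaction=restart
    auto=start
EOF
}

# gen_hub_conf: a complete ipsec.conf for A (NAT-T needed for D and E).
gen_hub_conf() {
    printf 'version 2.0\n\nconfig setup\n    protostack=netkey\n    nat_traversal=yes\n\n'
    printf '%s\n' "$SITES" | while read -r tag addr lan; do
        hub_conn "$tag" "$addr" "$lan"
    done
}

case "${1:-}" in              # sh gen-star.sh hub > ipsec.conf      (on A)
    hub)   gen_hub_conf ;;    # sh gen-star.sh spoke d > ipsec.conf  (on D)
    spoke) printf '%s\n' "$SITES" | grep "^${2:-} " | while read -r tag addr lan; do spoke_conn "$tag" "$addr" "$lan"; done ;;
esac
```

Two design points worth knowing. First, the %any peers are authenticated
with RSA keys rather than a PSK: with several road-warrior style conns
sharing right=%any, a pre-shared key cannot be selected per peer, while
rightid= plus rightrsasigkey= picks the correct conn for D versus E. Second,
the three office LANs are deliberately not aggregated into 10.80.0.0/22,
because A's leftsubnets for D must exclude D's own 10.80.1.0/24. After
loading, `ipsec auto --status` on A should show one instance of a-to-d per
subnet pair, and `ip xfrm policy` on A should list a policy for every
(hub or spoke LAN) to 10.80.1.0/24 pair once D has brought the tunnel up.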
