[Openswan Users] Multi site from scratch config

Gary Smith gary.smith at holdstead.com
Tue May 21 17:52:25 UTC 2013


> Need more data.
>   - Post the internet-to-server equipment 'paths'; mostly, we need to know
>     if/where there is NAT in the path.

All openswan servers will be on the perimeter firewalls.

>   - What's the overall config; is it a star? full graph? Ring? (Most likely
>     star, but it should be stated.)

Star
>   - Does each site need to access every other site?
> 

Generally, we prefer that there is complete access to/all sites.  One of the remote offices (mine) will get a dump of all of the backups (databases, etc) in any event, one of the remote sites will have to be accessible from A and B.

> Openswan generally just works. But it can be a bother until you figure out
> how to specify each private LAN so their traffic is allowed (grabbed and
> pushed) through the VPN(s).
> 
> Generally speaking (when traversing the internet; leased lines are
> different), left/right are always the public IP addresses,
> leftsourceip/rightsourceip are the private public-facing IPs behind NAT, and
> leftsubnet/rightsubnet are the LANs accessible from that endpoint. Also need
> to be certain that you are using the same encryption methods at each end.
> And be leery of compression.
> 
> Assuming a star config, the basic addressing should look like:
> 

Now, the only issue I have with the A-C configuration is that the remote offices are using DHCP through cheap lines (Comcast).

I'll get a better diagram png up on the net in a day or two and repost to give you a better idea.  

One other quick question though, I notice that stock RedHat/CentOS packages have some defaults in /etc/ipsec.conf that seem to different greatly from all of the samples that I have seen on the internet.  I have an okay understanding of how the conn properties work (I say okay, because there is probably something I could be doing better).  I think this is my biggest point of confusion.  

Anyway, thanks for the quick response, and I'll have some better diagrams and questions to go with those diagrams this week.





More information about the Users mailing list