[Openswan Users] Multiple sites with openswan

Nick Howitt nick at howitts.co.uk
Tue Jan 20 03:22:37 EST 2015


With that set up, each remote site is invisible to each other remote 
site.

There are some things in the setup you won't want (plutodebug=all), 
probably don't need if Openswan is on your gateway device 
(nat_traversal=yes, 
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/16), 
don't need (compress=no), could do better (use aes or aes128 instead of 
3des, or something even stronger if you want like aes256; sha1 instead of 
md5) and are wrong (left/rightsourceip should be the private IP of the 
gateway). If you don't use NAT traversal you also do not need to open 
udp port 4500, and you never need tcp:4500.

I am not convinced about NAT'ing the VPN as this is not normally 
recommended, but you would use a similar iptables rule with "-j ACCEPT" 
instead of "-j SNAT".

Check which subnets you want to use. The example gives a single public 
IP access to a whole LAN. It is more likely you will want a remote LAN 
IP or subnet to your LAN. That is just a matter of adjusting the 
left/rightsubnet.

Nick

On 2015-01-19 23:24, Patrick Naubert wrote:
> Rescued from the spam bucket. Please remember to subscribe to the
> mailing list before posting to it.
> 
>> Date: January 19, 2015 at 6:00:26 PM GMT-5
>> 
>> Subject: Multiple sites with openswan
>> 
>> From: TC Tobin-Campbell <tc at redoxengine.com>
>> 
>> To: users at lists.openswan.org
>> 
>> Hi,
>> 
>> We're considering using openswan for VPN connections with health
>> systems. We have an application that sends and receives information
>> from health systems over VPN tunnels. We need to setup VPN
>> connections to each health system, but no information should pass
>> from health system to health system.
>> 
>> We're considering following the instructions here to set this up:
>> 
>> http://xmodulo.com/create-site-to-site-ipsec-vpn-tunnel-openswan-linux.html
>> 
>> If we setup openswan on one server, with multiple vpn tunnels to
>> different sites, does that in any way give the sites access to each
>> other? In other words, could one health system access another health
>> system through our VPN setup, or is there a way to prevent that from
>> happening? Or do we need a separate server for each connection?
>> 
>> Thanks,
>> TC
> 
> 
> 
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
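The hub-and-spoke layout the thread is about, written out as an added example (this is not code from Nick, TC or the Openswan project). It assumes the netkey stack, that /etc/ipsec.conf includes /etc/ipsec.d/*.conf, and that the hub is the Internet gateway for its LAN; every address, interface name and site name is constructed. The isolation comes from the IPsec selectors: each conn only covers hub-LAN <-> that spoke's LAN, so a packet from one spoke addressed to another matches no policy. The FORWARD rules make that explicit, log it, and stop such a packet from leaving via the default route in the clear.

```shell
#!/bin/sh
# Hub-and-spoke Openswan layout: one gateway ("hub") with one conn per
# health system ("spoke"). Added example, not from the thread or from
# Openswan itself. All names, addresses and interfaces are constructed.

HUB_PUBLIC=203.0.113.10       # assumed public IP of the Openswan gateway
HUB_LAN=10.50.0.0/24          # assumed LAN behind it (where the app lives)
HUB_LAN_IP=10.50.0.1          # gateway's own private IP, for leftsourceip
WAN_IF=eth0                   # assumed Internet-facing interface
NAT_T=no                      # yes only if a peer sits behind NAT (needs udp/4500)

# spoke name, peer public IP, peer LAN (constructed sample data)
SITES="
siteA 198.51.100.5  192.168.10.0/24
siteB 198.51.100.77 192.168.20.0/24
"

# One conn per spoke. leftsubnet/rightsubnet are the IPsec selectors, so the
# only flows that ever match a tunnel are hub-LAN <-> that spoke's LAN; a
# packet from siteA's LAN addressed to siteB's LAN matches no policy at all.
gen_ipsec_conf() {
    cat <<EOF
config setup
    protostack=netkey
    plutodebug=none
    nat_traversal=$NAT_T
EOF
    echo "$SITES" | while read -r name peer lan; do
        [ -n "$name" ] || continue
        cat <<EOF

conn $name
    left=$HUB_PUBLIC
    leftsubnet=$HUB_LAN
    leftsourceip=$HUB_LAN_IP
    right=$peer
    rightsubnet=$lan
    authby=secret
    ike=aes128-sha1;modp2048
    phase2alg=aes128-sha1;modp2048
    auto=start
EOF
    done
}

# Hub firewall. Set IPTABLES="echo iptables" for a dry run.
gen_input_rules() {
    ipt="${IPTABLES:-iptables}"
    $ipt -A INPUT -i "$WAN_IF" -p udp --dport 500 -j ACCEPT    # IKE
    $ipt -A INPUT -i "$WAN_IF" -p esp -j ACCEPT                # ESP
    if [ "$NAT_T" = yes ]; then                                 # NAT-T only
        $ipt -A INPUT -i "$WAN_IF" -p udp --dport 4500 -j ACCEPT
    fi
}

# FORWARD chain: accept only hub-LAN <-> spoke-LAN flows, and only when the
# kernel has an IPsec policy for them (xt_policy), then drop the rest. A
# spoke -> spoke packet matches no ACCEPT and hits the DROP, so it cannot be
# forwarded in the clear. Place these ahead of any general forward/NAT rules.
gen_forward_rules() {
    ipt="${IPTABLES:-iptables}"
    echo "$SITES" | while read -r name peer lan; do
        [ -n "$name" ] || continue
        $ipt -A FORWARD -s "$HUB_LAN" -d "$lan" \
            -m policy --dir out --pol ipsec --proto esp -j ACCEPT
        $ipt -A FORWARD -s "$lan" -d "$HUB_LAN" \
            -m policy --dir in --pol ipsec --proto esp -j ACCEPT
    done
    $ipt -A FORWARD -j LOG --log-prefix "vpn-fwd-drop: "
    $ipt -A FORWARD -j DROP
}

# "sh hub.sh show" prints the conf and the iptables commands without applying.
if [ "${1:-}" = show ]; then
    gen_ipsec_conf
    IPTABLES="echo iptables" gen_input_rules
    IPTABLES="echo iptables" gen_forward_rules
fi
```

Run it with `show` first and read the output; then write `gen_ipsec_conf` to /etc/ipsec.d/spokes.conf and apply the rules as root. The trailing DROP also blocks any non-VPN forwarding the hub does for its LAN, so if the hub is also the LAN's Internet gateway, insert these rules ahead of that traffic's ACCEPT rather than replacing it. With the netkey stack the kernel's own inbound policy check already rejects a decapsulated siteA packet whose destination is siteB's LAN, since conn siteA's selector only covers the hub LAN; the FORWARD rules make that decision visible in the logs and hold even if a conn is later widened by mistake.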