[Openswan Users] Simplifying transport mode setup between multiple hosts?

Alexander Valys avalys at avalys.net
Tue Mar 3 22:09:16 EST 2015

I have about 10 hosts that must communicate securely amongst themselves over an unsecured network.  Multiple applications and protocols are involved, so IPsec transport / host-to-host mode seems the perfect solution that is transparent to the rest of the OS and applications.  

I have gotten it working under Ubuntu 12.04 LTS, but the configuration is quite a mess: I am using PSK authentication, and it simple enough to distribute the key amongst all the computers, but setting up the IPsec connections is a hassle.  There is no hierarchical client-server relationship between all the machines - they are all peers - so for each machine, it seems I need to define a separate connection in ipsec.conf or ipsec.d involving the specific IP of each of the other 9 hosts.

It is a pain to keep the left/right arrangements consistent between all the machines and files (there are obviously 100 separate possible connections), and obviously if I had an 11th machine, I will have to go and create a new connection on all 10 other machines.    

Is there a better way to do this that is less brittle and manual?  Either an alternate means of IPsec configuration, or an alternative to transport mode that is still transparent to applications?


Alex Valys

More information about the Users mailing list