[Openswan Users] Cross Site Connectivity

Leonard Wood leonardw at ufl.edu
Fri Feb 26 14:30:36 EST 2016


Thanks Nick.

I will work on adjusting the subnets per your advice.

One item of clarification, are you suggesting that I need a 3rd conn entry in the ipsec.conf for Site C?

conn SiteA
leftsubnet = 10.10.0.0/16, rightsubnets = {192.168.1.0/24,172.16.0.0/24}

conn SiteB
leftsubnet = 172.16.0.0/24, rightsubnets = {192.168.1.0/24,10.10.0.0/16}

conn SiteC
??

From: Nick Howitt [mailto:nick at howitts.co.uk] 
Sent: Thursday, February 25, 2016 5:11 PM
To: Leonard Wood; users at lists.openswan.org
Subject: Re: [Openswan Users] Cross Site Connectivity

In that case I *think* you use the following:

Site A:    leftsubnet = 10.10.0.0/16, rightsubnets = {192.168.1.0/24,172.16.0.0/24}

Site B:    leftsubnet = 172.16.0.0/24, rightsubnets = {192.168.1.0/24,10.10.0.0/16}

Site C: 2 conns, has the reverse of the other two (or they can be the same but then it will be "right" in its conns)

If you have the chance to change subnets, also try to get C off 192.168.1.0/24. That and 192.168.0.0/24 are too common and can give you issues if you ever want roadwarriors to connect to it. You can also run into very hard to diagnose problems adding in other networking kit such as routers acting as WAPs.

Nick



Thank you for responding.  Site B subnet can change as it’s not required to be that large.  For example purposes, let's now assume Site B private subnet is 172.16.0.0/24.

Thanks!

From: Nick Howitt [mailto:nick at howitts.co.uk] 
Sent: Thursday, February 25, 2016 4:14 PM
To: Leonard Wood; users at lists.openswan.org
Subject: Re: [Openswan Users] Cross Site Connectivity

Hmm. Generally for VPNs subnets should not overlap at either end of the tunnel or the routing fails. Site B has a massive subnet, 10.0.0.0 - 10.255.255.255 (16,777,216 addresses). Unfortunately subnet A is entirely in Site B's subnet. Does site B need such a big subnet or can site B change to another subnet (either in the 172.16.0.0/12 range or 192.168.0.0/16 range but not 192.168.0.0/24 which is not a good subnet and is, in any case, being used at site C).

The problem you have is that site B sees 10.10.0.0/16 as local to itself so won't route traffic to Site A down the VPN.

Nick

On 25/02/2016 21:00, Leonard Wood wrote:

I have a single Openswan deployment (2.6.38/K4.2.0-27-generic) currently connected to two sites—Site A and Site B.  Let’s call my OpenSwan deployment Site C.

I need to have Site A private subnet communicate with Site B private subnet, and vice versa.

Site A Private Subnet = 10.10.0.0/16

Site B Private Subnet = 10.0.0.0/8

Site C Private Subnet = 192.168.1.0/24 (OpenSwan Deployment Subnet)

As of current, I can only communicate to/from Site A from Site C and I can only communicate to/from Site B from Site C.

Any suggestions how to accomplish cross site connectivity so Site A can communicate with Site B through Site C and vice versa?

Secondly, do you see any security concerns with this approach? Could traffic be intercepted or read in plaintext from my OpenSwan instance (Site C) since it’s essentially acting as MITM?

Many thanks in advance!

Leo
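On the third-conn question in the top message: the hub (Site C) does not get a conn for itself, it gets one conn per spoke whose subnet lists are the mirror of that spoke's conn, which is the "reverse" Nick describes. The following Python is an example added here, not code from the thread or from the Openswan project; it checks the original layout for the overlap Nick pointed out and renders both the hub-side and spoke-side conns. Site names are hypothetical labels, and the rendering assumes the whitespace-separated leftsubnets={...} form documented in ipsec.conf(5) rather than the comma notation used in the mails.

```python
from ipaddress import ip_network

# Constructed from the thread: Site C is the Openswan hub, Site B has already been
# renumbered to 172.16.0.0/24 as Nick suggested. Site names are hypothetical labels.
HUB = "SiteC"
SITES = {
    "SiteA": "10.10.0.0/16",
    "SiteB": "172.16.0.0/24",
    "SiteC": "192.168.1.0/24",
}
# The layout from the original post, kept to show the overlap check firing.
ORIGINAL_SITES = {**SITES, "SiteB": "10.0.0.0/8"}


def overlapping_subnets(sites):
    """Return sorted name pairs whose subnets overlap. Any hit means one site sees the
    other's addresses as local and will not send that traffic down the tunnel."""
    nets = {name: ip_network(cidr) for name, cidr in sites.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names)
            for b in names[i + 1:] if nets[a].overlaps(nets[b])]


def subnets_behind(sites, hub, site, toward):
    """Subnets reachable through `site` from the peer `toward`: its own subnet plus,
    when `site` is the hub, every other spoke (the 'reverse' Nick describes)."""
    behind = [sites[site]]
    if site == hub:
        behind += [c for n, c in sites.items() if n not in (hub, toward)]
    return behind


def conn_lines(sites, hub, local, remote):
    """Render one conn as written on `local` for its tunnel to `remote`, using the
    ipsec.conf(5) leftsubnets={...} form with whitespace-separated entries (assumed)."""
    left = " ".join(subnets_behind(sites, hub, local, remote))
    right = " ".join(subnets_behind(sites, hub, remote, local))
    return [f"conn {remote}",
            f"    leftsubnets={{{left}}}",
            f"    rightsubnets={{{right}}}"]


if __name__ == "__main__":
    print("overlaps in the original layout:", overlapping_subnets(ORIGINAL_SITES))
    print("overlaps after renumbering:", overlapping_subnets(SITES))
    # Site C needs one conn per spoke, not a third conn for itself.
    for spoke in (n for n in SITES if n != HUB):
        print("\n".join(conn_lines(SITES, HUB, HUB, spoke)), end="\n\n")
```

On the plaintext question in the original post: Site C terminates both tunnels, so A-to-B packets are decrypted and re-encrypted inside Site C's kernel and are in the clear there, which is inherent to a hub design and is why the hub host itself has to be protected as a trusted gateway.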
