[Openswan Users] Hub-Spoke Configuration

Jon Fox jon at sacredregion.com
Tue Mar 8 03:20:37 EST 2016


In retrospect, I spoke in haste, and error.

You do indeed need two connections, but they may not be immediately
apparent.  Simply having two connections, e.g. Spoke A Network <->
localnet, and Spoke B Network <-> localnet will not work, as ipsec does
not automagically route between existing connections.  This would
constitute a VPN security violation.  From what I remember, ipsec
connection entries are also security policies, consisting basically of:
"machine at Right IP agrees to exchange traffic with machine at Left IP
that consists of packets sourced from Right Network to Left Network".

Let me mention that I hate that "left" and "right" nomenclature is used
for both host (VPN concentrator) and subnet declarations, when (again,
if I'm remembering correctly), the left and right networks need not be
local to the left and right hosts.

So, you need one connection entry from Spoke Network A at Spoke Machine
A to Spoke Network B at Localnet Machine, and another connection entry
from Spoke Network B at Spoke Machine B to Spoke Network A at Localnet
Machine, in order for the spokes to talk to each other via your localnet
machine. 

If you already have functional connections from each spoke to your
localnet (which I'm guessing is true, and the source of your original
question), leave those in place if you want access to both spokes from
hosts within localnet.

The above advice is dredging up memories from over a decade, so if my
memory is failing me, or if this is just plain outdated advice, then I
beg your forgiveness.  Also, I made a lot of assumptions - if I'm way
off base, you have my apologies.

Thanks,
-Jon
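A hub-side ipsec.conf sketch of the two extra connection entries described above, using the subnets from Leonard's original message; this is an added example, not configuration from either poster. The public gateway addresses are placeholders, and "left" is taken to be the hub and "right" the cloud VPN gateway.

```ini
# Hub-side ipsec.conf (added example, not from the thread).
# Public addresses below are placeholders, not real gateway IPs.
config setup
    protostack=netkey

# Parameters shared by every tunnel that terminates on the hub
conn hub-common
    left=%defaultroute
    # placeholder: hub public IP
    leftid=203.0.113.10
    authby=secret
    type=tunnel
    auto=start

# Hub LAN <-> Azure (Spoke1): hosts in 192.168.1.0/24 reach Azure
conn hub-azure
    also=hub-common
    # placeholder: Azure VPN gateway IP
    right=198.51.100.20
    leftsubnet=192.168.1.0/24
    rightsubnet=172.16.0.0/23

# Hub LAN <-> AWS (Spoke2): hosts in 192.168.1.0/24 reach AWS
conn hub-aws
    also=hub-common
    # placeholder: AWS VPN gateway IP
    right=192.0.2.30
    leftsubnet=192.168.1.0/24
    rightsubnet=10.10.10.0/23

# Spoke-to-spoke: the AWS prefix is offered to Azure over the Azure
# tunnel, so Azure-sourced packets for 10.10.10.0/23 match a policy
# on the hub instead of being dropped as a selector violation.
conn aws-via-azure
    also=hub-common
    right=198.51.100.20
    leftsubnet=10.10.10.0/23
    rightsubnet=172.16.0.0/23

# Spoke-to-spoke: the Azure prefix is offered to AWS over the AWS tunnel.
conn azure-via-aws
    also=hub-common
    right=192.0.2.30
    leftsubnet=172.16.0.0/23
    rightsubnet=10.10.10.0/23
```

With NETKEY the kernel does the spoke-to-spoke forwarding, so net.ipv4.ip_forward must be 1 and no firewall or NAT rule on the hub may rewrite or drop traffic between the two spoke prefixes. The Azure and AWS gateways must also be configured to accept the other spoke's prefix as a remote network, or their traffic selectors will reject the extra SAs.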

On 3/8/2016 1:29 AM, Jon Fox wrote:
>> I have two connection entries in the ipsec.conf
>
> I've done spoke-hub with ipsec in the distant past.
>
> IIRC, you need either one connection entry (spoke A-to-spoke B), or
> three connection entries (spoke A-to-spoke B, spoke A to localnet, and
> spoke B to localnet).  What exactly do you have configured for the
> left and right networks of your existing two(?) connections?
>
> -Jon
>
> On 3/7/2016 10:55 PM, Leonard Wood wrote:
>>
>> Hi Daniel,
>>
>> Thanks for responding.  I have not received any replies, yet.  After
>> researching this extensively, I suspect my issue may be a result of
>> using the netkey protocol (default) vs klips.  I don’t think netkey
>> has the ability to route traffic between two local subnets.  I can
>> run tcpdump on the local openswan (hub) instance and see ICMP packets
>> coming in from the Spokes.
>>
>> My thinking is because the entire payload and header are encrypted,
>> and without some mechanism (i.e., klips) to decipher it, the datagram
>> doesn’t know where to go once it reaches Openswan (Hub).
>>
>> But I could be wrong.
>>
>> Thanks,
>>
>> Leonard
>>
>> *From:* Daniel Cave [mailto:dan.cave at me.com]
>> *Sent:* Monday, March 07, 2016 12:47 PM
>> *To:* Leonard Wood
>> *Cc:* users at lists.openswan.org
>> *Subject:* Re: [Openswan Users] Hub-Spoke Configuration
>>
>> Hello Leonard
>>
>> Did you get any replies to this?
>>
>> I suspect you may be experiencing issues with firewall/security
>> group/rules issues
>>
>> Have you tried establishing hub to spoke end connectivity on each
>> side and end to end testing by connecting using netcat?
>>
>> Sent from my iPhone
>>
>> On 2 Mar 2016, at 20:00, Leonard Wood <leonardw at ufl.edu> wrote:
>>
>>     Does anyone have any documentation on setting up a ‘hub and
>>     spoke’ configuration using Openswan?
>>
>>     I have a scenario where I am connecting both Azure and AWS to a
>>     single Openswan instance using each prospective provider’s VPN
>>     gateway.  The tunnels come up and everything is fine with one
>>     exception.  Resources deployed in Azure cannot communicate with
>>     resources deployed in AWS, and vice versa.  Both can communicate
>>     with the Openswan instance, however.  The route tables are
>>     correctly set up in AWS and Azure so I am convinced it’s my
>>     configuration.
>>
>>     I have two connection entries in the ipsec.conf
>>
>>     (Spoke1) Azure = 172.16.0.0/23
>>     (Spoke2) AWS = 10.10.10.0/23
>>     Hub Network = Openswan = 192.168.1.0/24
>>
>>     I am also using netkey for the protocol.
>>
>>     Any help with getting nodes in spoke 1 to communicate with nodes
>>     in spoke 2 would be greatly appreciated!
>>
>>     _______________________________________________
>>     Users at lists.openswan.org <mailto:Users at lists.openswan.org>
>>     https://lists.openswan.org/mailman/listinfo/users
>>     Micropayments:
>>     https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>>     Building and Integrating Virtual Private Networks with Openswan:
>>     http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>>
