[Openswan Users] Hub-Spoke Configuration
Nick Howitt
nick at howitts.co.uk
Tue Mar 8 03:25:29 EST 2016
Hi Leonard,
You had a similar thread a couple of weeks ago (cross-site
connectivity). Where did you get with the answers you received then?
Nick
On 2016-03-08 08:20, Jon Fox wrote:
> In retrospect, I spoke in haste, and in error.
>
> You do indeed need two connections, but they may not be immediately
> apparent. Simply having two connections, e.g. Spoke A Network <->
> localnet, and Spoke B Network <-> localnet will not work, as ipsec
> does not automagically route between existing connections. This would
> constitute a VPN security violation. From what I remember, ipsec
> connection entries are also security policies, consisting basically
> of: "machine at Right IP agrees to exchange traffic with machine at
> Left IP that consists of packets sourced from Right Network to Left
> Network".
>
> Let me mention that I hate that "left" and "right" nomenclature is
> used for both host (VPN concentrator) and subnet declarations, when
> (again, if I'm remembering correctly), the left and right networks
> need not be local to the left and right hosts.
>
> So, you need one connection entry from Spoke Network A at Spoke
> Machine A to Spoke Network B at Localnet Machine, and another
> connection entry from Spoke Network B at Spoke Machine B to Spoke
> Network A at Localnet Machine, in order for the spokes to talk to each
> other via your localnet machine.
>
> If you already have functional connections from each spoke to your
> localnet (which I'm guessing is true, and the source of your original
> question), leave those in place if you want access to both spokes from
> hosts within localnet.
>
> The above advice is dredging up memories from over a decade, so if my
> memory is failing me, or if this is just plain outdated advice, then I
> beg your forgiveness. Also, I made a lot of assumptions - if I'm way
> off base, you have my apologies.
>
> Thanks,
> -Jon
>
> On 3/8/2016 1:29 AM, Jon Fox wrote:
>
>>> I have two connection entries in the ipsec.conf
>>
>> I've done spoke-hub with ipsec in the distant past.
>>
>> IIRC, you need either one connection entry (spoke A-to-spoke B), or
>> three connection entries (spoke A-to-spoke B, spoke A to localnet,
>> and spoke B to localnet). What exactly do you have configured for
>> the left and right networks of your existing two(?) connections?
>>
>> -Jon
>>
>> On 3/7/2016 10:55 PM, Leonard Wood wrote:
>>
>> Hi Daniel,
>>
>> Thanks for responding. I have not received any replies, yet. After
>> researching this extensively, I suspect my issue may be a result of
>> using the netkey protocol (default) vs klips. I don’t think
>> netkey has the ability to route traffic between two local subnets.
>> I can run tcpdump on the local openswan (hub) instance and see ICMP
>> packets coming in from the Spokes.
>>
>> My thinking is because the entire payload and header are encrypted,
>> and without some mechanism (i.e., klips) to decipher it, the
>> datagram doesn’t know where to go once it reaches Openswan (Hub)
>>
>> But I could be wrong.
>>
>> Thanks,
>>
>> Leonard
>>
>> From: Daniel Cave [mailto:dan.cave at me.com]
>> Sent: Monday, March 07, 2016 12:47 PM
>> To: Leonard Wood
>> Cc: users at lists.openswan.org
>> Subject: Re: [Openswan Users] Hub-Spoke Configuration
>>
>> Hello Leonard
>>
>> Did you get any replies to this?
>>
>> I suspect you may be experiencing issues with firewall/security
>> group/rules issues
>>
>> Have you tried establishing hub to spoke end connectivity on each
>> side and end to end testing by connecting using netcat?
>>
>> Sent from my iPhone
>>
>> On 2 Mar 2016, at 20:00, Leonard Wood <leonardw at ufl.edu> wrote:
>>
>> Does anyone have any documentation on setting up a ‘hub and
>> spoke’ configuration using Openswan?
>>
>> I have a scenario where I am connecting both Azure and AWS to a
>> single Openswan instance using each respective provider's VPN
>> gateway. The tunnels come up and everything is fine with one
>> exception. Resources deployed in Azure cannot communicate with
>> resources deployed in AWS, and vice versa. Both can communicate
>> with the Openswan instance, however. The route tables are correctly
>> set up in AWS and Azure, so I am convinced it's my configuration.
>>
>> I have two connection entries in the ipsec.conf
>>
>> (Spoke1) Azure = 172.16.0.0/23
>>
>> (Spoke2) AWS = 10.10.10.0/23
>>
>> Hub Network = Openswan = 192.168.1.0/24
>>
>> I am also using netkey for the protocol.
>>
>> Any help with getting nodes in spoke 1 to communicate with nodes in
>> spoke 2 would be greatly appreciated!
>>
>> _______________________________________________
>> Users at lists.openswan.org
>> https://lists.openswan.org/mailman/listinfo/users
>> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>> Building and Integrating Virtual Private Networks with Openswan:
>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>
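Jon's point above is that an IPsec connection entry is a policy with traffic selectors, not a route: a packet arriving at the hub from Azure with a destination in the AWS subnet matches no policy if the hub only has hub-LAN<->spoke connections, so it is dropped rather than re-encrypted towards AWS. The following added example (written for this page, not code from the thread or from Openswan) models that selector matching for Leonard's three subnets and generates the extra connection entries Jon describes. The gateway addresses and the connection names are hypothetical placeholders; the subnets are the ones Leonard posted.

```python
"""Added example: model Openswan/IPsec policies on a hub with two spokes
and show why hub<->spoke connections alone never carry spoke<->spoke
traffic. Subnets come from the thread; gateway IPs are assumptions."""
import ipaddress
from dataclasses import dataclass

# Subnets from the thread.
HUB = ipaddress.ip_network("192.168.1.0/24")    # Openswan hub LAN
AZURE = ipaddress.ip_network("172.16.0.0/23")   # Spoke1
AWS = ipaddress.ip_network("10.10.10.0/23")     # Spoke2

# Hypothetical public gateway addresses (assumption, not from the thread).
HUB_GW = "203.0.113.10"
AZURE_GW = "198.51.100.20"
AWS_GW = "198.51.100.30"

# (name, gateway, subnet) for each spoke; the hub is always "left".
SPOKES = [("azure", AZURE_GW, AZURE), ("aws", AWS_GW, AWS)]


@dataclass(frozen=True)
class Conn:
    """One ipsec.conf 'conn' entry as seen from the hub."""
    name: str
    left: str                           # hub gateway address
    leftsubnet: ipaddress.IPv4Network   # local traffic selector
    right: str                          # peer gateway address
    rightsubnet: ipaddress.IPv4Network  # remote traffic selector

    def to_ipsec_conf(self) -> str:
        return "\n".join([
            f"conn {self.name}",
            f"    left={self.left}",
            f"    leftsubnet={self.leftsubnet}",
            f"    right={self.right}",
            f"    rightsubnet={self.rightsubnet}",
            "    authby=secret",
            "    auto=start",
        ])


def hub_spoke_conns(spokes):
    """The two connections Leonard already has: hub LAN <-> each spoke."""
    return [Conn(f"hub-to-{n}", HUB_GW, HUB, gw, net) for n, gw, net in spokes]


def spoke_spoke_conns(spokes):
    """Jon's extra entries: for every ordered pair (a, b) of spokes, a policy
    on the tunnel to spoke a whose *local* selector is spoke b's subnet, so
    the hub accepts a->b traffic inbound and re-encrypts b->a traffic outbound."""
    conns = []
    for a_name, a_gw, a_net in spokes:
        for b_name, _b_gw, b_net in spokes:
            if a_name != b_name:
                conns.append(Conn(f"{a_name}-tunnel-for-{b_name}",
                                  HUB_GW, b_net, a_gw, a_net))
    return conns


def match_policies(conns, src, dst):
    """Which policies a packet src->dst matches at the hub.

    Inbound: a packet decrypted from peer 'right' is accepted only if
    src is in rightsubnet and dst is in leftsubnet of some conn.
    Outbound: the hub encrypts to 'right' only if src is in leftsubnet
    and dst is in rightsubnet. Returns (inbound_name, outbound_name),
    with None where no policy matches (the packet is dropped there)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    inbound = next((c.name for c in conns
                    if src in c.rightsubnet and dst in c.leftsubnet), None)
    outbound = next((c.name for c in conns
                     if src in c.leftsubnet and dst in c.rightsubnet), None)
    return inbound, outbound


def render_ipsec_conf(conns):
    """Render a complete ipsec.conf for the hub (netkey stack, as in the thread)."""
    header = "config setup\n    protostack=netkey\n"
    return header + "\n\n".join(c.to_ipsec_conf() for c in conns) + "\n"


if __name__ == "__main__":
    only_hub = hub_spoke_conns(SPOKES)
    full = only_hub + spoke_spoke_conns(SPOKES)
    pkt = ("172.16.0.5", "10.10.10.5")   # constructed Azure -> AWS packet
    print("hub<->spoke only:", match_policies(only_hub, *pkt))
    print("with spoke<->spoke:", match_policies(full, *pkt))
    print(render_ipsec_conf(full))
```

With only the hub<->spoke entries, an Azure->AWS packet matches neither an inbound nor an outbound policy, which is consistent with seeing the ESP traffic arrive in tcpdump and nothing leaving. With the two extra entries, the same packet is accepted on the Azure tunnel (local selector 10.10.10.0/23) and re-encrypted on the AWS tunnel (local selector 172.16.0.0/23). The cloud side of each tunnel must carry the matching selectors too: both ends of an IPsec SA have to agree on the traffic selectors, so the Azure and AWS gateways must each list the other spoke's prefix as a remote network behind the hub, or they will not negotiate (or will drop) that traffic regardless of what the hub's ipsec.conf says.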