[Openswan Users] Multiple site-to-site tunnels from a single server

Daniel Cave dan.cave at me.com
Wed Nov 9 16:30:18 EST 2016


In my experience the AWS VPN GWs can be a bit problematic to set up because AWS don't properly negotiate with Openswan, and the documentation is a bit lacking in detail as to how to make the two ends talk. Once it's working it's pretty stable.

I have got some docs at home I had for a setup between an AWS VPN GW and IPsec but using VyOS with VTI & BGP, but as long as you set the openvpn side with just the PSK and use the AWS static IP config and NOT BGP failover/VTI you should be ok.

I also had Openswan running on a t2.medium with a connection to a Cisco VPN concentrator using 3des-md5, which didn't work, so I had to revert to aes-128 sha1, which was a pita as the Cisco didn't want to play ball with md5.

I would advise against using the smaller T2 instance types because of the CPU credits: when the crypto traffic gets busy the processor goes nuts as the threshold is lower, and the tunnel drops randomly.

Hope that helps

Sent from my iPhone
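As an added example (not from the thread, and not Openswan's own tooling): a small Python helper that checks the "site subnets must not overlap" condition raised further down the thread and emits one Openswan conn section per remote subnet using PSK authentication and static selectors rather than BGP/VTI. The site names, peer addresses and subnets are constructed placeholders, and the ike=/phase2alg= values are assumptions following the aes-128 sha1 choice mentioned above.

```python
"""Plan several site-to-site tunnels from one Openswan host and emit ipsec.conf
conn sections. Added example for this thread, not Openswan's own tooling;
site names, peer addresses and subnets below are constructed placeholders."""
import ipaddress
from itertools import combinations

HUB_PUBLIC_IP = "203.0.113.10"   # constructed (RFC 5737 documentation range)
HUB_SUBNET = "10.0.0.0/16"       # constructed: LAN behind the Openswan host
SITES = {                        # constructed remote sites, one IPsec peer each
    "siteA": {"peer": "198.51.100.20", "subnets": ["10.1.0.0/24", "10.1.1.0/24"]},
    "siteB": {"peer": "198.51.100.30", "subnets": ["10.2.0.0/24", "10.2.1.0/24"]},
}

def find_overlaps(hub_subnet, sites):
    """Return (name1, net1, name2, net2) for every overlapping pair of networks.
    Overlapping subnets behind different tunnels make policy/route selection
    ambiguous, which is why the thread insists the site subnets must not overlap."""
    nets = [("hub", ipaddress.ip_network(hub_subnet))]
    for name, site in sites.items():
        nets += [(name, ipaddress.ip_network(s)) for s in site["subnets"]]
    return [(a, str(na), b, str(nb))
            for (a, na), (b, nb) in combinations(nets, 2) if na.overlaps(nb)]

def render_conns(hub_public_ip, hub_subnet, sites,
                 ike="aes128-sha1;modp2048", phase2="aes128-sha1"):
    """One conn per (site, remote subnet): PSK auth, static selectors, no BGP/VTI.
    left=%defaultroute with leftid set to the public IP suits an EC2 host whose
    interface carries a private address behind an elastic IP (assumption).
    Lower the DH group only if the peer cannot negotiate modp2048."""
    blocks = []
    for name, site in sites.items():
        for i, subnet in enumerate(site["subnets"]):
            blocks.append("\n".join([
                f"conn {name}-{i}",
                "    left=%defaultroute",
                f"    leftid={hub_public_ip}",
                f"    leftsubnet={hub_subnet}",
                f"    right={site['peer']}",
                f"    rightsubnet={subnet}",
                "    authby=secret",
                "    keyexchange=ike",
                f"    ike={ike}",
                f"    phase2alg={phase2}",
                "    auto=start",
            ]))
    return "\n\n".join(blocks)

if __name__ == "__main__":
    problems = find_overlaps(HUB_SUBNET, SITES)
    print(render_conns(HUB_PUBLIC_IP, HUB_SUBNET, SITES) if not problems else problems)
```

The matching PSKs go in ipsec.secrets as `<leftid> <right> : PSK "..."` lines, one per peer.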

> On 9 Nov 2016, at 20:48, Anton Zavrin <azavrin at myvest.com> wrote:
> 
> I would prefer AWS gateways to save on instance costs. Do you think it's doable?
> 
>> On Wed, Nov 9, 2016 at 12:45 PM, Daniel Cave <dan.cave at me.com> wrote:
>> Yes, that should work just as long as the site[A-Z] subnets don't overlap.
>> 
>> I did something similar to this a while ago.
>> 
>> Are you planning to use the aws VPN gateways or roll your own?
>> 
>> Sent from my iPhone
>> 
>>> On 9 Nov 2016, at 16:38, Anton Zavrin <azavrin at myvest.com> wrote:
>>> 
>>> Multi-site SNMP-based monitoring from a single polling engine.
>>> 
>>> MonitoringSolution0 --> tunnel1 -> SiteA (multi-zone subnets)
>>> MonitoringSolution0 --> tunnel2 -> SiteB (multi-zone subnets)
>>> :
>>> :
>>> MonitoringSolution0 --> tunnelX -> SiteX (multi-zone subnets)
>>> 
>>> This is an AWS-based implementation.
>>> 
>>>> On Wed, Nov 9, 2016 at 8:31 AM, Daniel Cave <dan.cave at me.com> wrote:
>>>> Hi Anton 
>>>> 
>>>> In short, to your question: you can build multiple LAN-to-LAN tunnels between two IPsec devices, of which Openswan can be one.
>>>> 
>>>> What exactly are you trying to do?
>>>> 
>>>> Sent from my iPhone
>>>> 
>>>>> On 9 Nov 2016, at 15:15, Anton Zavrin <azavrin at myvest.com> wrote:
>>>>> 
>>>>> Hello,
>>>>> 
>>>>> Does Openswan support multiple site-to-site tunnels from a single server?
>>>>> If this can be done, can someone point me in the right direction, such as an article?
>>>>> 
>>>>> Thank you
>>>>> 
>>> 
>>> -- 
>>> Anton Zavrin | MyVest
>>> 
>>> 500 Howard Street, Suite 425,  San Francisco, CA 94105
>>> 
>>> Office: 415.284.2770 | Fax: 415.369.9517