Alan Madill wrote:
> Tom Eastep wrote:
>> Tom Eastep wrote:
>>> Alan Madill wrote:
>>>> Hi,
>>>>
>>>> I want to connect two satellite offices to a main office using openswan
>>>> and ipsec vpn.
>>>>
>>>> SatSite1 --- Main --- SatSite2
>>>> 192.168.30.0/24 --- 1.1.1.1 --- 2.2.2.2 --- 192.168.20.0/24 --- 2.2.2.2 --- 3.3.3.3 --- 192.168.25.0/24
>>>>
>>>> Where 1.1.1.1, 2.2.2.2, and 3.3.3.3 are the public ip addresses of the
>>>> three sites
>>>>
>>>> I have successfully got the VPNs working between the two satellite
>>>> sites and the main site but I can't figure out how to route traffic
>>>> from one satellite site to the other.
>>>
>>> You can't 'route' the traffic. You must add additional IPSEC tunnels to
>>> tunnel the forwarded traffic between your firewall and the remote
>>> gateways.
>>
>> Actually, that is a bit misleading. You only need one 'tunnel' from each
>> site but you need additional SPD entries that make the site-to-site
>> traffic go through the tunnel. I know how to do that using ipsec-tools
>> and Racoon but not with openswan.
>
> The lack of actual interfaces confuses me a bit. :-) What would the SPD
> entries look like? I should be able to RTM and do the same with openswan
> if I have an idea of what I'm trying to do.
OpenSwan's history is in the days when each IPSEC tunnel had its own interface. Consequently, I think that people who try to use OpenSwan with PF_KEY tend to be confused before they even start. My $.02us
You need four additional SPD entries:

Traffic from site1->site2 use tunnel from site1 to fw
Traffic from site1->site2 use tunnel from fw to site2
Traffic from site2->site1 use tunnel from site2 to fw
Traffic from site2->site1 use tunnel from fw to site1
> Are there any special considerations for shorewall in adding the
> additional traffic?
Assuming that you already have site1 and site2 zones, just have ACCEPT policies for site1<->site2.
-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ [EMAIL PROTECTED]
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
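Tom's four additional SPD entries, written out in setkey(8) syntax for ipsec-tools with the addresses from the thread, as an added example that is not part of this thread and not code from Shorewall, ipsec-tools or openswan. It assumes a Linux kernel with ipsec-tools, where a decrypted packet that is forwarded rather than delivered locally is matched by the 'fwd' policy direction (so each of Tom's "use tunnel" entries becomes a fwd or out policy), and that ESP tunnel-mode SAs between each site and the hub are already negotiated by racoon. The role names hub/site1/site2 and the helper functions are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): generate the extra SPD entries that
# let site1<->site2 traffic ride the existing site<->hub tunnels.
# Addresses are the ones used in the thread; 192.168.20.0/24 (the hub LAN)
# is untouched because its policies already exist.
HUB=2.2.2.2
SITE1_GW=1.1.1.1; SITE1_LAN=192.168.30.0/24
SITE2_GW=3.3.3.3; SITE2_LAN=192.168.25.0/24

# Hub (2.2.2.2): site1->site2 packets arrive decrypted from the site1 tunnel
# and are forwarded, so a 'fwd' policy names that tunnel; they then leave
# through an 'out' policy into the hub->site2 tunnel. Same in reverse.
# The tunnel endpoints are the OUTER src-dst of the SA that carries them.
hub_spd() {
    # $1 lan_a  $2 gw_a  $3 hub  $4 gw_b  $5 lan_b
    printf 'spdadd %s %s any -P fwd ipsec esp/tunnel/%s-%s/require;\n' "$1" "$5" "$2" "$3"
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' "$1" "$5" "$3" "$4"
    printf 'spdadd %s %s any -P fwd ipsec esp/tunnel/%s-%s/require;\n' "$5" "$1" "$4" "$3"
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' "$5" "$1" "$3" "$2"
}

# Spoke: its own LAN to the other spoke's LAN goes 'out' through its tunnel
# to the hub; replies come back in that tunnel and are forwarded ('fwd').
spoke_spd() {
    # $1 local_lan  $2 local_gw  $3 hub  $4 remote_lan
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' "$1" "$4" "$2" "$3"
    printf 'spdadd %s %s any -P fwd ipsec esp/tunnel/%s-%s/require;\n' "$4" "$1" "$3" "$2"
}

# Print the policy set for one role; on that box pipe it into 'setkey -c'.
spd_for() {
    case "$1" in
        hub)   hub_spd "$SITE1_LAN" "$SITE1_GW" "$HUB" "$SITE2_GW" "$SITE2_LAN" ;;
        site1) spoke_spd "$SITE1_LAN" "$SITE1_GW" "$HUB" "$SITE2_LAN" ;;
        site2) spoke_spd "$SITE2_LAN" "$SITE2_GW" "$HUB" "$SITE1_LAN" ;;
        *)     echo "usage: spd_for hub|site1|site2" >&2; return 1 ;;
    esac
}

# Show all three policy sets. On a real gateway run, for example:
#   spd_for hub | setkey -c
for role in hub site1 site2; do
    echo "# --- $role ---"
    spd_for "$role"
done
```

The hub ends up with Tom's four entries and each spoke with two, so the selectors match on both ends of every tunnel, which is what makes racoon (or any IKE daemon) willing to carry the site-to-site selectors inside the existing site<->hub SAs. None of this replaces the firewall rules: as Tom says, the hub's Shorewall policy still has to ACCEPT site1<->site2 between the zones those tunnels land in.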
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
