Tom Eastep wrote:
> Alan Madill wrote:
>>
>> Tom Eastep wrote:
>>> Tom Eastep wrote:
>>>> Alan Madill wrote:
>>>>> Hi,
>>>>>
>>>>> I want to connect two satellite offices to a main office using
>>>>> openswan and ipsec vpn.
>>>>> SatSite1 --- Main --- SatSite2
>>>>> 192.168.30.0/24 --- 1.1.1.1 --- 2.2.2.2 --- 192.168.20.0/24 ---
>>>>> 2.2.2.2 --- 3.3.3.3 --- 192.168.25.0/24
>>>>> Where 1.1.1.1, 2.2.2.2, and 3.3.3.3 are the public ip addresses of
>>>>> the three sites
>>>>>
>>>>> I have successfully got the VPNs working between the two
>>>>> satellite sites and the main site but I can't figure out how to
>>>>> route traffic from one satellite site to the other.
>>>> You can't 'route' the traffic. You must add additional IPSEC
>>>> tunnels to tunnel the forwarded traffic between your firewall and
>>>> the remote gateways.
>>> Actually, that is a bit misleading. You only need one 'tunnel' from
>>> each site but you need additional SPD entries that make the
>>> site-to-site traffic go through the tunnel. I know how to do that
>>> using ipsec-tools and Racoon but not with openswan.
>>
>> The lack of actual interfaces confuses me a bit. :-) What would the
>> SPD entries look like? I should be able to RTM and do the same with
>> openswan if I have an idea of what I'm trying to do.
>
> OpenSwan's history is in the days when each IPSEC tunnel had its own
> interface. Consequently, I think that people who try to use OpenSwan
> with PF_KEY tend to be confused before they even start. My $.02us
>
> You need four additional SPD entries:
>
> Traffic from site1->site2 use tunnel from site1 to fw
> Traffic from site1->site2 use tunnel from fw to site2
> Traffic from site2->site1 use tunnel from site2 to fw
> Traffic from site2->site1 use tunnel from fw to site1
>
> This thread on the openswan list should be helpful.
> http://lists.openswan.org/pipermail/users/2008-March/014288.html
>
>> Are there any special considerations for shorewall in adding the
>> additional traffic?
>
> Assuming that you already have site1 and site2 zones, just have ACCEPT
> policies for site1<->site2.

As it is now I just have one zone named vpn with both sites in it. Do I
need to set up separate zones or will a policy like vpn vpn ACCEPT work?

> -Tom

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
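The four hub-side SPD entries Tom lists, written out in ipsec-tools setkey syntax as an added example (not from the thread, from Tom, or from any openswan configuration), and extended beyond the four listed entries with the two each satellite needs for the other satellite's subnet. It assumes ESP in tunnel mode and the addresses from the diagram; the function names hub_spd, spoke_spd and write_policy are chosen here and are not setkey commands.

```shell
#!/bin/sh
# Added example: hub-and-spoke SPD entries for ipsec-tools setkey.
# Assumed: ESP tunnel mode, hub at 2.2.2.2, site1 1.1.1.1/192.168.30.0/24,
# site2 3.3.3.3/192.168.25.0/24. Function names are this example's own.

# Four hub entries. Args: site1 subnet, site1 gw, hub public addr,
# site2 gw, site2 subnet. The selectors are the inner subnets; the
# esp/tunnel/src-dst part names the outer tunnel the packet must use.
hub_spd() {
    s1net=$1; s1gw=$2; fw=$3; s2gw=$4; s2net=$5
    # site1 -> site2: arrives inside site1's tunnel, leaves inside site2's
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n'  "$s1net" "$s2net" "$s1gw" "$fw"
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' "$s1net" "$s2net" "$fw" "$s2gw"
    # site2 -> site1: the mirror image
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n'  "$s2net" "$s1net" "$s2gw" "$fw"
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' "$s2net" "$s1net" "$fw" "$s1gw"
}

# Two spoke entries. Args: this site's subnet, its gw, hub public addr,
# far site's subnet. Without these the spoke has no policy that covers
# the far subnet, so that traffic never enters its tunnel to the hub.
spoke_spd() {
    net=$1; gw=$2; fw=$3; far=$4
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' "$net" "$far" "$gw" "$fw"
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n'  "$far" "$net" "$fw" "$gw"
}

# Write the entries for one role to a file. Load with "setkey -f FILE"
# and check with "setkey -DP". On Linux, forwarded packets are matched
# against "fwd" policies: if the listing shows no fwd entry beside each
# in entry on the hub, add the same selectors again with -P fwd.
write_policy() {  # $1 = hub|site1|site2, $2 = output file
    case $1 in
        hub)   hub_spd   192.168.30.0/24 1.1.1.1 2.2.2.2 3.3.3.3 192.168.25.0/24 ;;
        site1) spoke_spd 192.168.30.0/24 1.1.1.1 2.2.2.2 192.168.25.0/24 ;;
        site2) spoke_spd 192.168.25.0/24 3.3.3.3 2.2.2.2 192.168.30.0/24 ;;
        *)     echo "unknown role: $1" >&2; return 1 ;;
    esac > "$2"
}
```

Existing per-site policies that already select each satellite's subnet to the hub are left untouched; these entries only add the satellite-to-satellite selectors.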
