[prev in list] [next in list] [prev in thread] [next in thread] 

List:       openswan-users
Subject:    Re: [Openswan Users] Multi site from scratch config
From:       Gary Smith <gary.smith () holdstead ! com>
Date:       2013-05-21 17:52:25
Message-ID: 034DEBCAE934A74991E6E76B8DA72D148784C67EDC () HSSBS ! holdstead ! local
[Download RAW message or body]

> Need more data.
> - Post the internet-to-server equipment 'paths'; mostly, we need to know
> if/where there is NAT in the path.

All openswan servers will be on the perimeter firewalls.

> - What's the overall config; is it a star? full graph? Ring? (Most likely
> star, but it should be stated.)

Star
> - Does each site need to access every other site?
> 

Generally, we prefer that there is complete access to/all sites.  One of the remote \
offices (mine) will get a dump of all of the backups (databases, etc) in any event, \
one of the remote sites will have to be accessible from A and B.

> Openswan generally just works. But it can be a bother until you figure out
> how to specify each private LAN so their traffic is allowed (grabbed and
> pushed) through the VPN(s).
> 
> Generally speaking (when traversing the internet; leased lines are
> different), left/right are always the public IP addresses,
> leftsourceip/rightsourceip are the private public-facing IPs behind NAT, and
> leftsubnet/rightsubnet are the LANs accessible from that endpoint. Also need
> to be certain that you are using the same encryption methods at each end.
> And be leery of compression.
> 
> Assuming a star config, the basic addressing should look like:
> 

Now, the only issue I have with the A-C configuration is that the remote offices are \
using DHCP through cheap lines (Comcast).

I'll get a better diagram png up on the net in a day or two and repost to give you a \
better idea.  

One other quick question though, I notice that stock RedHat/CentOS packages have some \
defaults in /etc/ipsec.conf that seem to different greatly from all of the samples \
that I have seen on the internet.  I have an okay understanding of how the conn \
properties work (I say okay, because there is probably something I could be doing \
better).  I think this is my biggest point of confusion.  

Anyway, thanks for the quick response, and I'll have some better diagrams and \
questions to go with those diagrams this week.


[prev in list] [next in list] [prev in thread] [next in thread]