Hi,

I want to connect two satellite offices to a main office using openswan and ipsec vpn.

SatSite1 --- Main --- SatSite2
192.168.30.0/24 --- 1.1.1.1 --- 2.2.2.2 --- 192.168.20.0/24 --- 2.2.2.2 --- 3.3.3.3 --- 192.168.25.0/24
Where 1.1.1.1, 2.2.2.2, and 3.3.3.3 are the public ip addresses of the three sites

I have successfully got the VPNs working between the two satellite sites and the main site but I can't figure out how to route traffic from one satellite site to the other.

From host1 in SatSite1 I can ping host2 in Main but not host3 in SatSite2
Host1 (192.168.30.X) can ping 192.168.20.X but can't ping 192.168.25.X

Adding a route at either end gives an error message

ip route add 192.168.25.0/24 via 192.168.20.254
RTNETLINK answers: No such process

Even though I can ping the system

ping 192.168.20.254
PING 192.168.20.254 (192.168.20.254) 56(84) bytes of data.
64 bytes from 192.168.20.254: icmp_seq=1 ttl=64 time=49.6 ms

Routing table on SatSite1 router

1.1.1.0/24 dev eth1 proto kernel scope link src 1.1.1.1
192.168.20.0/24 via 1.1.1.254 dev eth1
192.168.30.0/24 dev eth0 proto kernel scope link src 192.168.30.254
169.254.0.0/16 dev eth1 scope link
default via 1.1.1.254 dev eth1

I could add yet another vpn from SatSite1 to SatSite2 but it doesn't scale well.

ps, I know this is slightly off topic. Any pointers would be helpful.

Thanks

-------------------------------------------------------------------------
This SF.net email is sponsored by the 2008 JavaOne(SM) Conference
Don't miss this year's exciting event. There's still time to save $100.
Use priority code J8TL2D2.
http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone
Alan Madill wrote:
> Hi,
>
> I want to connect two satellite offices to a main office using openswan
> and ipsec vpn.
>
> SatSite1 --- Main --- SatSite2
> 192.168.30.0/24 --- 1.1.1.1 --- 2.2.2.2 --- 192.168.20.0/24 --- 2.2.2.2
> --- 3.3.3.3 --- 192.168.25.0/24
> Where 1.1.1.1, 2.2.2.2, and 3.3.3.3 are the public ip addresses of the
> three sites
>
> I have successfully got the VPNs working between the two satellite
> sites and the main site but I can't figure out how to route traffic from
> one satellite site to the other.

You can't 'route' the traffic. You must add additional IPSEC tunnels to tunnel the forwarded traffic between your firewall and the remote gateways.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Alan Madill wrote:
>> Hi,
>>
>> I want to connect two satellite offices to a main office using
>> openswan and ipsec vpn.
>> SatSite1 --- Main --- SatSite2
>> 192.168.30.0/24 --- 1.1.1.1 --- 2.2.2.2 --- 192.168.20.0/24 ---
>> 2.2.2.2 --- 3.3.3.3 --- 192.168.25.0/24
>> Where 1.1.1.1, 2.2.2.2, and 3.3.3.3 are the public ip addresses of the
>> three sites
>>
>> I have successfully got the VPNs working between the two satellite
>> sites and the main site but I can't figure out how to route traffic
>> from one satellite site to the other.
>
> You can't 'route' the traffic. You must add additional IPSEC tunnels to
> tunnel the forwarded traffic between your firewall and the remote gateways.

Actually, that is a bit misleading. You only need one 'tunnel' from each site but you need additional SPD entries that make the site-to-site traffic go through the tunnel. I know how to do that using ipsec-tools and Racoon but not with openswan.

-Tom
Tom Eastep wrote:
> Tom Eastep wrote:
>> Alan Madill wrote:
>>> Hi,
>>>
>>> I want to connect two satellite offices to a main office using
>>> openswan and ipsec vpn.
>>> SatSite1 --- Main --- SatSite2
>>> 192.168.30.0/24 --- 1.1.1.1 --- 2.2.2.2 --- 192.168.20.0/24 ---
>>> 2.2.2.2 --- 3.3.3.3 --- 192.168.25.0/24
>>> Where 1.1.1.1, 2.2.2.2, and 3.3.3.3 are the public ip addresses of
>>> the three sites
>>>
>>> I have successfully got the VPNs working between the two
>>> satellite sites and the main site but I can't figure out how to
>>> route traffic from one satellite site to the other.
>>
>> You can't 'route' the traffic. You must add additional IPSEC tunnels
>> to tunnel the forwarded traffic between your firewall and the remote
>> gateways.
>
> Actually, that is a bit misleading. You only need one 'tunnel' from
> each site but you need additional SPD entries that make the
> site-to-site traffic go through the tunnel. I know how to do that
> using ipsec-tools and Racoon but not with openswan.

The lack of actual interfaces confuses me a bit. :-) What would the SPD entries look like? I should be able to RTM and do the same with openswan if I have an idea of what I'm trying to do.

Are there any special considerations for shorewall in adding the additional traffic?

Thanks
Alan Madill wrote:
>
> Tom Eastep wrote:
>> Tom Eastep wrote:
>>> Alan Madill wrote:
>>>> Hi,
>>>>
>>>> I want to connect two satellite offices to a main office using
>>>> openswan and ipsec vpn.
>>>> SatSite1 --- Main --- SatSite2
>>>> 192.168.30.0/24 --- 1.1.1.1 --- 2.2.2.2 --- 192.168.20.0/24 ---
>>>> 2.2.2.2 --- 3.3.3.3 --- 192.168.25.0/24
>>>> Where 1.1.1.1, 2.2.2.2, and 3.3.3.3 are the public ip addresses of
>>>> the three sites
>>>>
>>>> I have successfully got the VPNs working between the two
>>>> satellite sites and the main site but I can't figure out how to
>>>> route traffic from one satellite site to the other.
>>> You can't 'route' the traffic. You must add additional IPSEC tunnels
>>> to tunnel the forwarded traffic between your firewall and the remote
>>> gateways.
>> Actually, that is a bit misleading. You only need one 'tunnel' from
>> each site but you need additional SPD entries that make the
>> site-to-site traffic go through the tunnel. I know how to do that
>> using ipsec-tools and Racoon but not with openswan.
>
> The lack of actual interfaces confuses me a bit. :-) What would the SPD
> entries look like? I should be able to RTM and do the same with
> openswan if I have an idea of what I'm trying to do.

OpenSwan's history is in the days when each IPSEC tunnel had its own interface. Consequently, I think that people who try to use OpenSwan with PF_KEY tend to be confused before they even start. My $.02us

You need four additional SPD entries:

Traffic from site1->site2 use tunnel from site1 to fw
Traffic from site1->site2 use tunnel from fw to site2
Traffic from site2->site1 use tunnel from site2 to fw
Traffic from site2->site1 use tunnel from fw to site1

> Are there any special considerations for shorewall in adding the
> additional traffic?

Assuming that you already have site1 and site2 zones, just have ACCEPT policies for site1<->site2.

-Tom
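The four entries Tom lists, spelled out in the setkey syntax of ipsec-tools (the tool he names) for the topology in Alan's diagram. This is an added example, not from the thread and not Shorewall's or openswan's code. It assumes ESP in tunnel mode at the "require" level, that racoon is the keying daemon at each site, and that the existing site<->Main policies (192.168.30.0/24<->192.168.20.0/24 and 192.168.25.0/24<->192.168.20.0/24) are already loaded. Main (2.2.2.2) is the "fw" in Tom's list.

```conf
# Added example (not from the thread): the four extra SPD entries on the
# Main gateway 2.2.2.2, as a setkey policy file. Load with "setkey -f FILE".
# Assumptions: ESP, tunnel mode, level "require", racoon does the keying.

# site1 -> site2, first leg: arrives from site1 inside the site1->fw tunnel
spdadd 192.168.30.0/24 192.168.25.0/24 any -P in  ipsec esp/tunnel/1.1.1.1-2.2.2.2/require;
# site1 -> site2, second leg: leaves again inside the fw->site2 tunnel
spdadd 192.168.30.0/24 192.168.25.0/24 any -P out ipsec esp/tunnel/2.2.2.2-3.3.3.3/require;
# site2 -> site1, first leg: arrives inside the site2->fw tunnel
spdadd 192.168.25.0/24 192.168.30.0/24 any -P in  ipsec esp/tunnel/3.3.3.3-2.2.2.2/require;
# site2 -> site1, second leg: leaves inside the fw->site1 tunnel
spdadd 192.168.25.0/24 192.168.30.0/24 any -P out ipsec esp/tunnel/2.2.2.2-1.1.1.1/require;

# Each spoke needs the mirror image, so its kernel knows that packets for the
# other spoke must go into its (only) tunnel to Main rather than out in the clear.
# On SatSite1 (1.1.1.1):
spdadd 192.168.30.0/24 192.168.25.0/24 any -P out ipsec esp/tunnel/1.1.1.1-2.2.2.2/require;
spdadd 192.168.25.0/24 192.168.30.0/24 any -P in  ipsec esp/tunnel/2.2.2.2-1.1.1.1/require;
# On SatSite2 (3.3.3.3):
spdadd 192.168.25.0/24 192.168.30.0/24 any -P out ipsec esp/tunnel/3.3.3.3-2.2.2.2/require;
spdadd 192.168.30.0/24 192.168.25.0/24 any -P in  ipsec esp/tunnel/2.2.2.2-3.3.3.3/require;
```

Two things to check after loading. On Linux, setkey installs a matching "fwd" policy next to each "in" policy; `setkey -DP` (or `ip xfrm policy`) should show in, fwd and out entries for each spoke-to-spoke pair on Main, and it is the fwd entry that lets Main forward the decapsulated packet instead of only accepting it for itself, so IP forwarding must be on and the firewall must allow vpn->vpn. No ordinary route is involved: the SPD selector is what steers the packet, which is also why the `ip route add ... via 192.168.20.254` in the original post was refused (that next hop is not on a directly connected link of the SatSite1 router). Note the trust consequence: spoke-to-spoke traffic is decrypted and re-encrypted on Main, so Main sees it in the clear and its firewall policy is the only thing deciding which spokes may talk to each other.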
Tom Eastep wrote:
>
> You need four additional SPD entries:
>
> Traffic from site1->site2 use tunnel from site1 to fw
> Traffic from site1->site2 use tunnel from fw to site2
> Traffic from site2->site1 use tunnel from site2 to fw
> Traffic from site2->site1 use tunnel from fw to site1
>

But note that if you are clever, you should be able to handle an unlimited number of sites with just four policies.

-Tom
Tom Eastep wrote:
>> You need four additional SPD entries:
>>
>> Traffic from site1->site2 use tunnel from site1 to fw
>> Traffic from site1->site2 use tunnel from fw to site2
>> Traffic from site2->site1 use tunnel from site2 to fw
>> Traffic from site2->site1 use tunnel from fw to site1
>>
>
> But note that if you are clever, you should be able to handle an
> unlimited number of sites with just four policies.

I believe a common trick is to configure each remote site to use, not just the hub's local subnet, but a whole block, as the target of the VPN tunnel. Eg:

site1 -> hub target 192.168.0.0/16
site2 -> hub target 192.168.0.0/16
hub -> site1 target 192.168.25.0/24
etc

That way, there is only one 'rule' at site 1 which sends all traffic (except its own local subnet) for the 192.168.0.0/16 block to the hub. The hub then re-distributes the traffic as required. It's easily scalable as you don't need to modify any sites (apart from the hub) as you add or remove other sites.

Obviously, the two ends of each tunnel have to match.

Apologies for the 'vague' terminology, but I've only done this with 'appliance' routers from manufacturers that use their own versions of the dictionary!
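The supernet trick just described, written out for the original poster's openswan setup. This is an added example; it is not code from the thread, from openswan or from Shorewall. The addresses are the ones in Alan's diagram; the conn names, pre-shared-key authentication (authby=secret) and the use of a %default section for the hub's shared settings are assumptions. Each "file:" comment starts a separate /etc/ipsec.conf.

```conf
# Added example (not from the thread): hub-and-spoke openswan config where
# every spoke's tunnel to Main carries the whole 192.168.0.0/16 block, so
# adding a site only touches Main. Assumptions: PSK auth, conn names below.

# file: /etc/ipsec.conf on Main (hub), public address 2.2.2.2
conn %default
    left=2.2.2.2
    leftsubnet=192.168.0.0/16      # hub side of every tunnel is the whole block
    authby=secret
    auto=start

conn hub-site1
    right=1.1.1.1
    rightsubnet=192.168.30.0/24    # only this spoke's LAN

conn hub-site2
    right=3.3.3.3
    rightsubnet=192.168.25.0/24

# A new site is one more conn here plus a matching PSK in ipsec.secrets;
# the existing spokes are not touched.

# file: /etc/ipsec.conf on SatSite1 (spoke), public address 1.1.1.1
conn site1-hub
    left=1.1.1.1
    leftsubnet=192.168.30.0/24
    right=2.2.2.2
    rightsubnet=192.168.0.0/16     # must equal the hub's leftsubnet exactly
    authby=secret
    auto=start

# file: /etc/ipsec.conf on SatSite2 (spoke), public address 3.3.3.3
conn site2-hub
    left=3.3.3.3
    leftsubnet=192.168.25.0/24
    right=2.2.2.2
    rightsubnet=192.168.0.0/16
    authby=secret
    auto=start
```

With this, a packet from 192.168.30.x to 192.168.25.y matches the spoke's single outbound policy (src 192.168.30.0/24, dst 192.168.0.0/16), is decrypted on Main, forwarded, and matches Main's outbound policy for 192.168.25.0/24 into the second tunnel; `ipsec auto --status` on each gateway and `ip xfrm policy` on a NETKEY kernel show the installed selectors. Two caveats. First, the spoke policy also matches traffic the spoke gateway itself sends to its own LAN (source 192.168.30.254, destination inside 192.168.30.0/24 is inside the /16), so check `ip xfrm policy` on the spoke; openswan's passthrough conn type (type=passthrough, authby=never) is the documented way to exempt the local LAN if that traffic gets pulled into the tunnel. Second, every spoke can now reach every other spoke through Main, so Main's firewall policy (Shorewall's vpn<->vpn policy, or separate zones per site) is where you decide which sites may actually talk.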
Tom Eastep wrote:
> Alan Madill wrote:
>>
>> Tom Eastep wrote:
>>> Tom Eastep wrote:
>>>> Alan Madill wrote:
>>>>> Hi,
>>>>>
>>>>> I want to connect two satellite offices to a main office using
>>>>> openswan and ipsec vpn.
>>>>> SatSite1 --- Main --- SatSite2
>>>>> 192.168.30.0/24 --- 1.1.1.1 --- 2.2.2.2 --- 192.168.20.0/24 ---
>>>>> 2.2.2.2 --- 3.3.3.3 --- 192.168.25.0/24
>>>>> Where 1.1.1.1, 2.2.2.2, and 3.3.3.3 are the public ip addresses of
>>>>> the three sites
>>>>>
>>>>> I have successfully got the VPNs working between the two
>>>>> satellite sites and the main site but I can't figure out how to
>>>>> route traffic from one satellite site to the other.
>>>> You can't 'route' the traffic. You must add additional IPSEC
>>>> tunnels to tunnel the forwarded traffic between your firewall and
>>>> the remote gateways.
>>> Actually, that is a bit misleading. You only need one 'tunnel' from
>>> each site but you need additional SPD entries that make the
>>> site-to-site traffic go through the tunnel. I know how to do that
>>> using ipsec-tools and Racoon but not with openswan.
>>
>> The lack of actual interfaces confuses me a bit. :-) What would the
>> SPD entries look like? I should be able to RTM and do the same with
>> openswan if I have an idea of what I'm trying to do.
>
> OpenSwan's history is in the days when each IPSEC tunnel had its own
> interface. Consequently, I think that people who try to use OpenSwan
> with PF_KEY tend to be confused before they even start. My $.02us
>
> You need four additional SPD entries:
>
> Traffic from site1->site2 use tunnel from site1 to fw
> Traffic from site1->site2 use tunnel from fw to site2
> Traffic from site2->site1 use tunnel from site2 to fw
> Traffic from site2->site1 use tunnel from fw to site1
>

This thread on the openswan list should be helpful.

http://lists.openswan.org/pipermail/users/2008-March/014288.html

>>
>> Are there any special considerations for shorewall in adding the
>> additional traffic?
>
> Assuming that you already have site1 and site2 zones, just have ACCEPT
> policies for site1<->site2.

As it is now I just have one zone named vpn with both sites in it. Do I need to set up separate zones or will a policy like

vpn vpn ACCEPT

work?

>
> -Tom
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
Alan Madill wrote:
>
> As it is now I just have one zone named vpn with both sites in it. Do I
> need to set up separate zones or will a policy like
> vpn vpn ACCEPT
> work?

That's the default -- you need do nothing.

-Tom