Koozali.org: home of the SME Server
Legacy Forums => Experienced User Forum => Topic started by: Lazo on May 08, 2002, 09:39:12 PM
-
I have read that freeswan works between two e-smith servers, but could it be modified to work between four e-smith!!
The idea is to connect all the remote offices to ours, the main office and the three remote ones. Could this be done, or do I have to look forward to a hardware solution?
Thanks
-
Lazo wrote:
>
> I have read that freeswan works between two e-smith servers,
> but could it be modified to work between four e-smith!!
>
> The Idea is to connect all the remote offices to ours, the
> main office and the three remote ones, could this be done or
> I have to look forward to a hardware solution?
>
> Thanks
This is a better question for the FreeS/WAN list, but here's my 2 cents.
From a FreeS/WAN config standpoint (I use it on a separate firewall, not with SME as a gateway) the typical way to do this is to create a web of connections between each site that needs to talk. It's not as bad a maintenance nightmare as you would expect since all 4 servers can have the same ipsec.conf listing all connections. You might need to comment out the auto= lines for the connections that don't apply on each box, but I don't think so.
To do the spokes to a hub model, I've read of a bug/feature you can take advantage of by defining the spokes as subnets of the hub. For example:
hub network defined in ipsec.conf as 192.168.0.0/16 and the spokes as 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24, etc. This is supposed to fool it so the routing works, but that is not what it is intended to do.
The VPN links are not like hardwire connections where you just need to set up the proper routing. As I understand it, you shouldn't be able to route from one spoke thru the hub to another over the VPN tunnels.
All that said, I have never tried it, but there have been discussions of doing the hub/spoke on the FreeS/WAN list. I personally manage all the ipsec.conf files centrally and distribute them via scp when updates are needed.
- Todd
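Added example (not Todd's own file): a full-mesh ipsec.conf for four sites along the lines he describes, one identical copy on every gateway. It assumes FreeS/WAN 1.x syntax, pre-shared keys, and constructed placeholder addresses; the per-site nexthop settings depend on each site's upstream router and are left out.

```ini
# /etc/ipsec.conf (FreeS/WAN 1.x) - one identical copy on all four gateways.
# Public and LAN addresses below are constructed placeholders.
config setup
        interfaces=%defaultroute
        plutoload=%search
        plutostart=%search
        uniqueids=yes

conn %default
        # one PSK per site pair lives in /etc/ipsec.secrets on both ends
        authby=secret
        keyingtries=0
        # each box brings up only the conns where left or right is its own address
        auto=start

# site A (main) 203.0.113.10  LAN 192.168.1.0/24
# site B        198.51.100.20 LAN 192.168.2.0/24
# site C        198.51.100.30 LAN 192.168.3.0/24
# site D        198.51.100.40 LAN 192.168.4.0/24
conn a-b
        left=203.0.113.10
        leftsubnet=192.168.1.0/24
        right=198.51.100.20
        rightsubnet=192.168.2.0/24
conn a-c
        left=203.0.113.10
        leftsubnet=192.168.1.0/24
        right=198.51.100.30
        rightsubnet=192.168.3.0/24
conn a-d
        left=203.0.113.10
        leftsubnet=192.168.1.0/24
        right=198.51.100.40
        rightsubnet=192.168.4.0/24
conn b-c
        left=198.51.100.20
        leftsubnet=192.168.2.0/24
        right=198.51.100.30
        rightsubnet=192.168.3.0/24
conn b-d
        left=198.51.100.20
        leftsubnet=192.168.2.0/24
        right=198.51.100.40
        rightsubnet=192.168.4.0/24
conn c-d
        left=198.51.100.30
        leftsubnet=192.168.3.0/24
        right=198.51.100.40
        rightsubnet=192.168.4.0/24
```

Pluto matches each conn to a local interface via left/right, so the same file works on every box; a conn where neither end is local is rejected at load time with a logged error rather than stopping the others. Every LAN must be a distinct subnet, otherwise the leftsubnet/rightsubnet selectors overlap and the tunnels will not route.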
-
You could always purchase Service Link and have the Mitel NOC handle all the keys and setup for you. :)
Talk about hassle free!!!!
just my 2 cents as well.....
-
I have 4 locations all running SME server 5.0/5.1.2 with freeswan-1.91-05 and dmc-mitel-freeswan-0.4-10.
Each site has a dedicated IP into the Internet via SWBell DSL or Sprint T1.
I have had next to no problems for the last 6 months.
-
Perhaps you could post a link to your config files, maybe some screenshots of your IPSEC VPN entries in the server manager(s)? I'm wrestling with a recalcitrant VPN with only two participating networks, and while I'm not yet ready to cry "uncle!" and ask for help I'd sure welcome a look at a successful configuration!!!
-
Hi Steve,
Would you be able to post a howto with your sample configuration files for a 4 location setup?
-
I simply followed the how to on:
http://myezserver.com
Navigate to downloads > Mitel > contrib > freeswan-0.4
Each internal network must have a different internal subnet.
After you add a static route, you need to either reboot, or modify one of the VPN configs.
-
Well, I thought I *had* followed the howto, but I think I'm going to have to delete all my IPSEC config files & start from scratch. There's something gumming up the works somewhere, and I'm learning lots from poring over the "ipsec barf" output but I haven't found it yet.
-
http://216.191.234.125/bboard/read.php?v=t&f=3&i=16991&t=16991