Setting up a VPN Tunnel - NBM and Openswan Slaves
Novell Cool Solutions: Feature
By Gaurav Vaidya
Posted: 2 Dec 2004
Setting up a VPN Tunnel between an NBM3.8 VPN Slave and an Openswan VPN Slave
by Gaurav Vaidya, Senior Software Engineer
Note: Although this article describes tunnel setup with Openswan VPN, the same concept can be applied to any third-party VPN server.
Generally, Site-to-Site (S2S) VPN services have a peer-to-peer architecture. Novell BorderManager 3.8 VPN service is different from other VPN services in this regard. NBM3.8 S2S VPN has a Master-to-Slave relationship among VPN servers. The configuration for all VPN sites (called VPN Slaves) is done at the Master VPN server, and this information is transferred securely to all other VPN Slave servers. This results in a complete mesh of VPN Site-to-Site tunnels among all the VPN servers.
This requires that all VPN Slave servers "understand" the NBM3.8 VPN architecture. But a problem arises when the NBM3.8 VPN talks to a 3rd-party VPN server. For example, suppose two NBM3.8 VPN sites and an Openswan VPN site are all involved in the S2S VPN configuration. The Openswan VPN server would be able to talk to the NBM3.8 Master VPN server, but not to the NBM3.8 Slave VPN server (see Figure 1 below).
How can a VPN tunnel be set up between an NBM3.8 VPN Slave and a 3rd-party (Openswan) VPN Slave server?
Here's how to set up the site-to-site VPN:
Figure 1: Site to Site VPN between NBM3.8 Slave and Openswan
- Configure VPN Site to Site Service between the two NBM3.8 servers.
- Add a 3rd-party slave to the VPN Master (using Pre-Shared Key).
- Add the corresponding traffic rule for the slave.
Once this basic setup is ready, the status of tunnels among VPN servers would be as follows:
| Tunnel | Status |
|---|---|
| NBM3.8 VPN Master <--> NBM3.8 VPN Slave | Established |
| NBM3.8 VPN Master <--> Openswan Server | Established |
| NBM3.8 VPN Slave <--> Openswan Server | Not Established |
Two minor changes are required to configure the VPN tunnel between the NBM3.8 slave and the Openswan server:
- Add another IPsec connection for the NBM3.8 Slave server in Openswan. Modify the /etc/ipsec.conf file and the /etc/ipsec.secrets file for this purpose.
- Add another 3rd-party traffic rule on the NBM3.8 Master server, with protected networks of the Openswan server and the NBM Slave server. Keep the default encryption for this traffic rule (3DES -- MD5).
To complete the configuration,
- Bring up the IPsec connections from the Openswan server (ipsec auto --up) for both the Master and the Slave connections.
- Make sure that in the Members List of the Master VPN server all the protected networks are added properly.
After this, you'll have a full-mesh VPN tunnel configuration among the NBM3.8 Master, the NBM3.8 Slave, and the Openswan server.
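As an added example (not from the original article), here is what the Openswan side of the second change looks like: an /etc/ipsec.conf with one conn for the NBM3.8 Master and a second one for the NBM3.8 Slave, plus the matching /etc/ipsec.secrets entries. All addresses, subnets, connection names and key strings are constructed placeholders; replace them with your own values.

```conf
# /etc/ipsec.conf (Openswan side)
# Constructed addressing:
#   Openswan public IP 203.0.113.10,  protected net 192.168.10.0/24
#   NBM Master public IP 198.51.100.10, protected net 192.168.20.0/24
#   NBM Slave  public IP 198.51.100.20, protected net 192.168.30.0/24
config setup
    interfaces=%defaultroute

# Settings shared by both NBM connections.
# 3DES/MD5 matches the default NBM3.8 traffic rule used in the article;
# if the traffic rule is changed to a stronger suite, change it here too.
conn %default
    authby=secret
    keyexchange=ike
    ike=3des-md5
    esp=3des-md5
    left=203.0.113.10
    leftsubnet=192.168.10.0/24
    auto=add

# Existing connection to the NBM3.8 Master.
conn nbm-master
    right=198.51.100.10
    rightsubnet=192.168.20.0/24

# Added connection to the NBM3.8 Slave. This is the tunnel that was
# "Not Established" before the second 3rd-party traffic rule existed.
conn nbm-slave
    right=198.51.100.20
    rightsubnet=192.168.30.0/24

# /etc/ipsec.secrets (Openswan side), one PSK per peer.
# Keep this file readable by root only; the keys below are placeholders.
203.0.113.10 198.51.100.10 : PSK "REPLACE-WITH-MASTER-PSK"
203.0.113.10 198.51.100.20 : PSK "REPLACE-WITH-SLAVE-PSK"
```

After reloading the configuration, bring each tunnel up with `ipsec auto --up nbm-master` and `ipsec auto --up nbm-slave`, then confirm with `ipsec auto --status` that an SA exists for each connection. The PSK for the Slave connection must be the same one entered for the corresponding 3rd-party traffic rule on the NBM3.8 Master.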
Note: For more information on VPN configuration for NBM 3.8 and Openswan, see http://www.novell.com/coolsolutions/bordermag/features/a_vpn_openswan_appnote.html
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com