Date: Fri, 18 Aug 2006 19:01:58 +0100 From: Brian Candler <B.Candler@pobox.com> To: Remko Lodder <remko@FreeBSD.org> Cc: net@FreeBSD.org Subject: Re: Routing IPSEC packets? Message-ID: <20060818180158.GB931@uk.tiscali.com> In-Reply-To: <44E58F8B.5@FreeBSD.org> References: <44E58E9E.1030401@FreeBSD.org> <44E58F8B.5@FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, Aug 18, 2006 at 11:59:39AM +0200, Remko Lodder wrote:
> Ofcourse I should do the [1] trick:
>
> I want to do the following; I have three IPsec endpoints
> at this moment, one at home, one in my personal colo environment
> and one in another colo environment.
>
> The machine(s) in the personal colo environment are the point
> to where all the others connect to. So the other colo env
> connects to the personal colo environment, and my home also
> connects to the personal colo environment.
>
> I would like to be able to:
>
> Other colo -- ipsec tunnel -- personal colo -- ipsec -- home
>
> Have these communications possible, and ofcourse the other way
> around. In the event that another tunnel will be attaching,
> I would like to be able to route these packets to the other
> host as well (so that I can reach all the IPsec tunneled hosts
> from the IPsec network, from where-ever I will be, either road
> -warrior, or just at home, or at one of the colo machine's).
That's fine, you just have to set up your SA's properly. For example, if you
are using 10.* private addresses everywhere, then on the 'spoke' machines
you set up an SA that looks like
10.0.1.0/24 -> 10.0.0.0/8
(if 10.0.1.0/24 is the address range assigned to this particular client).
All other 10.* addresses will be routed down the tunnel.
Or, you can always set up multiple SAs. e.g. at the 'other colo' side you
could set up SAs for
10.0.1.0/24 -> 10.0.2.0/24
10.0.1.0/24 -> 10.0.3.0/24
both with a tunnel IP of the 'personal colo' server. Here, I'm assuming that
10.0.2.0/24 is the 'personal colo' space, and 10.0.3.0/24 is the 'home'
space.
Regards,
Brian.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060818180158.GB931>