Date: Fri, 18 Aug 2006 19:01:58 +0100
From: Brian Candler <B.Candler@pobox.com>
To: Remko Lodder <remko@FreeBSD.org>
Cc: net@FreeBSD.org
Subject: Re: Routing IPSEC packets?
Message-ID: <20060818180158.GB931@uk.tiscali.com>
In-Reply-To: <44E58F8B.5@FreeBSD.org>
References: <44E58E9E.1030401@FreeBSD.org> <44E58F8B.5@FreeBSD.org>
On Fri, Aug 18, 2006 at 11:59:39AM +0200, Remko Lodder wrote:
> Of course I should do the [1] trick:
>
> I want to do the following; I have three IPsec endpoints
> at this moment, one at home, one in my personal colo environment
> and one in another colo environment.
>
> The machine(s) in the personal colo environment are the point
> to which all the others connect. So the other colo env
> connects to the personal colo environment, and my home also
> connects to the personal colo environment.
>
> I would like to be able to:
>
> Other colo -- ipsec tunnel -- personal colo -- ipsec -- home
>
> Have these communications possible, and of course the other way
> around. In the event that another tunnel will be attaching,
> I would like to be able to route these packets to the other
> host as well (so that I can reach all the IPsec tunneled hosts
> from the IPsec network, from wherever I will be, either
> road-warrior, or just at home, or at one of the colo machines).

That's fine, you just have to set up your SAs properly.

For example, if you are using 10.* private addresses everywhere, then on
the 'spoke' machines you set up an SA that looks like

    10.0.1.0/24 -> 10.0.0.0/8

(if 10.0.1.0/24 is the address range assigned to this particular client).
All other 10.* addresses will be routed down the tunnel.

Or, you can always set up multiple SAs. e.g. at the 'other colo' side you
could set up SAs for

    10.0.1.0/24 -> 10.0.2.0/24
    10.0.1.0/24 -> 10.0.3.0/24

both with a tunnel IP of the 'personal colo' server. Here, I'm assuming
that 10.0.2.0/24 is the 'personal colo' space, and 10.0.3.0/24 is the
'home' space.

Regards,

Brian.
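A concrete setkey(8) policy set for the hub-and-spoke layout Brian describes, added here as an illustration; it is not from the original thread and not either poster's configuration. It assumes the 'other colo' spoke is 10.0.1.0/24 behind public address 203.0.113.1, the 'personal colo' hub is 10.0.2.0/24 at 198.51.100.1, and home is 10.0.3.0/24 at 192.0.2.1 (all three public addresses are documentation-range placeholders). What Brian calls SAs are, in setkey terms, SPD entries (spdadd); the SAs themselves come from racoon or from manual `add` lines and are not shown.

```conf
# --- /etc/ipsec.conf on the 'other colo' spoke (10.0.1.0/24, public 203.0.113.1)
# Load with: setkey -f /etc/ipsec.conf
flush;
spdflush;

# Traffic that stays on the local /24 must not be tunnelled, and cleartext
# packets from LAN neighbours must not be rejected.  The /8 catch-all below
# matches both, so these 'none' entries come first: in the KAME-derived
# stack the SPD is searched in insertion order and the first match wins,
# not the longest prefix (my understanding; confirm with 'setkey -DP').
spdadd 10.0.1.0/24 10.0.1.0/24 any -P out none;
spdadd 10.0.1.0/24 10.0.1.0/24 any -P in  none;

# Brian's first option: one selector pair covering all of 10/8, so every
# other site is reached through the single tunnel to the hub.
spdadd 10.0.1.0/24 10.0.0.0/8 any -P out ipsec esp/tunnel/203.0.113.1-198.51.100.1/require;
spdadd 10.0.0.0/8 10.0.1.0/24 any -P in  ipsec esp/tunnel/198.51.100.1-203.0.113.1/require;


# --- /etc/ipsec.conf on the 'personal colo' hub (10.0.2.0/24, public 198.51.100.1)
# Needs sysctl net.inet.ip.forwarding=1 so decapsulated packets are forwarded.
flush;
spdflush;

# One tunnel per spoke.  The /8 on the hub-facing side of each pair is what
# lets a packet decapsulated from one spoke be re-encapsulated toward the
# other, so 10.0.1.x <-> 10.0.3.x works with no entry naming both spokes.
# The two 'out' entries do not overlap (different destination /24s), and
# neither matches the hub's own 10.0.2.0/24 -> 10.0.2.0/24 traffic, so no
# 'none' exceptions are needed here.
spdadd 10.0.0.0/8 10.0.1.0/24 any -P out ipsec esp/tunnel/198.51.100.1-203.0.113.1/require;
spdadd 10.0.1.0/24 10.0.0.0/8 any -P in  ipsec esp/tunnel/203.0.113.1-198.51.100.1/require;

spdadd 10.0.0.0/8 10.0.3.0/24 any -P out ipsec esp/tunnel/198.51.100.1-192.0.2.1/require;
spdadd 10.0.3.0/24 10.0.0.0/8 any -P in  ipsec esp/tunnel/192.0.2.1-198.51.100.1/require;
```

Two things worth checking after loading this. First, the `in ... require` entries are the security half of the configuration: a cleartext packet arriving on the public interface with a 10.x source that matches one of them is discarded rather than accepted, so the selectors double as a spoof filter for the private space. Second, if racoon negotiates phase 2 rather than SAs being added manually, the selectors it proposes must agree with these entries, which means the hub's racoon configuration has to accept the /8 on the spoke-facing side; a mismatch shows up as phase 2 failing while phase 1 succeeds.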
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060818180158.GB931>