Date: Wed, 25 May 2011 20:57:32 -0500
From: jhall@socket.net
To: remko@elvandar.org
Cc: freebsd-net@freebsd.org
Subject: Re: Re: IPSec Routing
Message-ID: <20110526015733.82B711065677@hub.freebsd.org>
References: <20110522120030.4B70510656D2@hub.freebsd.org> <20110522143107.7520F106566C@hub.freebsd.org> <F210C073-09D4-453E-A649-5AE2AA18A9A1@elvandar.org>
----------------------------------------------------
From : Remko Lodder <remko@elvandar.org>
To : jhall@socket.net
Subject : Re: IPSec Routing
Date : Sun, 22 May 2011 21:12:24 +0200

> Basically what happens is that an IPSEC tunnel looks like this
>
> Internal_A -->> Internal FW A [ FW A] External FWA ---->>> [Internet] <<<---- External FWB [FW B] Internal FW B <<-- Internal_B
> External FWA [ ------------ TUNNEL ---------] External FWB [also called Phase1]
> Internal_A [------------------------------------------------------------------- TUNNEL ----------------------------------------------------------] Internal_B [Also called phase2]
>
> The external FW's talk to each other and make a secure pipe. The internal networks / hosts use the secure pipe to route traffic
> between them. So basically the first TUNNEL line is a big pipe, and the second TUNNEL line is packets WITHIN that first tunnel line.. (complex?)
>
> Comment:
>
> A connection is set up between the external FWA and External FWB, so that you have a secure pipe between the firewalls
> to exchange data.
>
> In some cases you talk to the external IP and it gets processed there and onwards.
>
> In other cases [more likely], you set up a secondary tunnel (phase2) which enables you to talk to internal hosts on the other end.
> An IPSEC session is never established between internal IP ranges (if flowing over the internet, of course within the network itself
> it is entirely possible).
>
> The IPSEC session _does_ allow you to route and send traffic to an internal IP address over the tunnel though.
>
> If you can shed some more light on what you mean I might be able to help. I have set up 1000s of tunnels between mostly commercial
> grade firewalls but I might assist in getting a bit further.

Thank you to everyone for their help. The connection is now up and running.

Our vendor had an incorrect entry in their route table.

Jay
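As an added illustration, not part of the thread and not taken from either poster, here is a small Python model of the two layers Remko describes: the phase 1 pipe between the two external firewall addresses, and the phase 2 selectors that decide which internal traffic is carried inside it. It also shows the failure mode Jay's fix points at: if one side lacks the route that steers the remote internal subnet into the tunnel, the return traffic leaves in the clear via the default route and the connection never works, even though phase 1 is up. All addresses are constructed RFC 5737 documentation values, the interface names "lan", "tunnel" and "isp" are hypothetical, and the route-based behaviour (route first, then phase 2 selector check) is an assumption about a generic firewall, not a description of the vendor's device.

```python
"""Model of a two-level IPsec tunnel: phase 1 between external firewall
addresses, phase 2 selectors for the internal subnets carried inside it.

All addresses and interface names are constructed for the example."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    via: str  # hypothetical egress name: "lan", "tunnel" or "isp"


@dataclass(frozen=True)
class Phase2:
    """One phase 2 selector pair (inner src/dst) allowed through the pipe."""
    src: IPv4Network
    dst: IPv4Network


@dataclass(frozen=True)
class Firewall:
    name: str
    external: IPv4Address       # this side's phase 1 endpoint
    peer_external: IPv4Address  # the other side's phase 1 endpoint
    routes: tuple               # tuple[Route, ...]
    phase2: tuple               # tuple[Phase2, ...]


def lookup_route(routes, dst):
    """Longest-prefix match over the route table, as a kernel FIB would do."""
    dst = ip_address(dst)
    candidates = [r for r in routes if dst in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)


def forward(fw, src, dst):
    """Decide what firewall `fw` does with a packet src -> dst leaving through it.

    Returns a dict: 'via' is the egress ("tunnel", "isp", "lan" or None when
    dropped). Tunnelled traffic also carries 'outer' (the ESP header, i.e.
    the phase 1 endpoints) and 'inner' (the original addresses, which must
    fall inside a phase 2 selector)."""
    route = lookup_route(fw.routes, dst)
    if route is None:
        return {"via": None, "reason": "no route"}
    if route.via != "tunnel":
        # Not steered into the pipe: forwarded in the clear to that egress.
        return {"via": route.via, "inner": (src, dst)}
    s, d = ip_address(src), ip_address(dst)
    selector = next((p for p in fw.phase2 if s in p.src and d in p.dst), None)
    if selector is None:
        return {"via": None, "reason": "no phase 2 selector matches"}
    return {
        "via": "tunnel",
        "outer": (str(fw.external), str(fw.peer_external)),
        "inner": (src, dst),
    }


def round_trip(fw_a, fw_b, host_a, host_b):
    """A connection only works if both directions are carried by the tunnel."""
    out = forward(fw_a, host_a, host_b)
    back = forward(fw_b, host_b, host_a)
    return out, back, out["via"] == "tunnel" and back["via"] == "tunnel"


# Constructed topology (documentation prefixes, not real networks).
INTERNAL_A = ip_network("192.0.2.0/24")
INTERNAL_B = ip_network("198.51.100.0/24")
EXT_A = ip_address("203.0.113.1")
EXT_B = ip_address("203.0.113.2")
DEFAULT = Route(ip_network("0.0.0.0/0"), "isp")

FW_A = Firewall("FW A", EXT_A, EXT_B,
                routes=(Route(INTERNAL_A, "lan"), Route(INTERNAL_B, "tunnel"), DEFAULT),
                phase2=(Phase2(INTERNAL_A, INTERNAL_B),))

# Correct far side: Internal_A is routed into the tunnel.
FW_B_GOOD = Firewall("FW B", EXT_B, EXT_A,
                     routes=(Route(INTERNAL_B, "lan"), Route(INTERNAL_A, "tunnel"), DEFAULT),
                     phase2=(Phase2(INTERNAL_B, INTERNAL_A),))

# Misconfigured far side (constructed): the route for Internal_A is missing,
# so replies fall through to the default route and bypass the tunnel.
FW_B_BAD = Firewall("FW B", EXT_B, EXT_A,
                    routes=(Route(INTERNAL_B, "lan"), DEFAULT),
                    phase2=(Phase2(INTERNAL_B, INTERNAL_A),))

if __name__ == "__main__":
    for label, fw_b in (("good", FW_B_GOOD), ("bad", FW_B_BAD)):
        out, back, ok = round_trip(FW_A, fw_b, "192.0.2.10", "198.51.100.20")
        print(label, "A->B:", out, "B->A:", back, "works:", ok)
```

Running it prints that the "good" pair carries both directions inside ESP between 203.0.113.1 and 203.0.113.2, while the "bad" pair sends the reply out via "isp", which is the asymmetric-route symptom to look for when phase 1 shows as established but hosts cannot reach each other.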