Date:      Wed, 25 May 2011 20:57:32 -0500
From:      jhall@socket.net
To:        remko@elvandar.org
Cc:        freebsd-net@freebsd.org
Subject:   Re: Re: IPSec Routing 
Message-ID:  <20110526015733.82B711065677@hub.freebsd.org>
References:  <20110522120030.4B70510656D2@hub.freebsd.org> <20110522143107.7520F106566C@hub.freebsd.org> <F210C073-09D4-453E-A649-5AE2AA18A9A1@elvandar.org>


----------------------------------------------------
From : Remko Lodder <remko@elvandar.org>
To : jhall@socket.net
Subject : Re: IPSec Routing 
Date : Sun, 22 May 2011 21:12:24 +0200

> 
> Basically what happens is that an IPSEC tunnel looks like this
> 
> 
> Internal_A -->> Internal FW A [ FW A ] External FWA ---->>> [Internet] <<<---- External FWB [ FW B ] Internal FW B <<-- Internal_B
> 
> External FWA [ ------------ TUNNEL ------------ ] External FWB   [also called Phase1]
> Internal_A [ ---------------------------------- TUNNEL ---------------------------------- ] Internal_B   [also called Phase2]
> 
> The external FWs talk to each other and make a secure pipe. The internal networks / hosts use the secure pipe to route traffic
> between them. So basically the first TUNNEL line is a big pipe, and the second TUNNEL line is packets WITHIN that first tunnel line. (complex?)
> 
> Comment:
> 
> A connection is set up between the external FWA and External FWB, so that you have a secure pipe between the firewalls
> to exchange data.
> 
> In some cases you talk to the external IP and it gets processed there and onwards.
> 
> In other cases [more likely], you set up a secondary tunnel (phase2) which enables you to talk to internal hosts on the other end.
> An IPSEC session is never established between internal IP ranges (if flowing over the internet; of course within the network itself
> it is entirely possible).
> 
> The IPSEC session _does_ allow you to route and send traffic to an internal IP address over the tunnel though.
> 
> If you can shed some more light on what you mean I might be able to help. I have set up 1000s of tunnels between mostly commercial
> grade firewalls but I might assist in getting a bit further.

Thank you to everyone for their help.  The connection is now up and 
running.  Our vendor had an incorrect entry in their route table. 



Jay



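The Phase1 / Phase2 split Remko describes above maps directly onto a FreeBSD security policy database. The following setkey(8) policy fragment is an added example written for this archive page, not a configuration posted in the thread or taken from any vendor; every address in it is constructed from the RFC 5737 documentation ranges, and the interface/host layout is assumed. It shows the point that matters in the thread: the Phase2 selectors are the internal ranges, while the tunnel endpoints are the external firewall addresses, and no IPsec session is ever negotiated between the internal ranges themselves.

```conf
# Added example (not from the thread): setkey(8) SPD entries loaded on FW A.
# Constructed addresses (RFC 5737 documentation space):
#   Internal_A   = 192.0.2.0/24       network behind FW A
#   Internal_B   = 198.51.100.0/24    network behind FW B
#   External FWA = 203.0.113.1        External FWB = 203.0.113.2
#
# Phase1 (IKE) runs only between 203.0.113.1 and 203.0.113.2 and is handled
# by the IKE daemon, not by these lines. Phase2 selectors are the INTERNAL
# ranges below; the internal addresses never appear as tunnel endpoints.

# Internal_A -> Internal_B: encapsulate in ESP tunnel 203.0.113.1 -> 203.0.113.2.
# "require" means the packet is dropped rather than sent in the clear if no
# matching SA exists yet.
spdadd 192.0.2.0/24 198.51.100.0/24 any -P out ipsec esp/tunnel/203.0.113.1-203.0.113.2/require;

# Internal_B -> Internal_A: return traffic must arrive through the reverse
# tunnel; clear-text packets claiming to be from 198.51.100.0/24 are rejected.
spdadd 198.51.100.0/24 192.0.2.0/24 any -P in ipsec esp/tunnel/203.0.113.2-203.0.113.1/require;
```

Load the file with `setkey -f <file>` (FreeBSD's rc.conf `ipsec_enable="YES"` does this from `ipsec_file`, conventionally /etc/ipsec.conf) and confirm the policies with `setkey -DP`. One check worth keeping in mind, given how this thread was resolved: the SPD is only consulted for packets the kernel actually forwards through FW A, so each side still needs an ordinary route for the far internal range pointing at its own gateway (`netstat -rn` shows it). If that route is missing or wrong, the Phase2 policy never matches and the tunnel looks "down" even though Phase1 is up.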
