From: "Brian A Seklecki (Mobile)" <bseklecki@collaborativefusion.com>
To: Victor Sudakov
Cc: User Questions <freebsd-questions@freebsd.org>
Subject: Re: IPSec SPD
Date: Fri, 26 Oct 2007 11:45:00 -0400
Message-Id: <1193413500.2919.30.camel@ingress.pitbpa0.priv.collaborativefusion.com>
In-Reply-To: <20071026095508.GA60816@admin.sibptus.tomsk.ru>

On Fri, 2007-10-26 at 16:55 +0700, Victor Sudakov wrote:
> Colleagues,
>
> Suppose our remote office uses the 10.1.1.0/24 network, and the whole
> company uses the 10.0.0.0/8 network.
>
> How do we set up the SPD entries to encrypt traffic to the
> headquarters and back?
>

I do a hub and spoke config just like this using OpenBSD and Cisco VPN3k,
using /24s at the edge and /16s at the core. All works well. Better than
full mesh.

I just ran into a small bug with the new IPsec stack in OpenBSD where I
had to have a "null" policy -- otherwise traffic with destination routes
for the locally connected /24 would accidentally be forwarded across the
tunnel (because IPsec tunnel evaluation happens earlier in ip_output(),
which is non-standard).

~BAS

> spdadd 10.0.0.0/8 10.1.1.0/24
> ...
> spdadd 10.1.1.0/24 10.0.0.0/8
> ...
>
> is not a good idea, is it?
>
> Thanks in advance for any input.
>
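The overlap Victor is worried about, and the "null" policy Brian mentions, can be shown with a small model of SPD selector matching. This is an added example, not code from the thread or from either BSD's kernel. It assumes first-match evaluation in the order the policies were added (how the KAME-derived SPD in FreeBSD behaves; confirm on your own box with `setkey -DP`), and the gateway addresses 203.0.113.1 and 198.51.100.1 are constructed placeholders from the documentation ranges. The `setkey` field on each policy is the spdadd line the model entry corresponds to, so the rendered config can be dropped into setkey.conf once the gateways are replaced.

```python
"""Model of IPsec SPD lookup for a branch /24 nested inside the company /8.

Added example, not from the thread. Assumes first-match in insertion
order (KAME-style SPD); gateway addresses are constructed placeholders.
"""
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple, Optional


class Policy(NamedTuple):
    src: str        # source selector (CIDR)
    dst: str        # destination selector (CIDR)
    direction: str  # "out" or "in"
    action: str     # "none" (bypass), "ipsec" (tunnel) or "discard"
    setkey: str     # equivalent setkey(8) spdadd line


BRANCH, COMPANY = "10.1.1.0/24", "10.0.0.0/8"
GW_BRANCH, GW_HQ = "203.0.113.1", "198.51.100.1"   # constructed placeholders


def tunnel(src: str, dst: str, direction: str) -> Policy:
    """ESP tunnel-mode policy between the two gateways, required."""
    gws = f"{GW_BRANCH}-{GW_HQ}" if direction == "out" else f"{GW_HQ}-{GW_BRANCH}"
    return Policy(src, dst, direction, "ipsec",
                  f"spdadd {src} {dst} any -P {direction} ipsec esp/tunnel/{gws}/require;")


def bypass(src: str, dst: str, direction: str) -> Policy:
    """The 'null' policy: matching traffic is left alone by IPsec."""
    return Policy(src, dst, direction, "none",
                  f"spdadd {src} {dst} any -P {direction} none;")


# Victor's proposal: only the two tunnel policies.
NAIVE_SPD: List[Policy] = [
    tunnel(BRANCH, COMPANY, "out"),
    tunnel(COMPANY, BRANCH, "in"),
]

# Same, but with bypass entries for the branch's own /24 placed FIRST so
# they win the first-match lookup over the broader tunnel selectors.
FIXED_SPD: List[Policy] = [
    bypass(BRANCH, BRANCH, "out"),
    bypass(BRANCH, BRANCH, "in"),
] + NAIVE_SPD


def lookup(spd: List[Policy], src: str, dst: str, direction: str) -> Optional[Policy]:
    """Return the first policy whose selectors cover (src, dst, direction)."""
    s, d = ip_address(src), ip_address(dst)
    for p in spd:
        if p.direction == direction and s in ip_network(p.src) and d in ip_network(p.dst):
            return p
    return None  # no SPD entry: packet is forwarded in the clear


def action_for(spd: List[Policy], src: str, dst: str, direction: str) -> str:
    p = lookup(spd, src, dst, direction)
    return p.action if p else "forward"


def render(spd: List[Policy]) -> str:
    """setkey.conf fragment in the order the kernel will consult it."""
    return "\n".join(p.setkey for p in spd)


if __name__ == "__main__":
    # Intra-office packet: 10.1.1.5 -> 10.1.1.7. Under the naive SPD the
    # 10.1.1.0/24 -> 10.0.0.0/8 selector matches it (the /24 is inside the /8)
    # and it would be pushed into the tunnel; the bypass entry prevents that.
    print("naive:", action_for(NAIVE_SPD, "10.1.1.5", "10.1.1.7", "out"))
    print("fixed:", action_for(FIXED_SPD, "10.1.1.5", "10.1.1.7", "out"))
    print("to HQ:", action_for(FIXED_SPD, "10.1.1.5", "10.2.3.4", "out"))
    print(render(FIXED_SPD))
```

The model ignores the per-packet upper-layer selector (`any` here) and the local-delivery shortcut a real stack takes for traffic to its own addresses, so it only shows the selector overlap; a `discard` entry ahead of the tunnel policies would be the conservative alternative to `none` if the branch should never talk to itself through the gateway.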