Date:      Fri, 26 Oct 2007 11:45:00 -0400
From:      "Brian A Seklecki (Mobile)" <bseklecki@collaborativefusion.com>
To:        Victor Sudakov <sudakov@sibptus.tomsk.ru>
Cc:        User Questions <freebsd-questions@freebsd.org>
Subject:   Re: IPSec SPD
Message-ID:  <1193413500.2919.30.camel@ingress.pitbpa0.priv.collaborativefusion.com>
In-Reply-To: <20071026095508.GA60816@admin.sibptus.tomsk.ru>
References:  <20071026095508.GA60816@admin.sibptus.tomsk.ru>

On Fri, 2007-10-26 at 16:55 +0700, Victor Sudakov wrote:
> Colleagues, 
> 
> Suppose our remote office uses the 10.1.1.0/24 network, and the whole
> company uses the 10.0.0.0/8 network.
> 
> How do we set up the SPD entries to encrypt traffic to the
> headquarters and back?
> 

I do hub and spoke config just like this using OpenBSD and Cisco VPN3k
using /24s at the edge and /16s at the core.  All works well.  Better
than full mesh.

I just ran into a small bug with the new IPsec stack in OpenBSD where I
had to have a "null" policy -- otherwise traffic with destination routes
for the locally connected /24 would accidentally be fwd'd across the
tunnel (because ipsec tunnel evaluation happens earlier in ip_output(),
which is non-standard).

~BAS

> spdadd 10.0.0.0/8 10.1.1.0/24
> ...
> spdadd 10.1.1.0/24 10.0.0.0/8
> ...
> 
> is not a good idea, is it? 
> 
> Thanks in advance for any input.
> 
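The overlap problem behind the question and the "null" policy in the reply, as an added worked example that is not part of the thread: the office /24 is nested inside the company /8, so a plain pair of office/company SPD entries also matches office-to-office traffic unless a more specific bypass entry exists. It models SPD selection as most-specific-match (an assumption; the real FreeBSD and OpenBSD lookup ordering rules differ) and renders setkey(8) lines with placeholder gateway names.

```python
"""Constructed model of the hub-and-spoke SPD discussed in the thread.

Office = 10.1.1.0/24, company = 10.0.0.0/8, so the office prefix is nested in
the company prefix.  Selection here is most-specific-match (src + dst prefix
length); this is an assumed simplification of the kernel SPD lookup.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

OFFICE_GW, HQ_GW = "OFFICE_GW", "HQ_GW"   # placeholders, not values from the thread


@dataclass(frozen=True)
class Policy:
    src: IPv4Network
    dst: IPv4Network
    direction: str   # "out" or "in"
    action: str      # "ipsec" (tunnel to the hub) or "none" (bypass, send in clear)

    def specificity(self) -> int:
        return self.src.prefixlen + self.dst.prefixlen

    def setkey(self) -> str:
        """Render this entry as a setkey(8) spdadd line."""
        if self.action == "none":
            pol = "none"
        else:
            gws = f"{OFFICE_GW}-{HQ_GW}" if self.direction == "out" else f"{HQ_GW}-{OFFICE_GW}"
            pol = f"ipsec esp/tunnel/{gws}/require"
        return f"spdadd {self.src} {self.dst} any -P {self.direction} {pol};"


OFFICE, COMPANY = IPv4Network("10.1.1.0/24"), IPv4Network("10.0.0.0/8")

# The two entries the question proposes: tunnel everything office <-> company.
TUNNEL_ONLY = [Policy(OFFICE, COMPANY, "out", "ipsec"),
               Policy(COMPANY, OFFICE, "in", "ipsec")]
# Same, plus the "null" policy from the reply so office <-> office stays local.
WITH_BYPASS = [Policy(OFFICE, OFFICE, "out", "none"),
               Policy(OFFICE, OFFICE, "in", "none")] + TUNNEL_ONLY


def lookup(spd, src, dst, direction="out"):
    """Action of the most specific matching policy ('none' when nothing matches)."""
    s, d = IPv4Address(src), IPv4Address(dst)
    hits = [p for p in spd if p.direction == direction and s in p.src and d in p.dst]
    return max(hits, key=Policy.specificity).action if hits else "none"


if __name__ == "__main__":
    for name, spd in (("tunnel only", TUNNEL_ONLY), ("with bypass", WITH_BYPASS)):
        print(f"{name}: 10.1.1.5->10.1.1.9 {lookup(spd, '10.1.1.5', '10.1.1.9')}, "
              f"10.1.1.5->10.2.3.4 {lookup(spd, '10.1.1.5', '10.2.3.4')}")
    print("\n".join(p.setkey() for p in WITH_BYPASS))
```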