From owner-freebsd-net@FreeBSD.ORG Fri Aug 18 11:30:13 2006
Date: Fri, 18 Aug 2006 11:27:04 +0000 (UTC)
From: "Bjoern A. Zeeb"
To: Remko Lodder
Cc: net@FreeBSD.org
Subject: Re: Routing IPSEC packets?
In-Reply-To: <44E58F8B.5@FreeBSD.org>
Message-ID: <20060818111809.H46402@maildrop.int.zabbadoz.net>
References: <44E58E9E.1030401@FreeBSD.org> <44E58F8B.5@FreeBSD.org>
On Fri, 18 Aug 2006, Remko Lodder wrote:

> I want to do the following; I have three IPsec endpoints
> at this moment, one at home, one in my personal colo environment
> and one in another colo environment.
>
> The machine(s) in the personal colo environment are the point
> to where all the others connect to. So the other colo env
> connects to the personal colo environment, and my home also
> connects to the personal colo environment.
>
> I would like to be able to:
>
> Other colo -- ipsec tunnel -- personal colo -- ipsec -- home

No, you really want to do:

            home
           /    \
      pcolo ------ ocolo

> Have these communications possible, and of course the other way
> around. In the event that another tunnel will be attaching,
> I would like to be able to route these packets to the other
> host as well (so that I can reach all the IPsec tunneled hosts
> from the IPsec network, from wherever I will be, either
> road-warrior, or just at home, or at one of the colo machines).

You do not "route" IPsec traffic. You define appropriate policies
and be done. You only need gif(4) if you really want to route and
use a link-state protocol.
You of course can do:

    home ---- pcolo ---- ocolo

that means policies (I'll leave the reverse direction to you):

home policies:
    from home to pcolo, tunnel endpoints home/pcolo
    from home to ocolo, tunnel endpoints home/pcolo

pcolo:
    from pcolo to home, tunnel endpoints pcolo/home
    from pcolo to ocolo, tunnel endpoints pcolo/ocolo
    from home to ocolo, tunnel endpoints pcolo/ocolo
    from ocolo to home, tunnel endpoints pcolo/home

ocolo:
    from ocolo to pcolo, tunnel endpoints ocolo/pcolo
    from ocolo to home, tunnel endpoints ocolo/pcolo

The only thing that needs to be routed somehow are the tunnel endpoints
but you usually have a default route on all of the boxes which would
be enough.

-- 
Bjoern A. Zeeb                                bzeeb at Zabbadoz dot NeT
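As an added example (not part of Bjoern's reply or of any FreeBSD code), the policy list above written out as a small Python generator that emits setkey(8) `spdadd` lines for each of the three boxes. It produces the outbound entries the reply lists and also the inbound (`-P in`) counterparts the reply leaves to the reader, and it applies the same rule to any hub-and-spoke layout: a spoke tunnels everything to the hub, and the hub carries both an inbound and an outbound policy for spoke-to-spoke flows so it re-encapsulates them towards the other spoke. The host names are the ones from the thread; the tunnel endpoint addresses and the protected subnets are constructed from RFC 5737 documentation ranges and are assumptions, not anyone's real networks.

```python
"""Emit setkey(8) SPD entries for the home / pcolo / ocolo layout.

Added example, not code from the thread. Host names follow the reply;
the tunnel endpoint addresses and protected subnets are constructed
from RFC 5737 documentation ranges and are assumptions.
"""
from itertools import permutations

# Constructed topology: host -> (public tunnel endpoint, protected subnet)
HOSTS = {
    "home":  ("192.0.2.10",   "10.1.0.0/24"),
    "pcolo": ("198.51.100.1", "10.2.0.0/24"),
    "ocolo": ("203.0.113.5",  "10.3.0.0/24"),
}
HUB = "pcolo"  # the box every other endpoint connects to


def path(src, dst):
    """Hosts a packet from src's subnet to dst's subnet passes through.
    Spoke-to-spoke traffic is tunnelled to the hub, which re-tunnels it."""
    if HUB in (src, dst):
        return [src, dst]
    return [src, HUB, dst]


def spd_entries(node):
    """setkey 'spdadd' lines for one box: an outbound policy for every
    flow it sends on (its own or forwarded) and an inbound policy for
    every flow that reaches it through a tunnel."""
    lines = []
    for src, dst in permutations(HOSTS, 2):
        route = path(src, dst)
        if node not in route:
            continue
        i = route.index(node)
        src_net, dst_net = HOSTS[src][1], HOSTS[dst][1]
        me = HOSTS[node][0]
        if i < len(route) - 1:            # node hands the packet on
            peer = HOSTS[route[i + 1]][0]
            lines.append(f"spdadd {src_net} {dst_net} any -P out ipsec "
                         f"esp/tunnel/{me}-{peer}/require;")
        if i > 0:                          # node received it from a tunnel
            peer = HOSTS[route[i - 1]][0]
            lines.append(f"spdadd {src_net} {dst_net} any -P in ipsec "
                         f"esp/tunnel/{peer}-{me}/require;")
    return lines


def setkey_script(node):
    """Complete input for 'setkey -f' on one box (flushes the old SPD first)."""
    return "spdflush;\n" + "\n".join(spd_entries(node)) + "\n"


def out_count(node):
    """Number of outbound policies; the hub carries the forwarded ones too."""
    return sum(1 for line in spd_entries(node) if " -P out " in line)


if __name__ == "__main__":
    for host in HOSTS:
        print(f"# --- {host} ---")
        print(setkey_script(host))
```

Each box gets its own script fed to `setkey -f`; with the `require` level, a packet matching a policy is dropped unless a matching SA exists, so the SAs still have to come from an IKE daemon (or manual `add` lines). Nothing here touches the routing table: the inner subnets never appear in any route, and, as the reply says, the only addresses that need ordinary reachability are the tunnel endpoints, which the default route on each box already covers. The hub's pair of entries for the same home-to-ocolo flow (one `-P in` from the home tunnel, one `-P out` into the ocolo tunnel) is exactly what lets pcolo pass spoke-to-spoke traffic without gif(4) interfaces.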