From owner-freebsd-net@FreeBSD.ORG Fri Aug 18 18:02:02 2006
Date: Fri, 18 Aug 2006 19:01:58 +0100
From: Brian Candler
To: Remko Lodder
Cc: net@FreeBSD.org
Subject: Re: Routing IPSEC packets?
Message-ID: <20060818180158.GB931@uk.tiscali.com>
References: <44E58E9E.1030401@FreeBSD.org> <44E58F8B.5@FreeBSD.org>
In-Reply-To: <44E58F8B.5@FreeBSD.org>
List-Id: Networking and TCP/IP with FreeBSD

On Fri, Aug 18, 2006 at 11:59:39AM +0200, Remko Lodder wrote:
> Of course I should do the [1] trick:
>
> I want to do the following; I have three IPsec endpoints
> at this moment, one at home, one in my personal colo environment
> and one in another colo environment.
>
> The machine(s) in the personal colo environment are the point
> to which all the others connect. So the other colo env
> connects to the personal colo environment, and my home also
> connects to the personal colo environment.
>
> I would like to be able to:
>
> Other colo -- ipsec tunnel -- personal colo -- ipsec -- home
>
> Have these communications possible, and of course the other way
> around. In the event that another tunnel will be attaching,
> I would like to be able to route these packets to the other
> host as well (so that I can reach all the IPsec tunneled hosts
> from the IPsec network, from wherever I will be, either road
> warrior, or just at home, or at one of the colo machines).

That's fine, you just have to set up your SAs properly.

For example, if you are using 10.* private addresses everywhere, then on the 'spoke' machines you set up an SA that looks like

    10.0.1.0/24 -> 10.0.0.0/8

(if 10.0.1.0/24 is the address range assigned to this particular client). All other 10.* addresses will be routed down the tunnel.

Or, you can always set up multiple SAs. e.g. at the 'other colo' side you could set up SAs for

    10.0.1.0/24 -> 10.0.2.0/24
    10.0.1.0/24 -> 10.0.3.0/24

both with a tunnel IP of the 'personal colo' server. Here, I'm assuming that 10.0.2.0/24 is the 'personal colo' space, and 10.0.3.0/24 is the 'home' space.

Regards,

Brian.
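The hub-and-spoke layout Brian describes, worked through as an added example (not code from the thread or from the FreeBSD project): it emits the setkey(8) SPD entries for a spoke and for the hub, checks that the spoke ranges are disjoint so the hub's selectors never compete, and follows a home-to-other-colo packet through both tunnels. The public endpoint addresses are constructed from the RFC 5737 documentation ranges; the private ranges are the ones in Brian's message.

```python
import ipaddress
# Constructed endpoint addresses (RFC 5737 documentation ranges), not taken from the thread.
HUB_PUB = "192.0.2.1"                     # public IP of the 'personal colo' hub
AGG = "10.0.0.0/8"                        # aggregate: all private space is reached via the hub
SPOKES = {                                # name: (public tunnel IP, private /24 behind it)
    "othercolo": ("198.51.100.2", "10.0.1.0/24"),
    "home": ("203.0.113.3", "10.0.3.0/24"),
}                                         # 10.0.2.0/24 is the hub's own LAN and needs no spoke entry

def policy(src, dst, direction, local, remote):
    """One SPD entry: traffic selector, direction and ESP tunnel endpoints."""
    return (ipaddress.ip_network(src), ipaddress.ip_network(dst), direction, (local, remote))

def render(p):
    """setkey(8) syntax for one policy tuple."""
    src, dst, direction, (local, remote) = p
    return f"spdadd {src} {dst} any -P {direction} ipsec esp/tunnel/{local}-{remote}/require;"

def spoke_spd(name):
    """Spoke side: a single aggregate selector each way (Brian's first variant)."""
    pub, lan = SPOKES[name]
    return [policy(lan, AGG, "out", pub, HUB_PUB), policy(AGG, lan, "in", HUB_PUB, pub)]

def hub_spd():
    """Hub side: one selector pair per spoke, keyed on that spoke's /24."""
    spd = []
    for pub, lan in SPOKES.values():
        spd += [policy(AGG, lan, "out", HUB_PUB, pub), policy(lan, AGG, "in", pub, HUB_PUB)]
    return spd

def check_disjoint():
    """Spoke ranges must sit inside AGG and not overlap, so hub selectors never compete."""
    agg = ipaddress.ip_network(AGG)
    nets = [ipaddress.ip_network(lan) for _, lan in SPOKES.values()]
    inside = all(n.subnet_of(agg) for n in nets)
    return inside and not any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])

def lookup(spd, src_ip, dst_ip, direction):
    """Tunnel endpoints of the selector matching this packet, or None if no policy applies."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return next((tun for s, d, dirn, tun in spd if dirn == direction and src in s and dst in d), None)

def hops(from_spoke, to_spoke, src_ip, dst_ip):
    """Follow one packet spoke -> hub -> spoke: the hub decapsulates it (in policy), forwards it
    (net.inet.ip.forwarding=1 required) and its outbound SPD re-encapsulates toward the far spoke."""
    return [lookup(spoke_spd(from_spoke), src_ip, dst_ip, "out"), lookup(hub_spd(), src_ip, dst_ip, "in"),
            lookup(hub_spd(), src_ip, dst_ip, "out"), lookup(spoke_spd(to_spoke), src_ip, dst_ip, "in")]

if __name__ == "__main__":
    print("\n".join(render(p) for p in spoke_spd("othercolo") + hub_spd()))
```

Because each spoke's /24 is distinct, the hub's per-spoke selectors do not overlap and the order in which they were loaded does not matter; the same generator also covers Brian's second variant if a spoke's single aggregate selector is replaced by one entry per remote /24.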