From: tariq_rashid@lineone.net
To: freebsd-security@freebsd.org
Subject: star topology "hub" ipsec vpn / routing?
Date: Fri, 05 Oct 2001 12:23:38 +0100

Good afternoon all!

Is the following theoretically possible?

Star topology VPN:

    subnet--GW-----            ------GW--subnet
                  |            |
                  |            |
                  |            |
                       VPN
    subnet--GW-----   "hub"    ------GW--subnet
                  |            |
                  |            |
                  |            |
    subnet--GW-----            ------GW--subnet

that is, each remote site ipsec gateway (freebsd 4.4R running isakmpd, not racoon due to dynamic IP allocation) only has a tunnel to the central hub.

the essential point is that once the traffic from a protected subnet emerges at the VPN "hub", the routing tables of this hub then determine the next ipsec gateway hop and the packets are then re-encrypted and sent through the next tunnel. this way, only the central vpn hub needs to have its routing tables maintained. (i realise that if the hub goes down the whole vpn goes down!)

the usual method requires each vpn gateway to be configured with knowledge of every other gateway and subnet, thus not very scalable.

am i right or sorely mistaken?... any ideas or experiences would be appreciated!

tariq
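The hub-and-spoke forwarding the post describes, modelled as an added example (not code from the post or from FreeBSD/isakmpd): each spoke holds a single policy entry pointing at the hub, the hub holds one entry per remote subnet, and a packet between two sites crosses two tunnels. The gateway names, the 10.x.0.0/16 site subnets and the 10.0.0.0/8 aggregate are constructed sample values.

```python
from ipaddress import ip_address, ip_network

# Constructed sample: three remote sites; the hub aggregates them under one supernet.
HUB = "hub"
SITES = {
    "gwA": ip_network("10.1.0.0/16"),
    "gwB": ip_network("10.2.0.0/16"),
    "gwC": ip_network("10.3.0.0/16"),
}
VPN_SUPERNET = ip_network("10.0.0.0/8")


def spoke_policy(gw):
    """A spoke needs exactly one tunnel: (local subnet, remote selector, peer).
    Anything destined for the VPN supernet is encrypted toward the hub."""
    return [(SITES[gw], VPN_SUPERNET, HUB)]


def hub_policy():
    """The hub is the only node that knows every site: remote subnet -> gateway."""
    return {subnet: gw for gw, subnet in SITES.items()}


def forward(src_gw, dst):
    """Return the list of (encrypting node, tunnel peer) hops a packet takes
    from src_gw's subnet to dst. An empty list means the packet is not VPN
    traffic and leaves the spoke in the clear."""
    dst = ip_address(dst)
    hops = []
    for _local, remote, peer in spoke_policy(src_gw):
        if dst in remote:
            hops.append((src_gw, peer))  # first tunnel: spoke -> hub
            break
    else:
        return hops
    # The hub decrypts, consults its table, and re-encrypts into the next tunnel.
    for subnet, gw in hub_policy().items():
        if dst in subnet:
            hops.append((HUB, gw))  # second tunnel: hub -> destination gateway
            return hops
    # Only the hub's table can fail a lookup: a site missing here is unreachable
    # for everyone, which is the single point of failure the post mentions.
    raise LookupError(f"hub has no route for {dst}")


def tunnels_needed(n_sites, star=True):
    """Tunnel count for a star (one per site) versus a full mesh (every pair)."""
    return n_sites if star else n_sites * (n_sites - 1) // 2
```

Adding a fourth site means one new entry in hub_policy() and one new tunnel, while a full mesh would need a new tunnel and policy entry at every existing gateway.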