From owner-freebsd-security Fri Oct 5 06:16:03 2001
Message-ID: <3BBDB25B.FE44ADA3@centtech.com>
Date: Fri, 05 Oct 2001 08:15:07 -0500
From: Eric Anderson
Reply-To: anderson@centtech.com
Organization: Centaur Technology
To: tariq_rashid@lineone.net
Cc: freebsd-security@freebsd.org
Subject: Re: star topology "hub" ipsec vpn / routing?

I have something almost identical running right now (using the NET4501s from
www.soekris.com). It works great, and I have built my own "VPN distro" with
FreeBSD to automate almost anything and make it simple to admin (I have about
12 running now, with 20-30 more creeping in as fast as I can build 'em).

Eric

tariq_rashid@lineone.net wrote:
>
> Good afternoon all!
>
> Is the following theoretically possible?
>
> Star topology VPN:
>
>   subnet--GW-----              ------GW--subnet
>                 |              |
>                 |              |
>                 |              |
>                      VPN
>   subnet--GW-----   "hub"      ------GW--subnet
>                 |              |
>                 |              |
>                 |              |
>   subnet--GW-----              ------GW--subnet
>
> That is, each remote site ipsec gateway (freebsd 4.4R running isakmpd, not
> racoon, due to dynamic IP allocation) only has a tunnel to the central hub.
>
> The essential point is that once the traffic from a protected subnet emerges
> at the VPN "hub", the routing tables of this hub then determine the next
> ipsec gateway hop, and the packets are then re-encrypted and sent through the
> next tunnel.
>
> This way, only the central vpn hub needs to have its routing tables
> maintained. (I realise that if the hub goes down the whole vpn goes down!)
>
> The usual method requires each vpn gateway to be configured with knowledge of
> every other gateway and subnet, thus not very scalable.
>
> Am I right or sorely mistaken?...
>
> Any ideas or experiences would be appreciated!
>
> tariq
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
-------------------------------------------------------------
Eric Anderson      anderson@centtech.com      Centaur Technology
# rm -rf /bin/laden
-------------------------------------------------------------
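The policy shape tariq describes (spokes know only the hub; the hub re-encrypts spoke-to-spoke traffic into the next tunnel) can be written down as KAME setkey(8) SPD entries, which is what FreeBSD 4.x IPsec uses under whichever keying daemon is in front of it. The script below is an added example, not code from either poster or from the FreeBSD project. It assumes fixed, documentation-range addresses for the hub (192.0.2.1) and three constructed spokes, and an aggregate prefix (10.0.0.0/8) covering every site subnet; the spoke names, addresses and the hub_policy/spoke_policy helper names are hypothetical. With dynamic spoke addresses, as in the original question, the tunnel endpoints in these entries would instead be installed by isakmpd when phase 2 completes, so treat the output as the target policy rather than a static config to load.

```shell
#!/bin/sh
# Added example (hypothetical generator): emits setkey(8) SPD entries for a
# hub-and-spoke IPsec layout. The hub gets one in/out policy pair per spoke;
# each spoke gets a single aggregate policy pointing at the hub, so adding a
# site only touches the hub's policy.

HUB_IP=192.0.2.1          # assumed hub public address (documentation range)
AGG=10.0.0.0/8            # assumed aggregate covering every site subnet

# Constructed spoke list: name, public IP, protected subnet (one per line).
SPOKES='
siteA 198.51.100.10 10.1.0.0/16
siteB 198.51.100.20 10.2.0.0/16
siteC 198.51.100.30 10.3.0.0/16
'

# Hub side: anything in the aggregate heading for a spoke's subnet leaves
# re-encrypted through the hub->spoke tunnel; the reverse direction is only
# accepted when it arrived through that spoke's tunnel (prevents a cleartext
# packet claiming a remote source from being forwarded as if it were tunnelled).
hub_policy() {
  printf '%s\n' "$SPOKES" | while read -r name ip net; do
    [ -n "$name" ] || continue
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' \
      "$AGG" "$net" "$HUB_IP" "$ip"
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n' \
      "$net" "$AGG" "$ip" "$HUB_IP"
  done
}

# Spoke side ($1 = spoke name): one outbound policy for "my subnet -> any site"
# and its mirror inbound. The spoke never learns the other spokes' addresses.
spoke_policy() {
  printf '%s\n' "$SPOKES" | while read -r name ip net; do
    [ "$name" = "$1" ] || continue
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' \
      "$net" "$AGG" "$ip" "$HUB_IP"
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n' \
      "$AGG" "$net" "$HUB_IP" "$ip"
  done
}

# Stand-alone usage: print the hub policy, then siteB's policy.
echo '# hub'
hub_policy
echo '# siteB'
spoke_policy siteB
```

Two things the SPD alone does not give you on the hub: forwarding must be on (`gateway_enable="YES"` in rc.conf, i.e. `net.inet.ip.forwarding=1`), and the kernel still needs an ordinary route for the aggregate (a route out the external interface is enough) because KAME routes the packet first and only then consults the SPD to encapsulate it. A packet from 10.1.5.5 to 10.3.7.7 therefore arrives through siteA's tunnel, is forwarded, matches the siteC `out` entry and leaves re-encrypted, which is exactly the double-hop the original question describes; it also means the hub sees every inter-site packet in the clear, so it is the place to filter.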