Date:      Fri, 05 Oct 2001 08:15:07 -0500
From:      Eric Anderson <anderson@centtech.com>
To:        tariq_rashid@lineone.net
Cc:        freebsd-security@freebsd.org
Subject:   Re: start topology "hub" ipsec vpn / routing?
Message-ID:  <3BBDB25B.FE44ADA3@centtech.com>
References:  <E15pT4s-0009hQ-00@mk-smarthost-1.mail.uk.worldonline.com>

I have something almost identical running right now (using the NET4501's on www.soekris.com).  It works great, and I
have built my own "VPN distro" with FreeBSD, to automate almost anything, and make it simple to admin (I have about 12
running now, with 20-30 more creeping in as fast as I can build 'em).  

Eric


tariq_rashid@lineone.net wrote:
> 
> Good afternoon all!
> 
> Is the following theoretically possible?
> 
> Star topology VPN:
> 
>       subnet--GW-----   ------GW--subnet
>                     |   |
>                     |   |
>                     |   |
> 
>                      VPN
>  subnet--GW-----    "hub"  ------GW--subnet
> 
>                     |   |
>                     |   |
>                     |   |
>       subnet--GW-----   ------GW--subnet
> 
> that is, each remote site ipsec gateway (freebsd 4.4R running isakmpd, not racoon due to dynamic
> IP allocation) only has a tunnel to the central hub.
> 
> the essential point is that once the traffic from a protected subnet emerges at the VPN "hub" the routing
> tables of this hub then determine the next ipsec gateway hop and the packets are then re-encrypted and sent
> through the next tunnel.
> 
> this way, only the central vpn hub needs to have its routing tables maintained. (i realise that if the hub
> goes down the whole vpn goes down!)
> 
> the usual method requires each vpn gateway to be configured with knowledge of every other gateway and subnet.
> thus not very scalable.
> 
> am i right or sorely mistaken?...
> 
> any ideas or experiences would be appreciated!
> 
> tariq
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

-- 
-------------------------------------------------------------
Eric Anderson	 anderson@centtech.com    Centaur Technology
# rm -rf  /bin/laden
-------------------------------------------------------------
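The hub-and-spoke forwarding that the quoted question describes, modelled as an added example (not code from this thread, from FreeBSD or from isakmpd): every spoke carries a single tunnel policy toward the hub, the hub carries one policy per spoke LAN, and a packet from one spoke to another is decapsulated at the hub, matched against the hub's policy table and re-encapsulated toward the next spoke. The addresses, site names, the VPN_AGGREGATE prefix and the setkey(8)-style policy text are assumptions; spoke gateway addresses are fixed here for simplicity, whereas the post's spokes have dynamic IPs and the key daemon negotiates the SAs against whatever address they currently hold.

```python
"""Hub-and-spoke IPsec VPN model: every spoke holds one tunnel policy
(its LAN -> hub) and the hub holds one policy per spoke LAN.  A packet from
spoke A to spoke B is decapsulated at the hub, matched against the hub's
policy table and re-encapsulated toward B.  All addresses are constructed
for this example."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Spoke:
    name: str
    subnet: ipaddress.IPv4Network   # protected LAN behind the spoke gateway
    gw: ipaddress.IPv4Address       # spoke gateway's outer (public) address


# Assumed: all protected LANs are carved out of one aggregate, so a spoke
# can send "anything for the VPN" to the hub without knowing other spokes.
VPN_AGGREGATE = ipaddress.ip_network("10.0.0.0/8")
HUB_GW = ipaddress.ip_address("203.0.113.1")
SPOKES = [
    Spoke("site-a", ipaddress.ip_network("10.1.0.0/24"), ipaddress.ip_address("198.51.100.10")),
    Spoke("site-b", ipaddress.ip_network("10.2.0.0/24"), ipaddress.ip_address("198.51.100.20")),
    Spoke("site-c", ipaddress.ip_network("10.3.0.0/24"), ipaddress.ip_address("198.51.100.30")),
]


def hub_policies(spokes):
    """Hub policy table: (destination LAN, tunnel endpoint), one per spoke."""
    return [(s.subnet, s.gw) for s in spokes]


def spoke_policies(spoke, hub_gw=HUB_GW):
    """Spoke policy table: one entry, independent of how many spokes exist."""
    return [(VPN_AGGREGATE, hub_gw)]


def lookup(policies, dst):
    """Longest-prefix match over (network, endpoint); returns the endpoint or None."""
    best = None
    for net, gw in policies:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


def forward(src, dst, spokes, hub_gw=HUB_GW):
    """Return the (outer src, outer dst) tunnel legs a packet crosses.
    Between the two legs the packet is plaintext on the hub."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    origin = next((s for s in spokes if src in s.subnet), None)
    if origin is None:
        raise LookupError(f"{src} is not behind any spoke")
    legs = [(origin.gw, hub_gw)]                 # spoke -> hub, ESP tunnel
    nxt = lookup(hub_policies(spokes), dst)      # hub decapsulates, consults its SPD
    if nxt is None:
        # No policy: drop rather than route the decrypted packet in the clear.
        raise LookupError(f"no tunnel policy for {dst} on the hub")
    legs.append((hub_gw, nxt))                   # hub -> spoke, re-encapsulated
    return legs


def hub_setkey(spokes, hub_gw=HUB_GW):
    """setkey(8)-style outbound SPD lines for the hub, one per spoke."""
    return [f"spdadd {VPN_AGGREGATE} {s.subnet} any -P out ipsec "
            f"esp/tunnel/{hub_gw}-{s.gw}/require;" for s in spokes]


def spoke_setkey(spoke, hub_gw=HUB_GW):
    """setkey(8)-style outbound SPD line for a spoke: all VPN traffic goes to the hub."""
    return [f"spdadd {spoke.subnet} {VPN_AGGREGATE} any -P out ipsec "
            f"esp/tunnel/{spoke.gw}-{hub_gw}/require;"]


if __name__ == "__main__":
    for outer_src, outer_dst in forward("10.1.0.5", "10.2.0.9", SPOKES):
        print(f"{outer_src} -> {outer_dst}")
    print(*hub_setkey(SPOKES), sep="\n")
    print(*spoke_setkey(SPOKES[0]), sep="\n")
```

Two things the model makes visible that the diagram does not: the hub carries one policy per spoke while a full mesh needs one per peer on every gateway, and between the two tunnel legs the inter-site traffic is plaintext on the hub, so the hub is both the single point of failure the question already notes and the one host that can read all spoke-to-spoke traffic. A destination with no matching hub policy must be dropped (the LookupError branch), not forwarded onward unprotected.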

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3BBDB25B.FE44ADA3>