From owner-freebsd-security Fri Oct 5 8:43:24 2001
To: Eric Anderson
Cc: freebsd-security@freebsd.org
From: tariq_rashid@lineone.net
Subject: Re: start topology "hub" ipsec vpn / routing?
Date: Fri, 05 Oct 2001 16:43:09 +0100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

thanks for your email - do you mean that the "hub" is a freebsd box? or is this the net4501?

can you give me an indication of the isakmpd configuration on the "hub" or "client" - the problem i have is that it appears that routing is decided by the ipsec policy as defined in the isakmpd.conf (Local-ID, Remote-ID, network=, netmask=) and as such it appears that the configuration files MUST reflect the possible paths from end-to-end (and not just to the hub as required).

am i wrong?

tariq

----------
>From: Eric Anderson
>To: tariq_rashid@lineone.net
>Subject: Re: start topology "hub" ipsec vpn / routing?
>Date: Fri, 05 Oct 2001 08:15:07 -0500
>
>I have something almost identical running right now (using the NET4501's on www.soekris.com). It works great, and I
>have built my own "VPN distro" with FreeBSD, to automate almost anything, and make it simple to admin (I have about 12
>running now, with 20-30 more creeping in as fast as I can build 'em).
>
>Eric
>
>
>tariq_rashid@lineone.net wrote:
>>
>> Good afternoon all!
>>
>> Is the following theoretically possible?
>>
>> Star topology VPN:
>>
>> subnet--GW-----         -----GW--subnet
>>              |           |
>>              |           |
>>              |           |
>>               VPN
>> subnet--GW-----  "hub"  -----GW--subnet
>>              |           |
>>              |           |
>>              |           |
>> subnet--GW-----         -----GW--subnet
>>
>> that is, each remote site ipsec gateway (freebsd 4.4R running isakmpd, not racoon due to dynamic
>> IP allocation) only has a tunnel to the central hub.
>>
>> the essential point is that once the traffic from a protected subnet emerges at the VPN "hub" the routing
>> tables of this hub then determine the next ipsec gateway hop and the packets are then re-encrypted and sent
>> through the next tunnel.
>>
>> this way, only the central vpn hub needs to have its routing tables maintained. (i realise that if the hub
>> goes down the whole vpn goes down!)
>>
>> the usual method requires each vpn gateway to be configured with knowledge of every other gateway and subnet.
>> thus not very scalable.
>>
>> am i right or sorely mistaken?...
>>
>> any ideas or experiences would be appreciated!
>>
>> tariq
>>
>> To Unsubscribe: send mail to majordomo@FreeBSD.org
>> with "unsubscribe freebsd-security" in the body of the message
>
>--
>-------------------------------------------------------------
>Eric Anderson anderson@centtech.com Centaur Technology
># rm -rf /bin/laden
>-------------------------------------------------------------
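The point under discussion above is that an IPsec gateway picks a tunnel by matching the packet against its policy selectors (the local/remote network pairs that isakmpd.conf's Local-ID, Remote-ID, Network and Netmask describe), not by consulting the routing table. The following simulation is an added example, not code from this thread or from isakmpd; the addresses are constructed, and it goes one step beyond the thread by showing that a spoke can also carry a single aggregate selector for all protected space with the hub as its peer.

```python
import ipaddress

HUB_GW = "198.51.100.1"  # hub gateway's outside address (constructed)
# spoke name -> (protected subnet, spoke gateway's outside address); all constructed
SPOKES = {
    "A": ("10.1.0.0/16", "203.0.113.10"),
    "B": ("10.2.0.0/16", "203.0.113.20"),
    "C": ("10.3.0.0/16", "203.0.113.30"),
}

def _net(s):
    return ipaddress.ip_network(s)

def hub_only_policy(spoke, hub_subnet="10.0.0.0/24"):
    """Spoke selectors naming only the hub's own network (a tunnel 'just to the hub')."""
    local = SPOKES[spoke][0]
    return [(_net(local), _net(hub_subnet), HUB_GW)]

def full_mesh_policy(spoke):
    """One selector per remote subnet, peer = that subnet's gateway (the 'usual method')."""
    local = SPOKES[spoke][0]
    return [(_net(local), _net(rsub), rgw)
            for name, (rsub, rgw) in SPOKES.items() if name != spoke]

def star_policy(spoke, aggregate="10.0.0.0/8"):
    """One aggregate selector covering all protected space, peer = the hub gateway."""
    local = SPOKES[spoke][0]
    return [(_net(local), _net(aggregate), HUB_GW)]

def tunnel_peer(policy, src, dst):
    """Return the IKE peer whose tunnel carries src->dst, or None when no selector
    matches (such a packet would leave the gateway unprotected or be dropped)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    best = None
    for local_net, remote_net, peer in policy:
        if s in local_net and d in remote_net:
            # most specific remote selector wins, as with SPD longest-match
            if best is None or remote_net.prefixlen > best[0].prefixlen:
                best = (remote_net, peer)
    return best[1] if best else None

if __name__ == "__main__":
    pkt = ("10.1.0.5", "10.2.0.7")  # host in spoke A talking to a host in spoke B
    for name, pol in [("hub-only", hub_only_policy("A")),
                      ("full-mesh", full_mesh_policy("A")),
                      ("star", star_policy("A"))]:
        print(f"{name:9s} -> peer {tunnel_peer(pol, *pkt)}")
```

With the hub-only selector spoke-to-spoke traffic matches nothing, which is the problem described in the reply; the aggregate selector makes the hub the peer for all of it, provided the hub's own policy carries the mirror-image selector for each spoke, since both IKE peers must agree on the phase-2 identities.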