Date: Fri, 05 Oct 2001 16:43:09 +0100
From: tariq_rashid@lineone.net
To: Eric Anderson <anderson@centtech.com>
Cc: freebsd-security@freebsd.org
Subject: Re: start topology "hub" ipsec vpn / routing?
Message-ID: <E15pX81-000OQO-00@mk-smarthost-1.mail.uk.worldonline.com>
thanks for your email - do you mean that the "hub" is a freebsd box? or is this the net4501?

can you give me an indication of the isakmpd configuration on the "hub" or "client" - the problem i have is that it appears that routing is decided by the ipsec policy as defined in the isakmpd.conf (Local-ID, Remote-ID, network=, netmask=) and as such it appears that the configuration files MUST reflect the possible paths from end-to-end (and not just to the hub as required).

am i wrong?

tariq

----------
>From: Eric Anderson <anderson@centtech.com>
>To: tariq_rashid@lineone.net
>Subject: Re: start topology "hub" ipsec vpn / routing?
>Date: Fri, 05 Oct 2001 08:15:07 -0500
>
>I have something almost identical running right now (using the NET4501's on www.soekris.com). It works great, and I
>have built my own "VPN distro" with FreeBSD, to automate almost anything, and make it simple to admin (I have about 12
>running now, with 20-30 more creeping in as fast as I can build 'em).
>
>Eric
>
>
>tariq_rashid@lineone.net wrote:
>>
>> Good afternoon all!
>>
>> Is the following theoretically possible?
>>
>> Star topology VPN:
>>
>> subnet--GW-----              ------GW--subnet
>>               |              |
>>               |              |
>>               |              |
>>                     VPN
>> subnet--GW-----    "hub"     ------GW--subnet
>>               |              |
>>               |              |
>>               |              |
>> subnet--GW-----              ------GW--subnet
>>
>> that is, each remote site ipsec gateway (freebsd 4.4R running isakmpd, not racoon due to dynamic
>> IP allocation) only has a tunnel to the central hub.
>>
>> the essential point is that once the traffic from a protected subnet emerges at the VPN "hub" the routing
>> tables of this hub then determine the next ipsec gateway hop and the packets are then re-encrypted and sent
>> through the next tunnel.
>>
>> this way, only the central vpn hub needs to have its routing tables maintained. (i realise that if the hub
>> goes down the whole vpn goes down!)
>>
>> the usual method requires each vpn gateway to be configured with knowledge of every other gateway and subnet.
>> thus not very scalable.
>>
>> am i right or sorely mistaken?...
>>
>> any ideas or experiences would be appreciated!
>>
>> tariq
>>
>> To Unsubscribe: send mail to majordomo@FreeBSD.org
>> with "unsubscribe freebsd-security" in the body of the message
>
>--
>-------------------------------------------------------------
>Eric Anderson        anderson@centtech.com        Centaur Technology
># rm -rf /bin/laden
>-------------------------------------------------------------
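As an added illustration, not part of the thread, this is how the policy selectors tariq describes look in isakmpd.conf on one spoke gateway: the Local-ID/Remote-ID pair of a Phase 2 connection is what decides which traffic enters the tunnel, so a spoke whose Remote-ID is the aggregate of all protected subnets needs only the single tunnel to the hub, and the hub's routing then picks the next tunnel. Addresses, section names and the key are constructed placeholders; the hub is assumed to carry the mirror-image connection for each spoke and to have IP forwarding enabled.

```ini
# Constructed example isakmpd.conf for ONE spoke gateway (not from the thread).
# Only the hub is a peer; Remote-ID is the aggregate of every protected subnet.
# Addresses, names and the pre-shared key are placeholders.

[Phase 1]
192.0.2.1=              hub

[Phase 2]
Connections=            spoke1-to-hub

[hub]
Phase=                  1
Transport=              udp
Address=                192.0.2.1
Configuration=          Default-main-mode
Authentication=         REPLACE-WITH-PRE-SHARED-KEY

[spoke1-to-hub]
Phase=                  2
ISAKMP-peer=            hub
Configuration=          Default-quick-mode
Local-ID=               Net-spoke1
Remote-ID=              Net-vpn

# This spoke's own protected subnet.
[Net-spoke1]
ID-type=                IPV4_ADDR_SUBNET
Network=                10.1.0.0
Netmask=                255.255.0.0

# Everything behind the hub, all other spokes included, as one selector.
# The hub's connection for this spoke must be the mirror image
# (Local-ID=Net-vpn, Remote-ID=Net-spoke1) or quick mode will not agree on IDs.
[Net-vpn]
ID-type=                IPV4_ADDR_SUBNET
Network=                10.0.0.0
Netmask=                255.0.0.0

[Default-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             3DES-SHA

[Default-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-3DES-SHA-PFS-SUITE
```

The hub ends up with one such connection per spoke (10.0.0.0/8 to 10.1.0.0/16, 10.0.0.0/8 to 10.2.0.0/16, and so on), so a packet decrypted from one spoke and destined for another matches the second spoke's policy and is re-encrypted into that tunnel.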