Date: Fri, 05 Oct 2001 10:52:21 -0500 From: Eric Anderson <anderson@centtech.com> To: tariq_rashid@lineone.net Cc: freebsd-security@freebsd.org Subject: Re: start topology "hub" ipsec vpn / routing? Message-ID: <3BBDD735.DD5B07F1@centtech.com> References: <E15pX81-000OQO-00@mk-smarthost-1.mail.uk.worldonline.com>
Well, I am using the net4501's for my "client" boxes, running at homes of employees for connectivity in to work. At work, I have a FreeBSD machine serving as my "hub" as you call it. All the "clients" connect to it. All routing takes place on the "hub". Basically, each ipsec host will have an interface (gif0 perhaps), and that interface will have a network number, and subnet mask, etc. The clients just set a default gateway, and I set things up to send all data bound for "internal" networks to the ipsec hub. I do not use isakmpd as of yet, so I'm still using racoon. The net4501 could be used as the hub also if you wanted. Does that help any?

tariq_rashid@lineone.net wrote:
>
> thanks for your email -
>
> do you mean that the "hub" is a freebsd box? or is this the net4501?
>
> can you give me an indication of the isakmpd configuration on the "hub" or "client" -
>
> the problem i have is that it appears that routing is decided by the ipsec policy as defined in the isakmpd.conf (Local-ID, Remote-ID, network=, netmask=) and as such it appears that the configuration files MUST reflect the possible paths from end-to-end (and not just to the hub as required).
>
> am i wrong?
>
> tariq
>
> ----------
> >From: Eric Anderson <anderson@centtech.com>
> >To: tariq_rashid@lineone.net
> >Subject: Re: start topology "hub" ipsec vpn / routing?
> >Date: Fri, 05 Oct 2001 08:15:07 -0500
> >
> >I have something almost identical running right now (using the NET4501's on www.soekris.com). It works great, and I
> >have built my own "VPN distro" with FreeBSD, to automate almost anything, and make it simple to admin (I have about 12
> >running now, with 20-30 more creeping in as fast as I can build 'em).
> >
> >Eric
> >
> >
> >tariq_rashid@lineone.net wrote:
> >>
> >> Good afternoon all!
> >>
> >> Is the following theoretically possible?
> >>
> >> Star topology VPN:
> >>
> >> subnet--GW-----           ------GW--subnet
> >>               |           |
> >>               |           |
> >>               |           |
> >>                    VPN
> >> subnet--GW----- "hub" ------GW--subnet
> >>               |           |
> >>               |           |
> >>               |           |
> >> subnet--GW-----           ------GW--subnet
> >>
> >> that is, each remote site ipsec gateway (freebsd 4.4R running isakmpd, not racoon due to dynamic
> >> IP allocation) only has a tunnel to the central hub.
> >>
> >> the essential point is that once the traffic from a protected subnet emerges at the VPN "hub" the routing
> >> tables of this hub then determine the next ipsec gateway hop and the packets are then re-encrypted and sent
> >> through the next tunnel.
> >>
> >> this way, only the central vpn hub needs to have its routing tables maintained. (i realise that if the hub
> >> goes down the whole vpn goes down!)
> >>
> >> the usual method requires each vpn gateway to be configured with knowledge of every other gateway and subnet.
> >> thus not very scalable.
> >>
> >> am i right or sorely mistaken?...
> >>
> >> any ideas or experiences would be appreciated!
> >>
> >> tariq
> >>
> >> To Unsubscribe: send mail to majordomo@FreeBSD.org
> >> with "unsubscribe freebsd-security" in the body of the message
> >
> >--
> >-------------------------------------------------------------
> >Eric Anderson        anderson@centtech.com        Centaur Technology
> ># rm -rf /bin/laden
> >-------------------------------------------------------------
>

--
-------------------------------------------------------------
Eric Anderson        anderson@centtech.com        Centaur Technology
# rm -rf /bin/laden
-------------------------------------------------------------
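The layout Eric describes (one gif interface per tunnel, routing done on the gif addresses, the hub re-encrypting into the next tunnel) can be made concrete as a small generator of per-box FreeBSD commands. The script below is an added example written for this archive page; it is not code from the thread or from either poster's setup. It assumes static public addresses (constructed from RFC 5737 ranges), RFC 1918 tunnel and site addresses, a hypothetical `10.0.0.0/8` aggregate for everything "internal", and that the ESP security associations for the transport-mode policy are negotiated separately by racoon or isakmpd (not shown). The point it makes is the one Tariq asks about: with the IPsec policy attached to the gif outer packets only, the spoke's policy names nothing but the hub, and end-to-end paths live purely in the hub's routing table.

```shell
#!/bin/sh
# Added example, not from the thread or from either poster's setup: emits the
# FreeBSD commands for a hub-and-spoke VPN built the way the reply describes.
# Each spoke gets one gif(4) tunnel to the hub, traffic is steered by plain
# routes over the gif addresses, and a setkey(8) policy requires ESP on the
# gif outer packets (IP protocol "ipencap") between the two public addresses.
# Every address below is constructed from RFC 5737 / RFC 1918 ranges.

HUB_PUB=203.0.113.1      # hub's public address (constructed)
INTERNAL=10.0.0.0/8      # aggregate covering every spoke subnet (assumed)

# Spoke table (constructed), one spoke per line:
#   name  spoke-public-ip  hub-tunnel-ip  spoke-tunnel-ip  spoke-subnet
# Static public addresses are assumed here so the policy shape stays visible;
# the thread's dynamically addressed spokes would need IKE on top of this.
SPOKES='
site-a 198.51.100.10 172.16.0.1 172.16.0.2  10.1.0.0/24
site-b 198.51.100.20 172.16.0.5 172.16.0.6  10.2.0.0/24
site-c 198.51.100.30 172.16.0.9 172.16.0.10 10.3.0.0/24
'

# SPD pair requiring transport-mode ESP on the encapsulated packets in both
# directions. Nothing that enters the gif interface can leave in the clear,
# and the inner (routed) packets need no policy of their own.
ipsec_policy() {   # $1 = local public ip, $2 = remote public ip
    printf 'spdadd %s %s ipencap -P out ipsec esp/transport//require;\n' "$1" "$2"
    printf 'spdadd %s %s ipencap -P in ipsec esp/transport//require;\n' "$2" "$1"
}

# Spoke: one tunnel, one route for everything internal via the hub's tunnel
# address. It knows nothing about the other spokes or their subnets.
spoke_config() {   # $1 = spoke name from the table
    echo "$SPOKES" | while read -r name pub hubtun spoketun subnet; do
        [ "$name" = "$1" ] || continue
        echo "# --- spoke $name ($subnet) ---"
        echo "ifconfig gif0 create"
        echo "ifconfig gif0 tunnel $pub $HUB_PUB"
        echo "ifconfig gif0 inet $spoketun $hubtun netmask 255.255.255.255"
        echo "route add -net $INTERNAL $hubtun"
        ipsec_policy "$pub" "$HUB_PUB"
    done
}

# Hub: one gif, one route and one policy pair per spoke. A packet from
# site-a to site-b is decrypted here, routed into site-b's gif by the
# hub's table alone, and encrypted again under site-b's policy.
hub_config() {
    n=0
    echo "# --- hub ($HUB_PUB) ---"
    echo "$SPOKES" | while read -r name pub hubtun spoketun subnet; do
        [ -n "$name" ] || continue
        echo "ifconfig gif$n create"
        echo "ifconfig gif$n tunnel $HUB_PUB $pub"
        echo "ifconfig gif$n inet $hubtun $spoketun netmask 255.255.255.255"
        echo "route add -net $subnet $spoketun"
        ipsec_policy "$HUB_PUB" "$pub"
        n=$((n + 1))
    done
}

# Count generated lines starting with a prefix, e.g. count_lines spdadd hub_config
count_lines() {   # $1 = prefix to count, remaining args = generator command
    prefix=$1; shift
    "$@" | grep -c "^$prefix"
}

# Print both sides when run directly (a spoke sees only the hub).
hub_config
spoke_config site-a
```

Adding a fourth site means one more table line and re-running `hub_config`; the existing spokes' output is unchanged, which is the scalability property Tariq is after. The `require` level is the part worth checking on a real box: with `use` instead, gif traffic would silently fall back to cleartext when no SA exists.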