Date: Fri, 05 Oct 2001 17:04:02 +0100
From: tariq_rashid@lineone.net
To: Eric Anderson <anderson@centtech.com>
Cc: freebsd-security@freebsd.org
Subject: Re: start topology "hub" ipsec vpn / routing?
Message-ID: <E15pXSE-000AfH-00@mk-smarthost-1.mail.uk.worldonline.com>
ahh -> racoon. i think this problem is specific to isakmpd (the scope of the config files)... and i'm not using racoon as it definitely won't handle clients with dynamically allocated IP addresses - unless you know how!

thanks for your help anyway!

tariq

----------
>From: Eric Anderson <anderson@centtech.com>
>To: tariq_rashid@lineone.net
>Subject: Re: start topology "hub" ipsec vpn / routing?
>Date: Fri, 05 Oct 2001 10:52:21 -0500
>
>Well, I am using the net4501's for my "client" boxes, running at homes of employees for connectivity in to work. At
>work, I have a freebsd machine serving as my "hub" as you call it. All the "clients" connect to it. all routing takes
>place on the "hub". Basically, each ipsec host will have an interface (gif0 perhaps), and that interface will have a
>network number, and subnet mask, etc. The clients just set a default gateway, and I set things up to send all data
>bound for "internal" networks to the ipsec hub. I do not use isakmpd as of yet, so I'm still using racoon. The net4501
>could be used as the hub also if you wanted.
>
>Does that help any?
>
>
>
>tariq_rashid@lineone.net wrote:
>>
>> thanks for your email -
>>
>> do you mean that the "hub" is a freebsd box? or is this the net4501?
>>
>> can you give me an indication of the isakmpd configuration on the "hub" or "client" -
>>
>> the problem i have is that it appears that routing is decided by the ipsec policy as defined in the isakmpd.conf (Local-ID, Remote-ID, network=, netmask=) and as such it appears that the configuration files MUST reflect the possible paths from end-to-end (and not just to the hub as required).
>>
>> am i wrong?
>>
>> tariq
>>
>> ----------
>> >From: Eric Anderson <anderson@centtech.com>
>> >To: tariq_rashid@lineone.net
>> >Subject: Re: start topology "hub" ipsec vpn / routing?
>> >Date: Fri, 05 Oct 2001 08:15:07 -0500
>> >
>> >I have something almost identical running right now (using the NET4501's on www.soekris.com). It works great, and I
>> >have built my own "VPN distro" with FreeBSD, to automate almost anything, and make it simple to admin (I have about 12
>> >running now, with 20-30 more creeping in as fast as I can build 'em).
>> >
>> >Eric
>> >
>> >
>> >tariq_rashid@lineone.net wrote:
>> >>
>> >> Good afternoon all!
>> >>
>> >> Is the following theoretically possible?
>> >>
>> >> Star topology VPN:
>> >>
>> >> subnet--GW-----             ------GW--subnet
>> >>                |           |
>> >>                |           |
>> >>                |           |
>> >>
>> >>                    VPN
>> >> subnet--GW-----   "hub"   ------GW--subnet
>> >>
>> >>                |           |
>> >>                |           |
>> >>                |           |
>> >> subnet--GW-----             ------GW--subnet
>> >>
>> >> that is, each remote site ipsec gateway (freebsd 4.4R running isakmpd, not racoon due to dynamic
>> >> IP allocation) only has a tunnel to the central hub.
>> >>
>> >> the essential point is that once the traffic from a protected subnet emerges at the VPN "hub" the routing
>> >> tables of this hub then determine the next ipsec gateway hop and the packets are then re-encrypted and sent
>> >> through the next tunnel.
>> >>
>> >> this way, only the central vpn hub needs to have its routing tables maintained. (i realise that if the hub
>> >> goes down the whole vpn goes down!)
>> >>
>> >> the usual method requires each vpn gateway to be configured with knowledge of every other gateway and subnet.
>> >> thus not very scalable.
>> >>
>> >> am i right or sorely mistaken?...
>> >>
>> >> any ideas or experiences would be appreciated!
>> >>
>> >> tariq
>> >>
>> >> To Unsubscribe: send mail to majordomo@FreeBSD.org
>> >> with "unsubscribe freebsd-security" in the body of the message
>> >
>> >--
>> >-------------------------------------------------------------
>> >Eric Anderson    anderson@centtech.com    Centaur Technology
>> ># rm -rf /bin/laden
>> >-------------------------------------------------------------
>> >
>
>--
>-------------------------------------------------------------
>Eric Anderson    anderson@centtech.com    Centaur Technology
># rm -rf /bin/laden
>-------------------------------------------------------------
>
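The routing model described in the thread (each spoke holds only its own LAN plus a default route into its single tunnel to the hub, and the hub alone holds one route per spoke subnet, so adding a site touches only the hub and the new site) can be checked with a small simulation. The following is an added example and not code from the thread or from either participant's setup: it models routing tables with longest-prefix matching and walks a packet gateway by gateway. Gateway names, subnets and the gif-style tunnel names are constructed for the example; IPsec policy and isakmpd/racoon configuration are deliberately outside the model.

```python
"""Routing model for a star ("hub") VPN: only the hub knows every subnet.

Added illustration, not code from the FreeBSD mailing-list thread. It models
routing tables only; IPsec policy negotiation is not represented.
All addresses and names below are constructed for the example.
"""
import ipaddress


class Gateway:
    """A VPN gateway with a routing table of (network, next_hop) pairs.

    next_hop is the name of a tunnel interface on this gateway, or "local"
    for the gateway's own protected subnet.
    """

    def __init__(self, name, lan):
        self.name = name
        self.lan = ipaddress.ip_network(lan)
        self.routes = [(self.lan, "local")]

    def add_route(self, network, via):
        self.routes.append((ipaddress.ip_network(network), via))

    def lookup(self, dst):
        """Longest-prefix match; returns the next hop, or None if unroutable."""
        dst = ipaddress.ip_address(dst)
        best = None
        for net, via in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, via)
        return best[1] if best else None


class StarVPN:
    """Hub gateway plus spokes; tunnels exist only between a spoke and the hub."""

    def __init__(self, hub_name, hub_lan):
        self.hub = Gateway(hub_name, hub_lan)
        self.gateways = {hub_name: self.hub}
        # (gateway name, tunnel name) -> name of the gateway at the far end
        self.peer = {}

    def add_spoke(self, name, lan):
        """Bring up a new spoke: only the new spoke and the hub are modified."""
        spoke = Gateway(name, lan)
        spoke_tun = "gif0"          # the spoke's single tunnel, towards the hub
        hub_tun = f"gif-{name}"     # the hub's tunnel interface towards this spoke
        spoke.add_route("0.0.0.0/0", spoke_tun)   # everything else goes to the hub
        self.hub.add_route(lan, hub_tun)          # hub learns this spoke's subnet
        self.peer[(name, spoke_tun)] = self.hub.name
        self.peer[(self.hub.name, hub_tun)] = name
        self.gateways[name] = spoke
        return spoke

    def trace(self, start, dst, max_hops=8):
        """Follow a packet from gateway `start` towards `dst`.

        Returns [(gateway, next_hop), ...]; the last entry is "local" on
        delivery or None where a gateway has no route and drops the packet.
        """
        gw = self.gateways[start]
        path = []
        for _ in range(max_hops):
            via = gw.lookup(dst)
            path.append((gw.name, via))
            if via in ("local", None):
                return path
            gw = self.gateways[self.peer[(gw.name, via)]]
        raise RuntimeError("routing loop between gateways")


def build_example():
    """Constructed topology: one hub and three spoke sites."""
    vpn = StarVPN("hub", "10.0.0.0/24")
    for name, lan in [("site-a", "10.1.0.0/24"),
                      ("site-b", "10.2.0.0/24"),
                      ("site-c", "10.3.0.0/24")]:
        vpn.add_spoke(name, lan)
    return vpn


if __name__ == "__main__":
    vpn = build_example()
    print(vpn.trace("site-a", "10.2.0.7"))       # site-a -> hub -> site-b
    vpn.add_spoke("site-d", "10.4.0.0/24")       # new site: site-a untouched
    print(vpn.trace("site-a", "10.4.0.1"))
    print(vpn.trace("site-b", "192.168.9.9"))    # unknown network dies at the hub
    for gw in vpn.gateways.values():
        print(gw.name, "has", len(gw.routes), "routes")
```

Spoke-to-spoke traffic always passes through the hub twice-encrypted (once per tunnel), and a spoke's table stays at two entries however many sites are added, which is the scalability property the original post asks about; the trace also makes the stated single point of failure visible, since every path has the hub as its second hop.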
