Date: Thu, 1 Nov 2007 15:45:11 +0600
From: Victor Sudakov <sudakov@sibptus.tomsk.ru>
To: User Questions <freebsd-questions@freebsd.org>
Subject: Re: IPSec SPD
Message-ID: <20071101094511.GA70701@admin.sibptus.tomsk.ru>
In-Reply-To: <1193413500.2919.30.camel@ingress.pitbpa0.priv.collaborativefusion.com>
References: <20071026095508.GA60816@admin.sibptus.tomsk.ru> <1193413500.2919.30.camel@ingress.pitbpa0.priv.collaborativefusion.com>
Brian A Seklecki (Mobile) wrote:
> > Suppose our remote office uses the 10.1.1.0/24 network, and the whole
> > company uses the 10.0.0.0/8 network.
> >
> > How do we set up the SPD entries to encrypt traffic to the
> > headquarters and back?
>
> I do a hub and spoke config just like this using OpenBSD and Cisco VPN3k
> using /24s at the edge and /16s at the core. All works well. Better
> than full mesh.
>
> I just ran into a small bug with the new IPsec stack in OpenBSD where I
> had to have a "null" policy -- otherwise traffic with destination routes
> for the locally connected /24 would accidentally be fwd'd across the
> tunnel (because ipsec tunnel evaluation happens earlier in ip_output(),
> which is non-standard)
>
> > spdadd 10.0.0.0/8 10.1.1.0/24
> > ...
> > spdadd 10.1.1.0/24 10.0.0.0/8
> > ...

Thank you Brian, this works. I should not have worried. On FreeBSD 6.2 it
works even without any "null" policy (I think you meant the "none" policy).

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:sudakov@sibptus.tomsk.ru
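A full setkey(8) SPD for the remote-office (spoke) gateway described in the thread, written out as an added example rather than anything posted by either participant. The gateway addresses 203.0.113.10 (spoke) and 203.0.113.1 (hub) are assumptions; the "none" entries are Brian's OpenBSD workaround and, per Victor, are not needed on FreeBSD 6.2.

```conf
# Spoke-side SPD in setkey(8) syntax (assumed layout, not from the thread):
#   10.1.1.0/24  - remote office, behind this gateway
#   10.0.0.0/8   - the whole company, reached via the hub
#   203.0.113.10 - this gateway's public address (assumed)
#   203.0.113.1  - the hub's public address (assumed)
# Only the policy database is cleared; SAs negotiated by racoon are kept.
spdflush;

# Optional "none" policies: traffic that stays inside the local /24 must
# not be pushed into the tunnel. Brian needed these on OpenBSD; Victor
# reports FreeBSD 6.2 selects the right policy without them. They are
# listed first so the specific /24 match is found before the /8 entries.
spdadd 10.1.1.0/24 10.1.1.0/24 any -P out none;
spdadd 10.1.1.0/24 10.1.1.0/24 any -P in  none;

# Spoke -> HQ: everything from the remote /24 to the company /8 goes
# through the ESP tunnel to the hub; "require" drops it if no SA exists.
spdadd 10.1.1.0/24 10.0.0.0/8 any -P out ipsec
    esp/tunnel/203.0.113.10-203.0.113.1/require;

# HQ -> spoke: inbound traffic for the remote /24 must arrive through the
# reverse tunnel, so cleartext packets claiming a 10.0.0.0/8 source are
# rejected rather than accepted.
spdadd 10.0.0.0/8 10.1.1.0/24 any -P in ipsec
    esp/tunnel/203.0.113.1-203.0.113.10/require;
```

The hub carries the mirror image (10.0.0.0/8 to 10.1.1.0/24 out, the reverse in, with the tunnel endpoints swapped); load with `setkey -f <file>` and confirm the entry order and directions with `setkey -DP`.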