From: Mike Tancsa
To: zaphod@fsklaw.com, freebsd-net@freebsd.org
Subject: Re: Tunneling issues
Date: Thu, 03 Jul 2008 21:55:41 -0400
Message-Id: <200807040155.m641tl8s000607@lava.sentex.ca>
In-Reply-To: <8f7879db41dbaecc479a017110e8f32f.squirrel@cor>
List-Id: Networking and TCP/IP with FreeBSD

At 03:15 PM 7/3/2008, zaphod@fsklaw.com wrote:
>I have a real poser, and I can't solve it.
>
>Currently I have an ipsec vpn tunneling 14 servers through a central server.
>
>I would like to restructure this so that each server talks to each other
>directly, rather than passing everything through a single server.
>
>However, on every other machine I cannot get a second tunnel to come up.
>Not a gre or gif tunnel. And yet I have 14 on the central machine.

You would need a lot of policies on each of the boxes (14), but there is no reason it should not work. Does each of the sites have a unique subnet? Do they have static IP addresses?

An easier solution might be to use something like OpenVPN, which allows all the boxes to auth and route through a single server, but they can also talk to each other with a single config option.

---Mike