Routing IPSEC packets?
Bjoern A. Zeeb
bzeeb-lists at lists.zabbadoz.net
Fri Aug 18 11:30:13 UTC 2006
On Fri, 18 Aug 2006, Remko Lodder wrote:
> I want to do the following; I have three IPsec endpoints
> at this moment, one at home, one in my personal colo environment
> and one in another colo environment.
>
> The machine(s) in the personal colo environment are the point
> to where all the others connect to. So the other colo env
> connects to the personal colo environment, and my home also
> connects to the personal colo environment.
>
> I would like to be able to:
>
> Other colo -- ipsec tunnel -- personal colo -- ipsec -- home
No, you really want to do:
         home
        /    \
  pcolo ------ ocolo
> Have these communications possible, and of course the other way
> around. In the event that another tunnel will be attaching,
> I would like to be able to route these packets to the other
> host as well (so that I can reach all the IPsec tunneled hosts
> from the IPsec network, from wherever I will be, either road
> warrior, or just at home, or at one of the colo machines).
You do not "route" IPsec traffic. You define appropriate policies and
be done. You only need gif(4) if you really want to route and use a
link-state protocol.
You of course can do:
home ---- pcolo ---- ocolo
that means policies (I'll leave the reverse
direction to you):
home policies:
  from home to pcolo, tunnel endpoints home/pcolo
  from home to ocolo, tunnel endpoints home/pcolo
pcolo:
  from pcolo to home, tunnel endpoints pcolo/home
  from pcolo to ocolo, tunnel endpoints pcolo/ocolo
  from home to ocolo, tunnel endpoints pcolo/ocolo
  from ocolo to home, tunnel endpoints pcolo/home
ocolo:
  from ocolo to pcolo, tunnel endpoints ocolo/pcolo
  from ocolo to home, tunnel endpoints ocolo/pcolo
The only thing that needs to be routed somehow are
the tunnel endpoints but you usually have a default route on
all of the boxes which would be enough.
--
Bjoern A. Zeeb bzeeb at Zabbadoz dot NeT
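The pcolo policies above written out as a setkey(8) SPD configuration, including the inbound (reverse) direction the mail leaves to the reader. This is an added example, not part of the original message; the addresses are constructed placeholders (home = 192.0.2.1, pcolo = 203.0.113.1, ocolo = 198.51.100.1) and the SAs are assumed to be installed separately by an IKE daemon or manual "add" lines.

```conf
# Added example: SPD entries for the hub (pcolo) in home ---- pcolo ---- ocolo.
# Constructed placeholder addresses:
#   home = 192.0.2.1    pcolo = 203.0.113.1    ocolo = 198.51.100.1
# Only policies are shown; the ESP SAs come from IKE or from "add" lines.
# pcolo must have net.inet.ip.forwarding=1 or the transit policies never
# see a packet. If an endpoint fronts a network, widen its /32 selector.
spdflush;

# pcolo <-> home, direct tunnel
spdadd 203.0.113.1/32 192.0.2.1/32 any -P out ipsec esp/tunnel/203.0.113.1-192.0.2.1/require;
spdadd 192.0.2.1/32 203.0.113.1/32 any -P in  ipsec esp/tunnel/192.0.2.1-203.0.113.1/require;

# pcolo <-> ocolo, direct tunnel
spdadd 203.0.113.1/32 198.51.100.1/32 any -P out ipsec esp/tunnel/203.0.113.1-198.51.100.1/require;
spdadd 198.51.100.1/32 203.0.113.1/32 any -P in  ipsec esp/tunnel/198.51.100.1-203.0.113.1/require;

# transit home -> ocolo: must arrive inside home's tunnel, leaves inside ocolo's
spdadd 192.0.2.1/32 198.51.100.1/32 any -P in  ipsec esp/tunnel/192.0.2.1-203.0.113.1/require;
spdadd 192.0.2.1/32 198.51.100.1/32 any -P out ipsec esp/tunnel/203.0.113.1-198.51.100.1/require;

# transit ocolo -> home: the reverse direction, same idea
spdadd 198.51.100.1/32 192.0.2.1/32 any -P in  ipsec esp/tunnel/198.51.100.1-203.0.113.1/require;
spdadd 198.51.100.1/32 192.0.2.1/32 any -P out ipsec esp/tunnel/203.0.113.1-192.0.2.1/require;
```

The "require" level on the inbound transit entries is what makes the hub drop home/ocolo traffic that shows up in the clear instead of inside the expected tunnel; without them a plain-text packet with a spoofed source would be forwarded like any other.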