Routing IPSEC packets?

Brian Candler B.Candler at pobox.com
Fri Aug 18 18:02:02 UTC 2006


On Fri, Aug 18, 2006 at 11:59:39AM +0200, Remko Lodder wrote:
> Of course I should do the [1] trick:
> 
> I want to do the following; I have three IPsec endpoints
> at this moment, one at home, one in my personal colo environment
> and one in another colo environment.
> 
> The machine(s) in the personal colo environment are the point
> to where all the others connect to.  So the other colo env
> connects to the personal colo environment, and my home also
> connects to the personal colo environment.
> 
> I would like to be able to:
> 
> Other colo -- ipsec tunnel -- personal colo -- ipsec -- home
> 
> Have these communications possible, and of course the other way
> around.  In the event that another tunnel will be attaching,
> I would like to be able to route these packets to the other
> host as well (so that I can reach all the IPsec tunneled hosts
> from the IPsec network, from wherever I will be, either
> road-warrior, or just at home, or at one of the colo machines).

That's fine, you just have to set up your SAs properly. For example, if you
are using 10.* private addresses everywhere, then on the 'spoke' machines
you set up an SA that looks like

    10.0.1.0/24 -> 10.0.0.0/8

(if 10.0.1.0/24 is the address range assigned to this particular client).
All other 10.* addresses will be routed down the tunnel.

Or, you can always set up multiple SAs, e.g. at the 'other colo' side you
could set up SAs for

    10.0.1.0/24 -> 10.0.2.0/24
    10.0.1.0/24 -> 10.0.3.0/24

both with a tunnel IP of the 'personal colo' server. Here, I'm assuming that
10.0.2.0/24 is the 'personal colo' space, and 10.0.3.0/24 is the 'home'
space.

Regards,

Brian.
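The hub-and-spoke policy described above, written out as a setkey(8) SPD configuration. This is a constructed example added here, not configuration from the thread; the inner ranges are the ones Brian assumes (10.0.1.0/24 other colo, 10.0.2.0/24 personal colo as hub, 10.0.3.0/24 home) and the public tunnel endpoints are RFC 5737 documentation addresses picked for the example (203.0.113.1 other colo, 192.0.2.1 hub, 198.51.100.1 home).

```conf
# Constructed example: selectors follow the thread, public endpoints are
# documentation addresses (203.0.113.1 other colo, 192.0.2.1 hub, 198.51.100.1 home).

# --- spoke: "other colo", 10.0.1.0/24 ---
# The "multiple SAs" variant: one policy per remote range, every one of them
# with the hub (192.0.2.1) as the tunnel peer, so home traffic is also sent to
# the hub and forwarded from there.
spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec esp/tunnel/203.0.113.1-192.0.2.1/require;
spdadd 10.0.1.0/24 10.0.3.0/24 any -P out ipsec esp/tunnel/203.0.113.1-192.0.2.1/require;
spdadd 10.0.2.0/24 10.0.1.0/24 any -P in  ipsec esp/tunnel/192.0.2.1-203.0.113.1/require;
spdadd 10.0.3.0/24 10.0.1.0/24 any -P in  ipsec esp/tunnel/192.0.2.1-203.0.113.1/require;

# --- hub: "personal colo", 10.0.2.0/24 ---
# Outbound: anything in 10/8 (the hub's own LAN, or a packet just decrypted from
# the other spoke and forwarded) destined for a spoke goes down that spoke's tunnel.
spdadd 10.0.0.0/8 10.0.1.0/24 any -P out ipsec esp/tunnel/192.0.2.1-203.0.113.1/require;
spdadd 10.0.0.0/8 10.0.3.0/24 any -P out ipsec esp/tunnel/192.0.2.1-198.51.100.1/require;
# Inbound: "require" means a cleartext packet that merely claims a spoke source
# address (e.g. 10.0.1.x arriving outside the tunnel) is discarded, not forwarded.
spdadd 10.0.1.0/24 10.0.0.0/8 any -P in  ipsec esp/tunnel/203.0.113.1-192.0.2.1/require;
spdadd 10.0.3.0/24 10.0.0.0/8 any -P in  ipsec esp/tunnel/198.51.100.1-192.0.2.1/require;
```

The kernel still needs a route for each inner range (the SPD lookup happens only after ip_output has found a route) and the hub needs net.inet.ip.forwarding=1 for spoke-to-spoke traffic. With IKE (racoon) the same selectors become the phase 2 identities and the SAs are negotiated instead of added by hand.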

