
[Users] Star topology with n-1 tunnels

From: Poltorak Serguei (poltorak_at_df.ru)
Date: Tue Jul 23 2002 - 12:34:18 CEST


Hello

About the so famous question: often people want to connect their LANs via
IPsec in a star topology, e.g.:

[ 192.168.1.32/27 ]=======[ 192.168.1.0/27 ]========[ 192.168.1.64/27 ]
   192.168.0.33             192.168.0.199             192.168.0.50

===== is VPN over 192.168.0.0/24 network

we would like to set up only two connections:
192.168.1.32/27-192.168.0.33=====192.168.0.199-192.168.1.0/27
192.168.1.64/27-192.168.0.50=====192.168.0.199-192.168.1.0/27

but as we know, we could not connect
192.168.1.32/27 and 192.168.1.64/27 with these tunnels...

one way is to set up a third tunnel
192.168.1.32/27-192.168.0.33=====192.168.0.199-192.168.1.64/27

I propose instead to set up two tunnels:
192.168.1.32/27-192.168.0.33=====192.168.0.199-192.168.1.0/24
192.168.1.64/27-192.168.0.50=====192.168.0.199-192.168.1.0/24
and attach 192.168.1.0/27 to 192.168.0.199 host, enable forwarding

For debugging (I don't have enough machines, so my secure_gw is a host from
its .1.xx/27 net) I do:
on 192.168.0.33 (192.168.1.33):
 ip a a 192.168.1.33/27 dev eth0
 ip r r 192.168.1.0/24 via 192.168.0.199 dev ipsec0 src 192.168.1.33
on 192.168.0.50 (192.168.1.65):
 ip a a 192.168.1.65/27 dev eth0
 ip r r 192.168.1.0/24 via 192.168.0.199 dev ipsec0 src 192.168.1.65
on 192.168.0.199 (192.168.1.1):
 ip a a 192.168.1.1/27 dev eth0
 ip r r 192.168.1.32/27 via 192.168.0.33 dev ipsec0 src 192.168.1.1
 ip r r 192.168.1.64/27 via 192.168.0.50 dev ipsec0 src 192.168.1.1

now you can ping
 from 192.168.1.33 to 192.168.1.1 (simple test)
 from 192.168.1.65 to 192.168.1.1 -"-
 from 192.168.1.33 to 192.168.1.65 via two tunnels at the same time.

after some changes you can do it with 192.168.x.0/24 networks and
192.168.0.0/16 in place of 192.168.1.0/24 in my config.
 
I hope this was explained in a simple way :)
maybe this was already done by someone... excuse the noise on the list..
but I remark that it's better than three tunnels, 'cause clients need not
know the other LAN's address.... it's useful with roadwarrior clients, who
can talk via the central office net when both are connected to the office.

If this config doesn't conflict with something, why not add it to the
docs? If it does, let me know please.
If you have any comments, send them please.
thx.

PoltoS/

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
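Added example, not part of the post above or of FreeS/WAN: a small Python model of the hub-and-spoke layout the mail describes. Each host carries the routes from the `ip route` lines in the post, and a hop across a tunnel is allowed only when the packet's source and destination fall inside that tunnel's subnet selectors. The host names (`hub`, `spoke_a`, `spoke_b`), the `Tunnel` and `Host` types and the simplified policy check are constructed for illustration; real KLIPS eroute handling is more involved. The trace shows why the proposed /24 selectors on the hub side let spoke-to-spoke traffic pass through two tunnels, why /27 selectors with the same routes do not, and why forwarding on the hub is required. The same model also makes the operational point visible: between the two tunnels the hub handles spoke-to-spoke packets in the clear and, with a /24 route on the spokes, becomes a transit router for them, so forwarding on the hub should be limited to the tunnel interfaces and the subnets it is meant to join.

```python
"""Hop-by-hop trace of the hub-and-spoke tunnel layout from the mail.

Constructed model, not FreeS/WAN or kernel code: hosts carry the routes from
the `ip route` commands in the post, and a hop over a tunnel is allowed only
if the packet's (src, dst) pair matches that tunnel's subnet selectors.
"""
import ipaddress
from dataclasses import dataclass

IP = ipaddress.ip_address
NET = ipaddress.ip_network


@dataclass
class Host:
    name: str
    addrs: set        # addresses owned by the host (LAN side and VPN side)
    gw: str           # address used as the IPsec tunnel endpoint
    routes: list      # (prefix, next hop or None if directly connected)
    forwarding: bool = True


@dataclass
class Tunnel:
    """One IPsec tunnel: left_subnet <-> right_subnet between two gateways."""
    left_gw: str
    left_subnet: str
    right_gw: str
    right_subnet: str

    def carries(self, gw_from, gw_to, src, dst):
        """True if this tunnel's selectors cover the packet in that direction."""
        ends = [(self.left_gw, self.left_subnet, self.right_gw, self.right_subnet),
                (self.right_gw, self.right_subnet, self.left_gw, self.left_subnet)]
        return any(gw_from == g1 and gw_to == g2
                   and IP(src) in NET(s1) and IP(dst) in NET(s2)
                   for g1, s1, g2, s2 in ends)


def lookup(routes, dst):
    """Kernel-style longest-prefix match; returns (network, next hop) or None."""
    best = None
    for prefix, via in routes:
        net = NET(prefix)
        if IP(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best


def trace(hosts, tunnels, src, dst):
    """Forward a packet from src to dst. Returns (status, hosts visited)."""
    by_addr = {a: h for h in hosts for a in h.addrs}
    here = by_addr[src]
    path = [here.name]
    for hop in range(10):                 # guard against routing loops
        if dst in here.addrs:
            return "delivered", path
        if hop > 0 and not here.forwarding:   # transit host with ip_forward=0
            return "forwarding disabled", path
        route = lookup(here.routes, dst)
        if route is None:
            return "no route", path
        _, via = route
        if via is None:                   # directly connected LAN: handed off locally
            return "delivered", path
        nxt = by_addr[via]
        if not any(t.carries(here.gw, nxt.gw, src, dst) for t in tunnels):
            return "no tunnel policy", path
        here = nxt
        path.append(here.name)
    return "loop", path


# Constructed from the addresses and `ip route` lines in the post.
HUB = Host("hub", {"192.168.0.199", "192.168.1.1"}, "192.168.0.199",
           [("192.168.1.0/27", None),
            ("192.168.1.32/27", "192.168.0.33"),
            ("192.168.1.64/27", "192.168.0.50")])
SPOKE_A = Host("spoke_a", {"192.168.0.33", "192.168.1.33"}, "192.168.0.33",
               [("192.168.1.32/27", None), ("192.168.1.0/24", "192.168.0.199")])
SPOKE_B = Host("spoke_b", {"192.168.0.50", "192.168.1.65"}, "192.168.0.50",
               [("192.168.1.64/27", None), ("192.168.1.0/24", "192.168.0.199")])
HOSTS = [HUB, SPOKE_A, SPOKE_B]

# Proposed pair: /24 on the hub side, so spoke-to-spoke traffic fits the selectors.
PROPOSED = [Tunnel("192.168.0.33", "192.168.1.32/27", "192.168.0.199", "192.168.1.0/24"),
            Tunnel("192.168.0.50", "192.168.1.64/27", "192.168.0.199", "192.168.1.0/24")]
# Naive pair: /27 on the hub side; routes are identical, only the policy differs.
NAIVE = [Tunnel("192.168.0.33", "192.168.1.32/27", "192.168.0.199", "192.168.1.0/27"),
         Tunnel("192.168.0.50", "192.168.1.64/27", "192.168.0.199", "192.168.1.0/27")]


def hub_without_forwarding():
    """Same topology with forwarding switched off on the hub."""
    hub = Host(HUB.name, HUB.addrs, HUB.gw, HUB.routes, forwarding=False)
    return [hub, SPOKE_A, SPOKE_B]


if __name__ == "__main__":
    for label, tunnels in (("proposed", PROPOSED), ("naive", NAIVE)):
        print(label, trace(HOSTS, tunnels, "192.168.1.33", "192.168.1.65"))
    print("no forwarding", trace(hub_without_forwarding(), PROPOSED,
                                 "192.168.1.33", "192.168.1.65"))
```

Running it prints a delivered path of spoke_a, hub, spoke_b for the proposed selectors, a policy rejection at spoke_a for the /27 pair, and a stop at the hub when forwarding is off; the mail's "simple test" to 192.168.1.1 needs only the first tunnel.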



This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:20:26 CEST