start topology "hub" ipsec vpn / routing?

From: tariq_rashid@lineone.net
Date: 10/05/01


To: freebsd-security@freebsd.org
From: tariq_rashid@lineone.net
Date: Fri, 05 Oct 2001 12:23:38 +0100


Good afternoon all!

Is the following theoretically possible?

Star topology VPN:

      subnet--GW-----\               /-----GW--subnet
                      \             /
                       \           /
                           VPN
  subnet--GW-----------  "hub"  -----------GW--subnet
                       /           \
                      /             \
      subnet--GW-----/               \-----GW--subnet

that is, each remote site ipsec gateway (freebsd 4.4R running isakmpd, not racoon due to dynamic
IP allocation) only has a tunnel to the central hub.

the essential point is that once the traffic from a protected subnet emerges at the VPN "hub" the routing
tables of this hub then determine the next ipsec gateway hop and the packets are then re-encrypted and sent
through the next tunnel.

this way, only the central vpn hub needs to have its routing tables maintained. (i realise that if the hub
goes down the whole vpn goes down!)

the usual method requires each vpn gateway to be configured with knowledge of every other gateway and subnet.
thus not very scalable.

am i right or sorely mistaken?...

any ideas or experiences would be appreciated!

tariq
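A toy model of the hub's policy lookup, added here as an illustration (it is not part of the post and not isakmpd or FreeBSD code). It shows the practitioner's caveat behind the question: in IPsec the tunnel a packet enters is chosen by the security policy database (SPD) rather than the plain routing table, so the hub must carry one tunnel-mode policy per spoke subnet while each spoke needs only one policy toward the hub, and a destination the hub has no policy for is discarded rather than leaked in cleartext. Gateway names and the 10.0.0.0/8 address plan are assumptions.

```python
# Added example, not from the original post: a toy model of the hub-and-spoke
# question. In IPsec the tunnel a packet takes is chosen by the security policy
# database (SPD), not the plain routing table, so the hub carries one tunnel-mode
# policy per spoke subnet while each spoke needs only one policy toward the hub.
# Gateway names and the 10.0.0.0/8 address plan are assumptions.
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Policy:
    src: ipaddress.IPv4Network     # traffic selectors
    dst: ipaddress.IPv4Network
    peer: str                      # tunnel endpoint to encapsulate toward

@dataclass
class Gateway:
    name: str
    local: ipaddress.IPv4Network = None   # protected subnet (None for the hub)
    spd: list = field(default_factory=list)

    def lookup(self, src, dst):
        # SPD semantics: the most specific matching selector wins
        hits = [p for p in self.spd if src in p.src and dst in p.dst]
        return max(hits, key=lambda p: (p.dst.prefixlen, p.src.prefixlen)) if hits else None

def build_star(spokes):
    """spokes: {gateway name: protected subnet}. Returns {name: Gateway}."""
    everything = ipaddress.ip_network("10.0.0.0/8")       # assumed VPN address plan
    gws = {"hub": Gateway("hub")}
    for name, net in spokes.items():
        net = ipaddress.ip_network(net)
        gws[name] = Gateway(name, net)
        gws[name].spd.append(Policy(net, everything, "hub"))   # spoke: one policy
        gws["hub"].spd.append(Policy(everything, net, name))   # hub: one per spoke
    return gws

def forward(gws, start, src, dst, max_hops=8):
    """Tunnel hops from gateway `start`; None if an SPD has no match (discard, not cleartext)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hops, here = [], start
    for _ in range(max_hops):
        gw = gws[here]
        if gw.local is not None and dst in gw.local:
            return hops                       # decapsulated and delivered locally
        pol = gw.lookup(src, dst)
        if pol is None:
            return None
        hops.append((here, pol.peer))         # re-encrypt into this tunnel
        here = pol.peer
    return None                               # policy loop: discard
```

Adding a fourth spoke changes only the hub's SPD and the new spoke's single policy; the existing spokes are untouched, which is the scaling property the post is after.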
