star topology "hub" ipsec vpn / routing?

From: tariq_rashid@lineone.net
Date: Fri, 05 Oct 2001 12:23:38 +0100
To: freebsd-security@freebsd.org


Good afternoon all!

Is the following theoretically possible?

Star topology VPN:

      subnet--GW-----          -----GW--subnet
                     \        /
                      \      /
                        VPN
 subnet--GW----------- "hub" -----------GW--subnet
                       /    \
                      /      \
      subnet--GW-----          -----GW--subnet

That is, each remote site ipsec gateway (freebsd 4.4R running isakmpd, not racoon, due to dynamic
IP allocation) only has a tunnel to the central hub.

The essential point is that once the traffic from a protected subnet emerges at the VPN "hub", the routing
tables of this hub then determine the next ipsec gateway hop, and the packets are then re-encrypted and sent
through the next tunnel.

This way, only the central vpn hub needs to have its routing tables maintained. (I realise that if the hub
goes down the whole vpn goes down!)

The usual method requires each vpn gateway to be configured with knowledge of every other gateway and subnet,
and is thus not very scalable.

Am I right or sorely mistaken?

Any ideas or experiences would be appreciated!

tariq
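The hub-and-spoke layout described in the post, written out as the IPsec security policy entries each box would carry and the lookup the hub performs on a forwarded packet. This is an added example, not code from the original post or from FreeBSD/isakmpd. It assumes KAME setkey(8) policy syntax as on FreeBSD 4.x, static gateway addresses for illustration (the post's spokes have dynamic addresses, in which case the hub-side tunnel endpoints would be installed per peer by the keying daemon rather than written statically), and that every protected subnet sits inside one aggregate so a spoke needs only a single policy pair pointing at the hub. The site names, addresses and subnets are constructed sample data.

```python
"""Hub-and-spoke IPsec SPD generator and hub next-tunnel lookup.

Added example, not from the original post. Assumptions:
  * KAME setkey(8) policy syntax as shipped with FreeBSD 4.x:
      spdadd SRC DST any -P DIR ipsec esp/tunnel/A-B/require;
  * Gateway addresses are static here for illustration; the post's spokes
    have dynamic addresses, so the hub-side tunnel endpoints would really be
    learned per peer by the keying daemon rather than written down.
  * All protected subnets sit inside one aggregate (VPN_SUPERNET), so a
    spoke only ever needs one policy pair pointing at the hub.
All site data below is constructed sample input.
"""
from ipaddress import ip_address, ip_network

HUB_GW = "198.51.100.1"          # hub public address (sample)
VPN_SUPERNET = "10.0.0.0/8"      # aggregate of every protected subnet (sample)
# site name -> (spoke gateway public address, protected subnet), sample data
SITES = {
    "london": ("203.0.113.10", "10.1.0.0/16"),
    "paris":  ("203.0.113.20", "10.2.0.0/16"),
    "berlin": ("203.0.113.30", "10.3.0.0/16"),
}


def _policy(src, dst, direction, tunnel_src, tunnel_dst):
    """One setkey spdadd line for an ESP tunnel-mode policy."""
    return (f"spdadd {src} {dst} any -P {direction} ipsec "
            f"esp/tunnel/{tunnel_src}-{tunnel_dst}/require;")


def spoke_policies(name):
    """A spoke knows only its own subnet, the aggregate and the hub:
    two entries, however many other sites exist."""
    gw, subnet = SITES[name]
    return [
        _policy(subnet, VPN_SUPERNET, "out", gw, HUB_GW),
        _policy(VPN_SUPERNET, subnet, "in", HUB_GW, gw),
    ]


def hub_policies():
    """The hub carries one entry pair per site: 'in' accepts a spoke's
    decapsulated traffic bound anywhere in the aggregate, 'out' re-encrypts
    anything bound for that site's subnet. A packet from london to paris
    matches london's 'in' entry on arrival and paris's 'out' entry when
    forwarded, which is the re-encryption step the post describes."""
    lines = []
    for gw, subnet in SITES.values():
        lines.append(_policy(subnet, VPN_SUPERNET, "in", gw, HUB_GW))
        lines.append(_policy(VPN_SUPERNET, subnet, "out", HUB_GW, gw))
    return lines


def hub_next_tunnel(dst_ip):
    """The decision the hub makes on a forwarded packet: which spoke gateway
    is the next tunnel endpoint for this destination, or None when no site
    owns it. KAME passes traffic that matches no policy in the clear, so a
    None here means an unprotected path unless a discard entry catches it."""
    addr = ip_address(dst_ip)
    for gw, subnet in SITES.values():
        if addr in ip_network(subnet):
            return gw
    return None


def policy_counts(n_sites):
    """Total SPD entries for n sites: a full mesh needs each of the n gateways
    to hold a pair per peer; hub-and-spoke needs a pair per spoke plus a pair
    per site on the hub."""
    full_mesh = 2 * n_sites * (n_sites - 1)
    hub_spoke = 2 * n_sites + 2 * n_sites
    return full_mesh, hub_spoke


if __name__ == "__main__":
    print("# spoke: london")
    print("\n".join(spoke_policies("london")))
    print("# hub")
    print("\n".join(hub_policies()))
    print("10.2.7.7 leaves the hub toward", hub_next_tunnel("10.2.7.7"))
    print("mesh vs hub entries for 10 sites:", policy_counts(10))
```

Two things worth checking on a real hub built this way, both assumptions from the KAME behaviour described in the comments rather than anything the post states: a destination inside the aggregate that no site owns is forwarded unencrypted unless a discard policy covers the aggregate, so add one and confirm with `setkey -DP` that it does not shadow the per-site entries on your kernel; and with dynamic spoke addresses the per-site tunnel endpoints must come from the keying daemon, so the hub's static policy set is only the part that does not change per connection.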
