In a message of Wed, 03-03-2004, at 12:07, Richard Atterer writes:

> Later, when network number 42 has been set up to use 10.0.42.0/24, you only
> need to update the DNS entry of ipsec42.mydomain.net and all other LANs 
> should be able to use it. (New IPSec links will be set up on demand once 
> anyone tries to connect to the new network.)

This looks interesting. I didn't see anything in the doc about "on demand"
connections. The doc states that during startup, all tunnels are started,
making startup very long.
Additionally, I don't need all tunnels permanently open when there is
no traffic. Every LAN needs to have the possibility to connect to another, but
may never use most of them.
Typically, there will be few outgoing connections per LAN.

> Obviously, an alternative would be to have one central node which acts
> as a router between any two LANs. This will be much easier to maintain, I
> don't know if the resulting single point of failure and possibly lower
> performance are a problem for you. Each of the 100 LANs would just route
> all 10.0.0.0/16 addresses to the central node, and only the central node
> would be trusted, so you don't have to mess with CAs etc...

Not acceptable due to the traffic and reliability.

best regards
Jarek
