Re: IPSec SPD

2007-11-01 Thread Victor Sudakov
Brian A Seklecki (Mobile) wrote:
> 
> > Suppose our remote office uses the 10.1.1.0/24 network, and the whole
> > company uses the 10.0.0.0/8 network.
> > 
> > How do we set up the SPD entries to encrypt traffic to the
> > headquarters and back?
> > 
> 
> I do hub and spoke config just like this using OpenBSD and Cisco VPN3k
> using /24s at the edge and /16s at the core.  All works well.  Better
> than full mesh.
> 
> I just ran into a small bug with the new IPsec stack in OpenBSD where I
> had to have a null policy -- otherwise traffic with destination routes
> for the locally connected /24 would accidentally be fwd'd across the
> tunnel (because ipsec tunnel evaluation happens earlier in ip_output(),
> which is non-standard)
> 
> 
> > spdadd 10.0.0.0/8 10.1.1.0/24
> > ...
> > spdadd 10.1.1.0/24 10.0.0.0/8
> > ...

Thank you Brian, this works. I should not have worried.
On FreeBSD 6.2 it works even without any null policy (I think you
meant the none policy).

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:[EMAIL PROTECTED]
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
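Added example, written for this page and not code from either poster: a small Python model of the spoke-side SPD the thread is discussing. It parses setkey-style `spdadd` lines (the syntax Victor's fragments use) and classifies sample packets against them, which makes the point of Brian's "none" policy visible: because 10.1.1.0/24 lies inside 10.0.0.0/8, the outbound `10.1.1.0/24 -> 10.0.0.0/8 ipsec` selector also matches traffic between two hosts on the local /24, and a more specific `none` entry is what keeps that traffic out of the tunnel. The tunnel endpoints 192.0.2.1 and 198.51.100.1 are constructed placeholders, and "most specific selector wins" is an assumption of this model, not a description of any particular kernel's SPD search order.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed setkey.conf for the remote office (10.1.1.0/24) side.
# 192.0.2.1 / 198.51.100.1 are placeholder tunnel endpoints, not addresses from the thread.
SPOKE_SETKEY_CONF = """
# local /24 to local /24: explicitly bypass IPsec (Brian's "none" policy)
spdadd 10.1.1.0/24 10.1.1.0/24 any -P out none;
# spoke -> rest of the company: ESP tunnel to the headquarters gateway
spdadd 10.1.1.0/24 10.0.0.0/8 any -P out ipsec esp/tunnel/192.0.2.1-198.51.100.1/require;
# headquarters -> spoke: the mirror entry for inbound traffic
spdadd 10.0.0.0/8 10.1.1.0/24 any -P in ipsec esp/tunnel/198.51.100.1-192.0.2.1/require;
"""


@dataclass
class SpdEntry:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    direction: str  # "in" or "out"
    policy: str     # "none", "discard" or "ipsec"
    rule: str       # protocol/mode/endpoints/level for ipsec policies, empty otherwise


# Only the subset of spdadd syntax used above is accepted.
SPDADD_RE = re.compile(
    r"^spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+(none|discard|ipsec)(?:\s+(\S+))?\s*;$"
)


def parse_setkey(text: str) -> List[SpdEntry]:
    """Parse spdadd lines from a setkey.conf fragment; blank lines and comments are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SPDADD_RE.match(line)
        if not m:
            raise ValueError("unsupported setkey line: " + line)
        src, dst, proto, direction, policy, rule = m.groups()
        entries.append(SpdEntry(ipaddress.ip_network(src), ipaddress.ip_network(dst),
                                proto, direction, policy, rule or ""))
    return entries


def specificity(entry: SpdEntry) -> int:
    # Longer combined prefix length = narrower selector.
    return entry.src.prefixlen + entry.dst.prefixlen


def lookup(entries: List[SpdEntry], src_ip: str, dst_ip: str, direction: str) -> Optional[SpdEntry]:
    """Return the most specific SPD entry matching the packet, or None if no selector matches.

    Model assumption: the narrowest matching selector wins. A real kernel's SPD search
    order may differ; the point here is that the none entry must win over the broad one.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    candidates = [e for e in entries
                  if e.direction == direction and src in e.src and dst in e.dst]
    if not candidates:
        return None
    return max(candidates, key=specificity)


def classify(entries: List[SpdEntry], src_ip: str, dst_ip: str, direction: str = "out") -> str:
    """'clear' (no policy or an explicit none), 'ipsec' or 'discard' for the given packet."""
    entry = lookup(entries, src_ip, dst_ip, direction)
    if entry is None or entry.policy == "none":
        return "clear"
    return entry.policy


if __name__ == "__main__":
    spd = parse_setkey(SPOKE_SETKEY_CONF)
    print("local->local   :", classify(spd, "10.1.1.5", "10.1.1.7"))      # clear
    print("local->HQ      :", classify(spd, "10.1.1.5", "10.2.3.4"))      # ipsec
    print("HQ->local (in) :", classify(spd, "10.2.3.4", "10.1.1.5", "in"))  # ipsec
    # Drop the none entry to reproduce the misrouting Brian describes.
    without_none = [e for e in spd if e.policy != "none"]
    print("local->local, no none policy:", classify(without_none, "10.1.1.5", "10.1.1.7"))  # ipsec
```

Running it shows the two cases side by side: with the `none` entry, host-to-host traffic on 10.1.1.0/24 stays in the clear while anything destined for the rest of 10.0.0.0/8 is tunnelled; with the `none` entry removed, the same local traffic is selected for the tunnel. Whether a given stack ever consults the SPD for a directly connected destination is exactly the difference Victor reports between OpenBSD and FreeBSD 6.2, so the explicit bypass costs nothing where it is not needed.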


Re: IPSec SPD

2007-10-26 Thread Brian A Seklecki (Mobile)
On Fri, 2007-10-26 at 16:55 +0700, Victor Sudakov wrote:
> Colleagues,
> 
> Suppose our remote office uses the 10.1.1.0/24 network, and the whole
> company uses the 10.0.0.0/8 network.
> 
> How do we set up the SPD entries to encrypt traffic to the
> headquarters and back?
> 

I do hub and spoke config just like this using OpenBSD and Cisco VPN3k
using /24s at the edge and /16s at the core.  All works well.  Better
than full mesh.

I just ran into a small bug with the new IPsec stack in OpenBSD where I
had to have a null policy -- otherwise traffic with destination routes
for the locally connected /24 would accidentally be fwd'd across the
tunnel (because ipsec tunnel evaluation happens earlier in ip_output(),
which is non-standard)

~BAS

> spdadd 10.0.0.0/8 10.1.1.0/24
> ...
> spdadd 10.1.1.0/24 10.0.0.0/8
> ...
> 
> is not a good idea, is it?
> 
> Thanks in advance for any input.
> 
