Re: IPSec SPD
Brian A Seklecki (Mobile) wrote:

> > Suppose our remote office uses the 10.1.1.0/24 network, and the whole
> > company uses the 10.0.0.0/8 network. How do we set up the SPD entries
> > to encrypt traffic to the headquarters and back?
>
> I do hub and spoke config just like this using OpenBSD and Cisco VPN3k
> using /24s at the edge and /16s at the core. All works well. Better than
> full mesh.
>
> I just ran into a small bug with the new IPsec stack in OpenBSD where I
> had to have a null policy -- otherwise traffic with destination routes
> for the locally connected /24 would accidentally be fwd'd across the
> tunnel (because ipsec tunnel evaluation happens earlier in ip_output(),
> which is non-standard)
>
> > spdadd 10.0.0.0/8 10.1.1.0/24 ...
> > spdadd 10.1.1.0/24 10.0.0.0/8 ...

Thank you Brian, this works. I should not have worried. On FreeBSD 6.2 it
works even without any null policy (I think you meant the none policy).

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:[EMAIL PROTECTED]

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: IPSec SPD
On Fri, 2007-10-26 at 16:55 +0700, Victor Sudakov wrote:

> Colleagues,
>
> Suppose our remote office uses the 10.1.1.0/24 network, and the whole
> company uses the 10.0.0.0/8 network. How do we set up the SPD entries to
> encrypt traffic to the headquarters and back?

I do hub and spoke config just like this using OpenBSD and Cisco VPN3k
using /24s at the edge and /16s at the core. All works well. Better than
full mesh.

I just ran into a small bug with the new IPsec stack in OpenBSD where I had
to have a null policy -- otherwise traffic with destination routes for the
locally connected /24 would accidentally be fwd'd across the tunnel (because
ipsec tunnel evaluation happens earlier in ip_output(), which is
non-standard)

~BAS

> spdadd 10.0.0.0/8 10.1.1.0/24 ...
> spdadd 10.1.1.0/24 10.0.0.0/8 ...
>
> is not a good idea, is it?
>
> Thanks in advance for any input.
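The selector overlap both posts turn on (the spoke's 10.1.1.0/24 lies inside the company-wide 10.0.0.0/8, so a broad "/24 to /8" tunnel policy also covers intra-office traffic) is easy to check on paper with a small model. The following is an added example written for this page; it is not code from the thread, from FreeBSD or from OpenBSD. It assumes a simplified SPD in which policies are evaluated in file order and the first matching selector wins (real kernels have their own precedence rules; check setkey(8) or ipsecctl(8) for yours), and it uses the documentation addresses 192.0.2.1 and 198.51.100.1 as the two gateways. The "none" entries stand in for the bypass policy Brian needed.

```python
"""
Toy SPD matcher for the hub-and-spoke layout in the thread:
remote office 10.1.1.0/24, company-wide 10.0.0.0/8.

Assumptions (not from the thread or any kernel): policies are checked in
file order, first match wins, and "no policy" means cleartext.
"""
import ipaddress
import re

# Constructed setkey(8)-style policy file for the spoke (remote office) gateway.
# Gateway addresses are documentation addresses chosen for this example.
# The two "none" lines are a bypass for traffic that stays inside the /24;
# without them a packet from 10.1.1.5 to 10.1.1.6 matches the /24 -> /8
# tunnel policy, because the /24 is contained in the /8.
SPOKE_SPD = """
spdadd 10.1.1.0/24 10.1.1.0/24 any -P out none;
spdadd 10.1.1.0/24 10.1.1.0/24 any -P in none;
spdadd 10.1.1.0/24 10.0.0.0/8 any -P out ipsec esp/tunnel/192.0.2.1-198.51.100.1/require;
spdadd 10.0.0.0/8 10.1.1.0/24 any -P in ipsec esp/tunnel/198.51.100.1-192.0.2.1/require;
"""

# Minimal subset of the spdadd grammar: src dst any -P dir (none | ipsec ...);
POLICY_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+any\s+-P\s+(in|out)\s+(none|ipsec\s+\S+)\s*;"
)


def parse_spd(text):
    """Parse spdadd lines into (src_net, dst_net, direction, action), keeping file order."""
    policies = []
    for m in POLICY_RE.finditer(text):
        src, dst, direction, action = m.groups()
        policies.append(
            (ipaddress.ip_network(src), ipaddress.ip_network(dst), direction, action)
        )
    return policies


def lookup(policies, src, dst, direction):
    """Return the action of the first policy whose selectors cover the flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, pdir, action in policies:
        if pdir == direction and s in src_net and d in dst_net:
            return action
    return "no-policy"


def classify(policies, src, dst, direction="out"):
    """Map the matched action to what happens to the packet: bypass, tunnel or cleartext."""
    action = lookup(policies, src, dst, direction)
    if action == "none":
        return "bypass"
    if action.startswith("ipsec"):
        return "tunnel"
    return "cleartext"


def without_bypass(policies):
    """The same SPD with the 'none' entries removed, i.e. only the two spdadd lines from the thread."""
    return [p for p in policies if p[3] != "none"]


if __name__ == "__main__":
    spd = parse_spd(SPOKE_SPD)
    for src, dst in [("10.1.1.5", "10.0.5.7"), ("10.1.1.5", "10.1.1.6"), ("10.1.1.5", "203.0.113.9")]:
        print(f"{src} -> {dst}: with bypass={classify(spd, src, dst)}, "
              f"without bypass={classify(without_bypass(spd), src, dst)}")
```

The third line of output is the one to watch: with only the two broad policies, traffic between two hosts in the office /24 evaluates to "tunnel", which is the mis-forwarding Brian observed on OpenBSD; the more specific bypass entry placed ahead of it restores "bypass", while traffic to the rest of the /8 still tunnels and traffic outside the company range stays cleartext.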