hub and spoke VPN???
I'm new to this mailing list and fairly new to *BSD. I'm quite experienced as
an administrator of Linux, Solaris and FireWall-1 firewalls.
I have a problem or idea that I hope OpenBSD can solve for me, or actually
for the company I'm managing the networks for.
I would like to have some 'hub and spoke' VPNs, I guess IPsec. To give some
background information, we have a number of offices connected via leased
lines in a star network where the main office has the corporate Internet
Now to the two problems. First, we have one office that connects to the rest
of the networks and the Internet via a dial-up connection. What we would like
to do is to set up a VPN via the Internet for that office. The reason I
would like to have it as a spoke office is that we would like to have just
one access route to the Internet. With another FireWall-1 firewall at that
office I wouldn't get a spoke, because FireWall-1 only supports meshed VPNs,
and a FireWall-1 license costs money :-(
The second problem is that we would like to have some internal VPNs for
project environments, etc. This looks much like VLANs, but today we don't
have network switches, etc. that support VLANs in all offices.
So, can I solve these problems with OpenBSD and some VPN configuration? I
have searched the mailing list archives but have just seen some questions where
the spokes had dynamic addresses on the "outside" and stuff like that. And the
replies often just ask why fully meshed isn't possible. In our case, fully
meshed doesn't fit into the company policy of only one access point to
the Internet. (I know that the Internet VPN is in a way an access point to
the Internet, but it wouldn't look like that to the users.)
Does OpenBSD have any sort of policy routing? Can I say that any packets
entering a box at one interface have to be delivered to a particular interface
or VPN tunnel? In the internal VLAN setup I would like to prevent someone
on the project networks from sneaking out of the VPN to access other parts of
our internal networks without passing through the central point for the
project networks, where we have a firewall that should manage this project