
hub and spoke VPN???



Hi,

I'm new to this maillist and fairly new to *BSD. I'm quite experienced as
an administrator of Linux, Solaris and FireWall-1 firewalls.


I have a problem or idea that I hope OpenBSD can solve for me or actually 
the company I'm managing the networks for.
I would like to have some 'hub and spoke' VPNs, I guess IPsec. To give some 
background information we have a number of offices connected via leased 
lines in a star network where the main office has the corporate Internet 
connection.

Now to the two problems. First we have one office that connects to the rest 
of the networks and Internet via a dial-up connection. What we would like
to do is to set up a VPN via the Internet for that office. The reason I
would like to have it as a spoke office is that we would like to just have
one access route to the Internet. With another FireWall-1 firewall at that 
office I wouldn't get a spoke because FireWall-1 only supports meshed VPNs, 
and a FireWall-1 license costs money :-(

The second problem is that we would like to have some internal VPNs for 
project environments, etc. This looks much like VLAN, but today we don't
have network switches, etc. in all offices that support VLAN.


So, can I solve these problems with OpenBSD and some VPN configuration? I 
have searched the maillist archives but just seen some questions where the 
spokes had dynamic addresses on the "outside" and stuff like that. And the 
replies often just ask why fully meshed isn't possible. In our case fully 
meshed doesn't fit into the company policies with only one access point to
the Internet. (I know that the Internet VPN is in a way an access point to
the Internet, but it wouldn't look like that for the users).


Does OpenBSD have any sort of policy routing? Can I say that any packets 
entering a box at one interface have to be delivered to a particular interface 
or VPN tunnel? In the internal VLAN setup I would like to prevent someone
at the project networks from sneaking out of the VPN to access other parts of
our internal networks without passing through the central point for the 
project networks, where we have a firewall that should manage these project 
networks.


Thanks
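As an added example (not part of the original post) of the hub-and-spoke layout and the "everything only through the tunnel" policy asked about above, assuming an OpenBSD release with ipsec.conf(5)/ipsecctl(8) and pf(4) rather than the older isakmpd.conf format; all addresses, interface names and the pre-shared key are constructed placeholders:

```conf
# ---- /etc/ipsec.conf on the hub (main office) ----
# Placeholder addresses; the spoke LAN is 10.20.0.0/24.
hub_ext   = "203.0.113.1"
spoke_ext = "198.51.100.7"
spoke_lan = "10.20.0.0/24"

# One tunnel per spoke. "0.0.0.0/0" on the hub side means the spoke sends
# all traffic (corporate nets and Internet) through the hub, so the hub's
# firewall stays the single access point. No flow ever points from one
# spoke LAN to another: spoke-to-spoke traffic is decrypted here, passes
# the hub's pf rules, and is re-encrypted towards the other spoke.
ike passive esp from 0.0.0.0/0 to $spoke_lan local $hub_ext peer $spoke_ext psk "REPLACE-WITH-A-LONG-RANDOM-SECRET"

# ---- /etc/ipsec.conf on the spoke (the dial-up office) ----
hub_ext   = "203.0.113.1"
spoke_ext = "198.51.100.7"
spoke_lan = "10.20.0.0/24"

# Keep local LAN traffic out of the 0/0 flow (otherwise traffic to the
# gateway's own LAN address would be pulled into the tunnel).
flow esp from $spoke_lan to $spoke_lan type bypass

# Everything else from the office LAN goes to the hub, and nowhere else.
ike esp from $spoke_lan to 0.0.0.0/0 local $spoke_ext peer $hub_ext psk "REPLACE-WITH-A-LONG-RANDOM-SECRET"

# ---- /etc/pf.conf on the spoke: enforce the same policy per packet ----
ext_if    = "pppoe0"        # placeholder: Internet-facing interface
lan_if    = "em1"           # placeholder: office LAN interface
hub_ext   = "203.0.113.1"
spoke_lan = "10.20.0.0/24"

set skip on lo
block log all

# The only cleartext allowed on the external interface is IKE and ESP
# exchanged with the hub; LAN traffic can never leave unencrypted.
pass out on $ext_if proto udp from ($ext_if) to $hub_ext port { 500, 4500 }
pass out on $ext_if proto esp from ($ext_if) to $hub_ext
pass in  on $ext_if proto udp from $hub_ext to ($ext_if) port { 500, 4500 }
pass in  on $ext_if proto esp from $hub_ext to ($ext_if)

# pf sees tunnelled packets twice: on the LAN interface and again on
# enc0 once they have matched the IPsec flow, so both need a rule.
pass in  on $lan_if from $spoke_lan
pass out on $lan_if to $spoke_lan
pass on enc0 from $spoke_lan
pass on enc0 to $spoke_lan
```

On the hub, pf needs matching pass rules on enc0 plus a nat-to rule on its external interface for the spoke LAN's Internet-bound traffic. Check the installed flows and SAs with `ipsecctl -sa` after `ipsecctl -f /etc/ipsec.conf` on each side.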