Re: hub and spoke VPN???
Yes, it will and does. I've configured a few such networks.
Most of the "problems" with a solution such as this usually fall down to
problems in IP-routing, which basically means that by applying sane
numbering of the connected networks those problems are minimized or go
away entirely.
In routing terms, typically, the "spoke" networks default-route via the
VPN, and the "hub" just does normal IP routing (default to the Internet).
Traffic matching the tunnels (or SPD entries) is tunneled to its
various spoke networks.
The second problem can be handled in much the same way, although I expect
it to be somewhat simpler to set up than the previous. Also, depending on
the network design, it can probably be an advantage (administration-wise)
to put these tunnels on another box.
//Håkan
On Mon, 29 Apr 2002, Magnus Sandberg wrote:
> Hi,
>
> I'm new to this maillist and fairly new to *BSD. I'm quite experienced as
> an administrator of Linux, Solaris and FireWall-1 firewalls.
>
>
> I have a problem or idea that I hope OpenBSD can solve for me or actually
> the company I'm managing the networks for.
> I would like to have some 'hub and spoke' VPNs, I guess IPsec. To give some
> background information we have a number of offices connected via leased
> lines in a star network where the main office has the corporate Internet
> connection.
>
> Now to the two problems. First we have one office that connects to the rest
> of the networks and Internet via a dial-up connection. What we would like
> to do is to set up a VPN via the Internet for that office. The reason I
> would like to have it as a spoke office is that we would like to just have
> one access route to the Internet. With another FireWall-1 firewall at that
> office I wouldn't get a spoke because FireWall-1 only supports meshed VPNs,
> and a FireWall-1 license costs money :-(
>
> The second problem is that we would like to have some internal VPNs for
> project environments, etc. This looks much like VLAN but today we don't
> have network switches, etc. in all offices that support VLAN.
>
>
> So, can I solve these problems with OpenBSD and some VPN configuration? I
> have searched the maillist archives but have just seen some questions where the
> spokes had dynamic addresses on the "outside" and stuff like that. And the
> replies often just ask why fully meshed isn't possible. In our case fully
> meshed doesn't fit into the company policies with only one access point to
> the Internet. (I know that the Internet VPN is in a way an access point to
> the Internet, but it wouldn't look like that for the users).
>
>
> Does OpenBSD have any sort of policy routing? Can I say that any packets
> entering a box at one interface have to be delivered to a particular interface
> or VPN-tunnel? In the internal VLAN setup I would like to prevent someone
> at the project networks from sneaking out of the VPN to access other parts of
> our internal networks without passing through the central point for the
> project networks, where we have a firewall that should manage these project
> networks.
>
>
> Thanks
>
>
--
Håkan Olsson <ho@crt.se> (+46) 708 437 337 Carlstedt Research
Unix, Networking, Security (+46) 31 701 4264 & Technology AB
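An added example of the layout Håkan describes (spokes default-routing through the tunnel, the hub routing normally and tunnelling whatever matches a spoke's flow), plus a pf rule for Magnus's policy-routing question. It is not from the thread and uses the later ipsec.conf(5)/pf.conf(5) syntax rather than the isakmpd.conf of 2002; all addresses, interface names and the PSK are constructed.

```conf
# ---- hub gateway: /etc/ipsec.conf (constructed example) ----
# The hub keeps its normal default route to the Internet. The only IPsec
# flows it carries are "anything -> this spoke's LAN", one per spoke, so
# spoke-to-spoke traffic also transits the hub.
hub_pub    = "203.0.113.1"       # hub's Internet address (constructed)
spoke1_pub = "198.51.100.7"      # dial-up office's Internet address (constructed)
spoke1_net = "10.1.0.0/24"       # LAN behind the dial-up office (constructed)

ike esp from any to $spoke1_net local $hub_pub peer $spoke1_pub \
        psk "constructed-psk-replace-me"
# one more "ike esp from any to $spokeN_net ..." line per additional spoke

# ---- spoke gateway (dial-up office): /etc/ipsec.conf ----
# A single flow "my LAN -> anywhere" sends all LAN traffic, Internet
# traffic included, into the tunnel; the gateway's own default route via
# the ISP is used only to carry the IKE/ESP packets to the hub.
hub_pub    = "203.0.113.1"
spoke1_pub = "198.51.100.7"
spoke1_net = "10.1.0.0/24"

ike esp from $spoke1_net to any local $spoke1_pub peer $hub_pub \
        psk "constructed-psk-replace-me"

# ---- project-network gateway: /etc/pf.conf fragment ----
# Packets arriving on the project interface may only go where the project
# IPsec flow takes them (the network behind the central project firewall);
# anything else is dropped and logged, so the project LAN cannot bypass
# the tunnel to reach other internal networks. pf uses last-match semantics.
proj_if  = "em1"                 # project LAN interface (constructed)
proj_net = "10.50.0.0/24"        # project LAN (constructed)
proj_hub = "10.0.1.0/24"         # net behind the central project firewall (constructed)

block in log on $proj_if from $proj_net to any
pass in on $proj_if from $proj_net to $proj_hub
```

The pass rule only admits traffic the project flow will encapsulate; the corresponding decrypted traffic is filtered on enc0 as usual.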