Re: hub and spoke VPN???

[Philipp Buehler <lists@fips.de>]

On 29/04/2002, Hakan Olsson <ho@crt.se> wrote Cc misc@openbsd.org:
> In routing terms, typically, the "spoke" networks default-route via the
> VPN, and the "hub" just does normal IP routing (default to the Internet).
> Traffic matching the tunnels (or SPD entries) are tunneled to their
> various spoke networks.

Can you show such a configuration? 

I was not able to create aggregated routing entries (within isakmpd.conf)
in a setup like a simple star.

Let's say [A-D] are branch offices, and X is the central gate.

Since the branch offices use their Internet connection for public
Internet aswell, I cannot use default routes via the VPN tunnels.

All branch offices have a /16 or /24 out of 172.16/12, so I tried
to configure on A-D a remote-net-id as a subnet of 172.16/12 and
on X the appropriate branch prefixes, like 172.17/16.

Basically "hoping" that the routing of local addresses within
a branch is more specific (say, has longer prefix masks).

Since my time was short, and it didnt worked out in first place,
I switched to fully define the remote networks. But this sucks
in sense of new branches, if 'E' is added, A-D,X have to be
updated.

Any thoughts?

ciao
-- 
Philipp Buehler, aka fips | sysfive.com GmbH | BOfH | NUCH | <double-p> 

#1: Break the clue barrier!
#2: Already had buzzword confuseritis ?