IPSec SPD
Brian A Seklecki (Mobile)
bseklecki at collaborativefusion.com
Fri Oct 26 08:45:01 PDT 2007
On Fri, 2007-10-26 at 16:55 +0700, Victor Sudakov wrote:
> Colleagues,
>
> Suppose our remote office uses the 10.1.1.0/24 network, and the whole
> company uses the 10.0.0.0/8 network.
>
> How do we set up the SPD entries to encrypt traffic to the
> headquarters and back?
>
I do a hub and spoke config just like this using OpenBSD and Cisco VPN3k
using /24s at the edge and /16s at the core. All works well. Better
than full mesh.
I just ran into a small bug with the new IPsec stack in OpenBSD where I
had to have a "null" policy -- otherwise traffic with destination routes
for the locally connected /24 would accidentally be fwd'd across the
tunnel (because ipsec tunnel evaluation happens earlier in ip_output(),
which is non-standard).
~BAS
> spdadd 10.0.0.0/8 10.1.1.0/24
> ...
> spdadd 10.1.1.0/24 10.0.0.0/8
> ...
>
> is not a good idea, is it?
>
> Thanks in advance for any input.
>
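A setkey.conf fragment for the branch side of the arrangement discussed above, added here as an illustration (it is not configuration from either poster). The gateway addresses 192.0.2.1 (branch) and 198.51.100.1 (HQ) are placeholders, and the bypass entries for the local /24 are listed before the tunnel entries on the assumption that the SPD is searched in insertion order, so that local traffic, which also falls inside 10.0.0.0/8, is never selected for the tunnel.

```conf
# Branch gateway (placeholder 192.0.2.1), local LAN 10.1.1.0/24,
# company-wide network 10.0.0.0/8 reachable via HQ gateway (placeholder 198.51.100.1).

# 1. Explicit bypass for traffic that stays within the local /24.
#    Without these, 10.1.1.x -> 10.1.1.y would still match the
#    10.1.1.0/24 -> 10.0.0.0/8 tunnel policy below, because the /24
#    is itself part of the /8.
spdadd 10.1.1.0/24 10.1.1.0/24 any -P out none;
spdadd 10.1.1.0/24 10.1.1.0/24 any -P in  none;

# 2. Everything else from the branch LAN to the company /8 goes
#    through the ESP tunnel to HQ, and the reverse direction must
#    arrive through that same tunnel.
spdadd 10.1.1.0/24 10.0.0.0/8 any -P out ipsec esp/tunnel/192.0.2.1-198.51.100.1/require;
spdadd 10.0.0.0/8 10.1.1.0/24 any -P in  ipsec esp/tunnel/198.51.100.1-192.0.2.1/require;
```

The HQ side mirrors these entries with the gateway addresses swapped; on an SPD that prefers the most specific prefix instead of insertion order, the bypass entries still win because 10.1.1.0/24 is longer than 10.0.0.0/8.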