NetBSD-Users archive
IPSEC and routing
Hello,
I have a question about IPSEC and routing tables.
Consider the following typical scenario: grey network A*, connected to router A, wishes
to work with grey network B* behind router B. It is done with typical rules
without any gre tunnels - ipsec.conf is tuned in two lines:
spdadd B* A* any -P in ipsec esp/tunnel/B-A/require;
spdadd A* B* any -P out ipsec esp/tunnel/A-B/require;
This makes the routers create a tunnel and pass any traffic into it. Working
pretty fine and fast.
Once I wished network A* to connect to router B. The only way not to write
many IPSEC rules is to make the routers use their internal address when sending to
the other network. I've tried to do it with routing tables:
route add -net A* B.1
It works, it works pretty fine, but this scenario makes B* hosts work slowly.
Check this out:
Router B sends a packet to network A* - ok, it uses the internal address because of
the route table, and the packet flows into the tunnel. OK.
Then - a host in network B* sends a packet to network A*, and router B puts a
re-route packet into the network before the packet really flows into the tunnel, just
because of the route table. This works pretty slowly.
So, now I have two working scenarios - I put a line into the route table and my
router A can talk to router B between internal network addresses. Or I remove the
routing rule and network A* can talk to network B*.
How can I combine these things? Let the networks talk to each other and to the routers,
and the routers between themselves? In other words - how can I set the source address
for some network without crushing routing itself?
Wrote a pretty long question, sorry :)
--
Sincerely yours
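An added example, not part of the original post: instead of forcing the router's source address through the routing table (which triggers the re-route behaviour described above for B* hosts), the policy side can be made complete so that the router's own external address is also covered by a tunnel selector. The script below generates, for each router, the full matrix of setkey(8) SPD entries: network to network (the two lines from the post), router to network, network to router and router to router. All addresses are constructed placeholders (A_NET, B_NET, A_EXT, B_EXT); the helper names (spd_pair, spd_matrix, spd_covers, spd_count) are mine, and the output is meant to be reviewed and then fed to `setkey -c`.

```shell
#!/bin/sh
# Added example (not from the original post): generate the complete IPsec SPD
# for both routers so that net<->net, router<->net and router<->router traffic
# all match a tunnel policy, with no change to the routing table.
# All addresses below are constructed placeholders.
A_NET=10.1.0.0/16      # grey network A* behind router A
B_NET=10.2.0.0/16      # grey network B* behind router B
A_EXT=192.0.2.1        # router A's external (tunnel endpoint) address
B_EXT=198.51.100.1     # router B's external (tunnel endpoint) address

# Print the out/in policy pair for one inner selector, as configured on the
# router whose local tunnel endpoint is $3 (remote endpoint $4).
#   $1 = inner source, $2 = inner destination, $3 = local endpoint, $4 = remote endpoint
spd_pair() {
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' "$1" "$2" "$3" "$4"
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n' "$2" "$1" "$4" "$3"
}

# Complete policy set for one router: every combination of {local net, local
# external address} to {remote net, remote external address}.
#   $1 = local net, $2 = local endpoint, $3 = remote net, $4 = remote endpoint
spd_matrix() {
    spd_pair "$1" "$3" "$2" "$4"   # net    -> net    (the two lines from the post)
    spd_pair "$2" "$3" "$2" "$4"   # router -> net    (router sends from its external address)
    spd_pair "$1" "$4" "$2" "$4"   # net    -> router
    spd_pair "$2" "$4" "$2" "$4"   # router -> router
}

spd_for_a() { spd_matrix "$A_NET" "$A_EXT" "$B_NET" "$B_EXT"; }
spd_for_b() { spd_matrix "$B_NET" "$B_EXT" "$A_NET" "$A_EXT"; }

# Return 0 if router $1 (a or b) installs an outbound policy whose selectors are
# exactly $2 -> $3. This is a literal match on the configured selectors,
# not a prefix-containment check.
spd_covers() {
    "spd_for_$1" | grep -q "^spdadd $2 $3 any -P out "
}

# Number of policy lines router $1 installs (8 = 4 selector pairs x out/in).
spd_count() {
    "spd_for_$1" | wc -l | tr -d ' '
}

# Stand-alone use: print both configurations, ready for review and "setkey -c".
echo "# router A"; spd_for_a
echo "# router B"; spd_for_b
```

Because every selector pair is mirrored on the peer (an `out` entry on one router has the matching `in` entry on the other), a router's locally generated packets are encrypted whichever of its addresses the kernel picks as source, so the `route add -net A* B.1` workaround is no longer needed and B* hosts are forwarded straight into the tunnel.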