NetBSD-Users archive


IPSEC and routing


I have a question about IPSEC and routing tables.

Consider the following typical scenario: grey network A* connected to router A wishes 
to work with grey network B* behind router B. It is done with typical rules 
without any gre tunnels - ipsec.conf is tuned in two lines: 

spdadd B* A* any -P in ipsec esp/tunnel/B-A/require;
spdadd A* B* any -P out ipsec esp/tunnel/A-B/require;

This makes the routers create a tunnel and pass any traffic into it. Working 
pretty fine and fast.

Once I wished network A* to connect to router B. The only way not to write 
many IPSEC rules is to make the routers use their internal address when sending to 
the other network. I've tried to do it with routing tables:

route add -net A* B.1

It works, it works pretty fine, but this scenario makes B* hosts work slowly. 
Check this out: 

Router B sends a packet to the A* network - ok, it uses the internal address, because of 
the route table, and the packet flows into the tunnel. OK.
Then - a host in the B* network sends a packet to network A* and router B puts a 
re-route packet into the network before the packet really flows into the tunnel, just 
because of the route table. This works pretty slowly.

So, now I have two working scenarios - I put a string into the route table and my 
router A can talk to router B between internal network addresses. Or I remove the 
routing rule and network A* can talk to network B*.

How can I combine these things? Let networks talk to each other and to routers, 
and routers between themselves? In other words - how can I set the source address 
to some network without crashing routing itself?

Wrote a pretty long question, sorry :)

Sincerely yours
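To make the source-address problem in the post concrete, here is an added Python model (not code from the post or from NetBSD) of how the setkey(8) SPD and the routing table interact on router B. It assumes constructed addresses (A* = 10.1.0.0/16 behind router A at 203.0.113.1, B* = 10.2.0.0/16 behind router B at 198.51.100.1 externally and 10.2.0.1 internally), the interface labels int0/ext0, a first-match SPD search and a simplified source-address selection. The two extra policies whose selectors name the router's own external address are one standard way of covering router-originated traffic in tunnel mode; they are shown here as an illustration, not as the list's answer.

```python
# Toy model of the two mechanisms the post combines: the KAME/NetBSD SPD
# (setkey(8) "spdadd" policies) and the routing table that picks the source
# address of router-originated packets. All addresses and interface names
# below are constructed for this example; they are not from the post.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class SpdEntry:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    direction: str             # "in" or "out"
    tunnel: Tuple[str, str]    # (outer source, outer destination) of the ESP tunnel


def parse_spdadd(line: str) -> SpdEntry:
    """Parse one setkey(8) policy line of the exact shape used in the post:
    spdadd SRC DST any -P DIR ipsec esp/tunnel/OUTER_SRC-OUTER_DST/require;
    Other selector or policy forms are rejected rather than guessed at."""
    toks = line.strip().rstrip(";").split()
    if len(toks) != 8 or toks[0] != "spdadd" or toks[4] != "-P" or toks[6] != "ipsec":
        raise ValueError(f"unsupported policy line: {line!r}")
    proto, mode, endpoints, level = toks[7].split("/")
    if (proto, mode, level) != ("esp", "tunnel", "require"):
        raise ValueError(f"unsupported policy string: {toks[7]!r}")
    outer_src, outer_dst = endpoints.split("-")
    return SpdEntry(ipaddress.ip_network(toks[1], strict=False),
                    ipaddress.ip_network(toks[2], strict=False),
                    toks[5], (outer_src, outer_dst))


def spd_lookup(spd: List[SpdEntry], src: str, dst: str, direction: str) -> Optional[SpdEntry]:
    """First policy whose selector covers the packet (a simplification of the
    kernel's SPD search), or None when the packet would leave in the clear."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for entry in spd:
        if entry.direction == direction and s in entry.src and d in entry.dst:
            return entry
    return None


@dataclass
class Route:
    dst: ipaddress.IPv4Network
    iface: str     # interface the packet leaves on
    ifaddr: str    # that interface's address; source of locally generated packets


def route_lookup(routes: List[Route], dst: str) -> Route:
    """Longest-prefix match, like the kernel's forwarding lookup."""
    d = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if d in r.dst and (best is None or r.dst.prefixlen > best.dst.prefixlen):
            best = r
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best


def router_source_address(routes: List[Route], dst: str) -> str:
    """Source address router B uses for a packet it originates: the address of
    the interface the route leaves on (simplified source selection)."""
    return route_lookup(routes, dst).ifaddr


def forwards_with_redirect(routes: List[Route], dst: str, in_iface: str) -> bool:
    """A forwarded packet that would leave on the interface it arrived on makes
    the router emit an ICMP redirect to the sending host: the slow path the post
    sees for B* hosts once the A* route points at B's own internal address."""
    return route_lookup(routes, dst).iface == in_iface


# Constructed topology, seen from router B.
NET_A, NET_B = "10.1.0.0/16", "10.2.0.0/16"
RTR_A_EXT, RTR_B_EXT, RTR_B_INT = "203.0.113.1", "198.51.100.1", "10.2.0.1"

# The post's two policies with the constructed addresses filled in.
BASE_SPD = [
    parse_spdadd(f"spdadd {NET_A} {NET_B} any -P in ipsec esp/tunnel/{RTR_A_EXT}-{RTR_B_EXT}/require;"),
    parse_spdadd(f"spdadd {NET_B} {NET_A} any -P out ipsec esp/tunnel/{RTR_B_EXT}-{RTR_A_EXT}/require;"),
]
# Two extra policies whose selectors name the router's own external address, so
# router-originated traffic is covered without touching the routing table.
EXTENDED_SPD = BASE_SPD + [
    parse_spdadd(f"spdadd {RTR_B_EXT}/32 {NET_A} any -P out ipsec esp/tunnel/{RTR_B_EXT}-{RTR_A_EXT}/require;"),
    parse_spdadd(f"spdadd {NET_A} {RTR_B_EXT}/32 any -P in ipsec esp/tunnel/{RTR_A_EXT}-{RTR_B_EXT}/require;"),
]

ROUTES_PLAIN = [Route(ipaddress.ip_network("0.0.0.0/0"), "ext0", RTR_B_EXT),
                Route(ipaddress.ip_network(NET_B), "int0", RTR_B_INT)]
# The post's workaround, "route add -net A* B.1": A* reached via B's own internal address.
ROUTES_TRICK = ROUTES_PLAIN + [Route(ipaddress.ip_network(NET_A), "int0", RTR_B_INT)]


def host_flow_protected(spd: List[SpdEntry]) -> bool:
    """A B* host talking to an A* host is matched by the post's original out policy."""
    return spd_lookup(spd, "10.2.5.5", "10.1.7.7", "out") is not None


def router_flow_protected(spd: List[SpdEntry], routes: List[Route]) -> bool:
    """Router B itself talking to an A* host: whether a tunnel policy matches
    depends on which source address the routing table makes it pick."""
    src = router_source_address(routes, "10.1.7.7")
    return spd_lookup(spd, src, "10.1.7.7", "out") is not None


if __name__ == "__main__":
    print("host->A*, base SPD          :", host_flow_protected(BASE_SPD))
    print("router->A*, base + plain    :", router_flow_protected(BASE_SPD, ROUTES_PLAIN))
    print("router->A*, base + trick    :", router_flow_protected(BASE_SPD, ROUTES_TRICK))
    print("B* host redirected, trick   :", forwards_with_redirect(ROUTES_TRICK, "10.1.7.7", "int0"))
    print("router->A*, extended + plain:", router_flow_protected(EXTENDED_SPD, ROUTES_PLAIN))
    print("B* host redirected, plain   :", forwards_with_redirect(ROUTES_PLAIN, "10.1.7.7", "int0"))
```

With the base policies and the plain routing table, router B's own packets to A* carry its external address as source and miss the SPD, which is the gap the post describes; the route trick fixes that by changing the source address but makes every forwarded B* packet hit the redirect path, and the extended SPD covers the router's traffic while leaving the routing table alone.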
