Subject: IPSec question - regarding esp/tunnel mode.
To: None <firstname.lastname@example.org>
From: J. Buck Caldwell <email@example.com>
Date: 07/11/2003 11:46:58
I'm setting up a large IPSec VPN WAN using NetBSD-1.6.1. After playing
around quite a bit, I think I've got it working well, but I'm wondering
about a few things.
Consider this network: Corporate, with SDSL Internet providing a real
IP4 address to interface ex0, NAT 192.168/16 behind ex1. Cisco router at
192.168.0.250 routing Frame Relay out to 20 different branches, each
with their own 192.168.x/24.
To replace this, we are giving several of the branches (but not all) a
broadband (mostly Cable) connection, and a NetBSD box to do NAT, DHCP,
DNS, and VPN. Each branch will retain their existing 192.168.x/24
private network. Each branch will have a IPSec tunnel to each other
branch that has a broadband connection, all traffic for those left on
frame will go to 192.168.0.1 (Corporate's gateway).
First of all, I did a bad thing - I assumed that traffic would only be
encrypted over the tunnel - and I ended up with encrypted traffic not
being decrypted because it's destination address was outside of the
192.168.0/24. So, lots of additional spdadd's later, I've got it all
working. Now I'm looking to make it effecient.
Given Branch #1 (192.168.1/24) having a public IP of 126.96.36.199, and
Corporate (192.168.0/24) having a public IP of 188.8.131.52), and Branch
#2 (192.168.3/24) having public 184.108.40.206:
Can I have a rule on the Corporate side that says:
spdadd 192.168.0.0/16 192.168.1.0/24 any -P out ipsec
spdadd 192.168.1.0/24 192.168.0.0/16 any -P in ipsec
spdadd 192.168.0.0/16 192.168.2.0/24 any -P out ipsec
spdadd 192.168.2.0/24 192.168.0.0/16 any -P in ipsec
Note the different netmasks - I want to be able to send traffic
encrypted from 192.168.1.1 (router) to 192.168.0.1, who decrypts it,
then forwards it on to 192.168.0.250 to be routed to, say, 192.168.3.1,
still on the Frame Relay.
On the Branch #1:
spdadd 192.168.1.0/24 192.168.0.0/16 any -P out ipsec
spdadd 192.168.0.0/16 192.168.1.0/24 any -P in ipsec
spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec
spdadd 192.168.2.0/24 192.168.1.0/24 any -P in ipsec
Note the first pair of rules have a /16 - In other words, I want any
traffic that doesn't have a direct tunnel built to go to 220.127.116.11 for
processing, but still have those that have better-fitting netmasks to go
So, how far off am I? Please CC: replies, as I am off-list.