hi all
Some client of ours wants to VPN-ize their network. All the remote LANs are connected via a 2 Mb link to the client backbone; the main office has 34 Mb to the net. Well, the client is an ISP-type company, so all nodes have direct access to the net, but they want to encrypt traffic between all their offices.
Do you have to set up a meshed VPN, so that there are encrypt rules for all point-to-point links (so 5 nodes would have 9 encrypt rule pairs)? Or is it possible to run a single encrypt rule from each remote office to HQ, and pass traffic from one remote office to another via the HQ?
I'm thinking towards the meshed setup; otherwise how will you route traffic? It's not like there are tunnels set up or anything.
Just had another thought (whew!): would this setup work?

src                 dst                 action     target
==================  ==================  =========  ============
grp_all_lan_nets    grp_all_lan_nets    encrypt    all gateways
Seeing as each gateway has an encryption domain defined, which is part of the group of networks "grp_all_lan_nets", and the encrypt action is applied to all peers, each gateway will know which remote gateway to set up an SA with.
Is this right or am I babbling?
This will all be done with FW-1 on Nokia; HQ will have a redundant Nokia setup, and there are about 15 remote offices Europe-wide.
cheers
Corné van Dyk
Junior Consultant Security
Dimension Data Germany
Tel: +49 6171 977 220
Mobile: +49 174 3264 793
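As an added illustration (not part of the original post, and not FW-1's own logic), the following Python model shows the two designs the post compares: a full mesh, where every pair of gateways keeps its own SA, versus a hub-and-spoke setup, where spoke-to-spoke traffic is decrypted at HQ and re-encrypted towards the other spoke. It also models the single "grp_all_lan_nets to grp_all_lan_nets, encrypt, all gateways" rule: a packet matches when both addresses fall inside some gateway's encryption domain, and the peer for the SA is whichever gateway owns the destination domain. The gateway names and address ranges are constructed sample values, not the client's network.

```python
import ipaddress
from itertools import combinations

# Constructed sample topology (assumption, not from the post):
# gateway name -> the encryption domain it protects.
GATEWAYS = {
    "hq":     ipaddress.ip_network("10.0.0.0/16"),
    "berlin": ipaddress.ip_network("10.1.0.0/24"),
    "paris":  ipaddress.ip_network("10.2.0.0/24"),
    "madrid": ipaddress.ip_network("10.3.0.0/24"),
    "milan":  ipaddress.ip_network("10.4.0.0/24"),
}


def gateway_for(ip):
    """Return the gateway whose encryption domain contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, domain in GATEWAYS.items():
        if addr in domain:
            return name
    return None


def rule_matches(src_ip, dst_ip):
    """Model of the single rule: src and dst both inside grp_all_lan_nets
    (the union of all encryption domains)."""
    return gateway_for(src_ip) is not None and gateway_for(dst_ip) is not None


def mesh_sa_pairs(gateways):
    """Full mesh: one SA pair per unordered gateway pair, n*(n-1)/2 in total."""
    return sorted(combinations(sorted(gateways), 2))


def hub_sa_pairs(gateways, hub):
    """Hub-and-spoke: one SA pair between the hub and each spoke, n-1 in total."""
    return sorted(tuple(sorted((hub, g))) for g in gateways if g != hub)


def encrypt_path(src_ip, dst_ip, topology="mesh", hub="hq"):
    """List of gateway-to-gateway hops over which the packet travels encrypted.

    An empty list means the packet is not encrypted by the VPN: it is either
    local to one gateway's LAN or outside every encryption domain."""
    if not rule_matches(src_ip, dst_ip):
        return []
    s, d = gateway_for(src_ip), gateway_for(dst_ip)
    if s == d:
        return []
    if topology == "mesh" or hub in (s, d):
        # Direct SA between the two gateways that own the domains.
        return [(s, d)]
    # Hub-and-spoke: decrypted at the hub, re-encrypted towards the far spoke,
    # so the hub sees the cleartext and the path needs a second SA.
    return [(s, hub), (hub, d)]


if __name__ == "__main__":
    print("mesh SA pairs:", len(mesh_sa_pairs(GATEWAYS)))
    print("hub SA pairs: ", len(hub_sa_pairs(GATEWAYS, "hq")))
    print("berlin->paris, mesh:", encrypt_path("10.1.0.5", "10.2.0.7"))
    print("berlin->paris, hub: ", encrypt_path("10.1.0.5", "10.2.0.7", "hub"))
```

Running it with five gateways gives 10 SA pairs for the mesh against 4 for hub-and-spoke; the trade-off is that in the hub design a Berlin-to-Paris packet is cleartext inside the HQ gateway between the two SAs, which is exactly the routing-via-HQ question the post raises.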
