I'm having a bit of fun with a kinda unique setup... Let's see if I can
explain this where someone besides me understands what I'm talking about:


Firewall A
64.216.xxx.xxx eth0     Public

10.0.0.0/24 eth1        Private

10.0.1.0/24 eth2        Secret

Firewall B
192.168.1.0/24          Talks to Secret

Firewall C
192.168.2.0/24          Talks to Private

Firewall A

3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:30:1b:09:d3:ee brd ff:ff:ff:ff:ff:ff
    inet 64.216.xxx.xxx/xx brd 64.216.105.127 scope global eth0
4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:40:f4:5e:e1:57 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.2/24 brd 10.0.0.255 scope global eth1
5: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:02:e3:15:c9:11 brd ff:ff:ff:ff:ff:ff
    inet 10.0.1.254/24 brd 10.0.1.255 scope global eth2
14: ipsec0: <NOARP,UP> mtu 16260 qdisc pfifo_fast qlen 10
    link/ether 00:30:1b:09:d3:ee brd ff:ff:ff:ff:ff:ff
    inet 64.216.xxx.xxx/xx brd 64.216.105.127 scope global ipsec0
15: ipsec1: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip 
(The person using the other tunnel is currently out of town, and has the
firewall shut off)


# ip route
64.216.xxx.0/25 dev eth0  proto kernel  scope link  src 64.216.xxx.xxx 
64.216.xxx.0/25 dev ipsec0  proto kernel  scope link  src 64.216.xxx.xxx
10.0.0.0/24 dev eth1  proto kernel  scope link  src 10.0.0.2 
10.0.1.0/24 dev eth2  proto kernel  scope link  src 10.0.1.254 
192.168.2.0/24 via 64.216.xxx.zzz dev ipsec0 
192.168.1.0/24 via 64.216.xxx.zzz dev ipsec0 
default via 64.216.xxx.yyy dev eth0 


Firewall A is at the office. Secret has a couple of people working on
stuff Private has no access to, but Secret can see the file server on
Private. Firewall A needs to be in Secret, Firewall B needs to be in
Private. Everything works as I want, but there is a potential race
condition if the firewall reboots, connectivity is lost, whatever. The
connection that was ipsec0 may end up ipsec1 if it's second to get a
connection. I'm looking through the docs, as I thought I saw something
about an interface option for ipsec.conf, but I'm thinking it was for what
interface to allow tunnels to bind to. Would that also allow me to specify
the tunnel name (ipsec0, etc) in the area where I set up the connection as
well? I need to make sure that upon reconnection everyone gets
the right tunnel. Thanks!

--- 
Homer Parker

http://www.homershut.net
telnet://bbs.homershut.net
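An added check, not part of the original post or of FreeS/WAN: it parses `ip route` output like the listing above, reports which ipsecN device each peer gateway currently sits on (useful after a reconnect, when the numbering may have swapped), and flags any remote subnet whose route is missing or not on an ipsec device. The route lines and public addresses below are constructed stand-ins for the masked xxx/yyy/zzz values.

```python
import re

# Constructed sample modelled on the `ip route` listing in the post; the public
# octets are placeholders. Here 192.168.2.0/24 has no tunnel route of its own,
# so anything sent to it would follow the default route out eth0.
SAMPLE_ROUTES = """\
64.216.0.0/25 dev eth0  proto kernel  scope link  src 64.216.0.10
64.216.0.0/25 dev ipsec0  proto kernel  scope link  src 64.216.0.10
10.0.0.0/24 dev eth1  proto kernel  scope link  src 10.0.0.2
10.0.1.0/24 dev eth2  proto kernel  scope link  src 10.0.1.254
192.168.1.0/24 via 64.216.0.20 dev ipsec0
default via 64.216.0.1 dev eth0
"""

ROUTE_RE = re.compile(r"^(\S+)(?:\s+via\s+(\S+))?\s+dev\s+(\S+)")

def parse_routes(text):
    """Parse `ip route` output into a list of (destination, gateway, device)."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.append(m.groups())
    return routes

def tunnel_devices(routes):
    """Map each IPsec peer gateway to the ipsecN device(s) currently carrying it."""
    peers = {}
    for dst, via, dev in routes:
        if via and dev.startswith("ipsec"):
            peers.setdefault(via, set()).add(dev)
    return peers

def audit_remote_subnets(routes, remote_subnets):
    """For each remote private subnet, report the device carrying it. A subnet
    with no route of its own is flagged, since it would take the default route."""
    by_dst = {dst: (via, dev) for dst, via, dev in routes}
    report = {}
    for subnet in remote_subnets:
        if subnet not in by_dst:
            _, dflt_dev = by_dst.get("default", (None, "?"))
            report[subnet] = "MISSING (falls to default via %s)" % dflt_dev
        elif not by_dst[subnet][1].startswith("ipsec"):
            report[subnet] = "NOT TUNNELLED (dev %s)" % by_dst[subnet][1]
        else:
            report[subnet] = "ok via " + by_dst[subnet][1]
    return report

if __name__ == "__main__":
    r = parse_routes(SAMPLE_ROUTES)
    print(tunnel_devices(r))
    for subnet, status in audit_remote_subnets(r, ["192.168.1.0/24", "192.168.2.0/24"]).items():
        print(subnet, status)
```

On a live box, feed it the output of `ip route` instead of the constructed sample and list the remote subnets from ipsec.conf.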
