ipsec between three networks

2016-01-25 Thread lilit-aibolit

Hi list.
Currently I'm using a simple config to connect two networks
over the Internet; ipsec.conf from the $net2 side looks like this:


net1 = "{ 192.168.1.0/24, 192.168.11.0/24 }"
net2 = "{ 192.168.2.0/24, 192.168.22.0/24, 192.168.33.0/24 }"
flow esp from $net2 to $net1 peer x.x.x.x
esp from y.y.y.y to x.x.x.x spi 0xdeadbeef:0xbeefdead \
auth hmac-sha2-512 enc blowfish \
authkey file "/root/akey.local:/root/akey.remote" \
enckey file "/root/ekey:/root/ekey"


Suppose I have a third endpoint on the Internet
with public IP z.z.z.z and network 192.168.3.0/24.
What is the way to establish an extra tunnel with the third endpoint?
I need to be able to reach the $net1 and $net2 networks from
$net3, which is 192.168.3.0/24, and vice versa.

Is it enough to create a tunnel between $net3 and $net2
to reach $net1 from $net3, or do I need to set up two tunnels
on each endpoint?

I doubt whether such a config works:

net1 = "{ 192.168.1.0/24, 192.168.11.0/24 }"
net2 = "{ 192.168.2.0/24, 192.168.22.0/24, 192.168.33.0/24 }"
net3 = "{ 192.168.3.0/24 }"

flow esp from $net2 to $net1 peer x.x.x.x
esp from y.y.y.y to x.x.x.x spi 0xdeadbeef:0xbeefdead \
auth hmac-sha2-512 enc blowfish \
authkey file "/root/akey.local:/root/akey.remote" \
enckey file "/root/ekey:/root/ekey"

flow esp from $net2 to $net3 peer z.z.z.z
esp from y.y.y.y to z.z.z.z spi 0xdeadbeef:0xbeefdead \
auth hmac-sha2-512 enc blowfish \
authkey file "/root/akey.local3:/root/akey.remote3" \
enckey file "/root/ekey3:/root/ekey3"
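
An added check for the doubted config above (my own example, not something from the thread or from ipsecctl): it joins the backslash-continued lines, parses each manual `esp ... spi OUT[:IN]` rule, and reports SAs that share a destination and SPI, which is how the kernel identifies an SA. The second SPI of both rules creates the inbound SA towards y.y.y.y, so those two land on the same key.

```python
import re
from collections import defaultdict

# Constructed sample: the doubted config's SA rules, trimmed to the spi line + one continuation.
SAMPLE = r'''
esp from y.y.y.y to x.x.x.x spi 0xdeadbeef:0xbeefdead \
auth hmac-sha2-512 enc blowfish
esp from y.y.y.y to z.z.z.z spi 0xdeadbeef:0xbeefdead \
auth hmac-sha2-512 enc blowfish
'''

# esp|ah [transport|tunnel] from SRC to DST spi OUT[:IN] ...
SA_RE = re.compile(
    r'^(esp|ah)\s+(?:transport\s+|tunnel\s+)?from\s+(\S+)\s+to\s+(\S+)\s+'
    r'spi\s+(0x[0-9a-f]+|\d+)(?::(0x[0-9a-f]+|\d+))?', re.IGNORECASE)

def logical_lines(text):
    """Yield rules with backslash continuations joined, comments dropped."""
    buf = ''
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if line.endswith('\\'):
            buf += line[:-1] + ' '
            continue
        buf = (buf + line).strip()
        if buf:
            yield buf
        buf = ''

def parse_sas(text):
    """Return (proto, src, dst, spi_out, spi_in or None) per manual SA."""
    sas = []
    for line in logical_lines(text):
        m = SA_RE.match(line)
        if m:
            proto, src, dst, out, inn = m.groups()
            sas.append((proto.lower(), src, dst, int(out, 0),
                        int(inn, 0) if inn else None))
    return sas

def spi_collisions(text):
    """Map (proto, dst, spi) -> SAs sharing it; the kernel keys SAs that way."""
    seen = defaultdict(list)
    for proto, src, dst, out, inn in parse_sas(text):
        seen[(proto, dst, out)].append(f'{src}->{dst}')
        if inn is not None:  # second SPI creates the reverse-direction SA
            seen[(proto, src, inn)].append(f'{dst}->{src}')
    return {k: v for k, v in seen.items() if len(v) > 1}

for (proto, dst, spi), sas in spi_collisions(SAMPLE).items():
    print(f'{proto} SPI {spi:#x} towards {dst} shared by: {", ".join(sas)}')
```

Giving each peer its own inbound SPI (the outbound ones already differ by destination) clears the clash; the distinct key files per peer in the posted config are fine as they are.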




Re: ipsec between three networks

2016-01-26 Thread Dewey Hylton
lilit-aibolit  mail.ru> writes:


> Suppose I have a third endpoint on the Internet
> with public IP z.z.z.z and network 192.168.3.0/24.
> What is the way to establish an extra tunnel with the third endpoint?
> I need to be able to reach the $net1 and $net2 networks from
> $net3, which is 192.168.3.0/24, and vice versa.
> 
> Is it enough to create a tunnel between $net3 and $net2
> to reach $net1 from $net3, or do I need to set up two tunnels
> on each endpoint?

if all sites are not directly connected to each other, you'll have to add
routes in various places.

my current working configuration has 3 sites; each site is connected to the
others, and routing is handled via ospfd. 



Re: ipsec between three networks

2016-01-27 Thread mxb
OSPF is not the right protocol if you scale to more than 3 sites and want
to influence routing.
BGP will do a better job in this situation.

> On 27 jan. 2016, at 03:39, Dewey Hylton  wrote:
>
> my current working configuration has 3 sites; each site is connected to the
> others, and routing is handled via ospfd.



Re: ipsec between three networks

2016-01-28 Thread Dewey Hylton
for us, ospf works fine. and in our testing, bgp was much slower to respond
to network events. each of our sites has a pair of openbsd boxes clustered
via carp. each site has two different isps. this adds up to quite a few
different paths to/from each site. on multiple occasions, we've received
calls from our providers regarding outages on isp links that we use by
default (weighted via ospf) that we weren't yet aware of because ospf just
worked as it should have and nobody had noticed. of course, we now monitor
such things, but the point is that ospf has been great for us in this
configuration.

On Thu, Jan 28, 2016 at 2:30 AM, mxb  wrote:

> OSPF is not the right protocol if you scale to more than 3 sites and want
> to influence routing.
> BGP will do a better job in this situation.
>
> On 27 jan. 2016, at 03:39, Dewey Hylton  wrote:
>
> my current working configuration has 3 sites; each site is connected to the
> others, and routing is handled via ospfd.