Tom Eastep wrote:
>> You need four additional SPD entries:
>>
>> Traffic from site1->site2 use tunnel from site1 to fw
>> Traffic from site1->site2 use tunnel from fw to site2
>> Traffic from site2->site1 use tunnel from site2 to fw
>> Traffic from site2->site1 use tunnel from fw to site1
>>
>
> But note that if you are clever, you should be able to handle an
> unlimited number of sites with just four policies.
I believe a common trick is to configure each remote site to use, not just the hub's local subnet, but a whole block, as the target of the VPN tunnel. E.g.:

  site1 -> hub   target 192.168.0.0/16
  site2 -> hub   target 192.168.0.0/16
  hub   -> site1 target 192.168.25.0/24
  etc.

That way, there is only one 'rule' at site 1 which sends all traffic (except its own local subnet) for the 192.168.0.0/16 block to the hub. The hub then re-distributes the traffic as required.

It's easily scalable as you don't need to modify any sites (apart from the hub) as you add or remove other sites. Obviously, the two ends of each tunnel have to match.

Apologies for the 'vague' terminology, but I've only done this with 'appliance' routers from manufacturers that use their own versions of the dictionary!

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
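As an added illustration, not from the post or from Shorewall: a small Python model of the aggregate-target trick that renders each end's SPD entries as ipsec-tools setkey(8) spdadd lines and checks that the two ends of every tunnel match. The topology, gateway addresses, the hub's LAN, and the bypass entry for a spoke's own local traffic are assumptions.

```python
import ipaddress
from typing import NamedTuple, Optional

# Constructed sample topology (not from the post): every LAN sits inside one
# aggregate block, and 'gw' is each site's public tunnel endpoint.
AGG = "192.168.0.0/16"
HUB = {"name": "hub", "gw": "198.51.100.1", "lan": "192.168.1.0/24"}
SITES = [{"name": "site1", "gw": "203.0.113.10", "lan": "192.168.25.0/24"},
         {"name": "site2", "gw": "203.0.113.20", "lan": "192.168.26.0/24"}]

class Policy(NamedTuple):
    src: str                      # inner source prefix (selector)
    dst: str                      # inner destination prefix (selector)
    direction: str                # "in" or "out"
    gw_src: Optional[str] = None  # tunnel endpoints; None = bypass, no IPsec
    gw_dst: Optional[str] = None
    def mirror(self):
        """The entry the far end of the tunnel must hold for the same traffic."""
        return self._replace(direction="in" if self.direction == "out" else "out")
    def setkey(self):
        """Render as an ipsec-tools setkey(8) spdadd line."""
        if self.gw_src is None:
            return f"spdadd {self.src} {self.dst} any -P {self.direction} none;"
        return (f"spdadd {self.src} {self.dst} any -P {self.direction} "
                f"ipsec esp/tunnel/{self.gw_src}-{self.gw_dst}/require;")

def spoke_policies(site, agg=AGG):
    """One spoke: a tunnel to the hub for the whole aggregate, plus a more
    specific bypass (assumed to take precedence) for traffic inside its own LAN."""
    lan = site["lan"]
    if not ipaddress.ip_network(lan).subnet_of(ipaddress.ip_network(agg)):
        raise ValueError(f"{site['name']}: {lan} is not inside {agg}")
    return [Policy(lan, lan, "out"),
            Policy(lan, agg, "out", site["gw"], HUB["gw"]),
            Policy(agg, lan, "in", HUB["gw"], site["gw"])]

def hub_policies(sites, agg=AGG):
    """Hub: two entries per spoke, the mirrors of that spoke's tunnel entries."""
    return [p for s in sites for p in (Policy(agg, s["lan"], "out", HUB["gw"], s["gw"]),
                                       Policy(s["lan"], agg, "in", s["gw"], HUB["gw"]))]

def check_topology(sites, hub_entries, agg=AGG):
    """List every spoke tunnel entry that has no matching entry in hub_entries."""
    hub, problems = set(hub_entries), []
    for s in sites:
        for p in spoke_policies(s, agg):
            if p.gw_src and p.mirror() not in hub:
                problems.append(f"{s['name']}: hub lacks mirror of {p.setkey()}")
    return problems
```

Adding a third spoke means adding its two entries at the hub only; the existing spokes keep their single aggregate entry untouched.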
