From: Michal L. <mi...@lo...> - 2004-05-25 14:26:23
On Tue, 25 May 2004, Bohdan Vlasyuk wrote:
> On Mon, May 24, 2004 at 09:40:28AM +0200, Michal Ludvig wrote:
>
> >> Internet <--> Gateway A ---/-----------\--- Gateway D <--> NET 3
> >>               (10.0.1.1)  |   Radio   |    (10.1.0.4)   (10.11.0.0/16)
> >>                           |  Ethernet |
> >>                           |   very    |
> >>                           |  insecure |
> >>                           |   medium  |
> >> NET 1 <--> Gateway B ---\-----------/--- Gateway C <--> NET 2
> >> (10.2.0.0/16) (10.0.1.2)               (10.1.0.3)   (10.10.1.0/24)
> >> How would I achieve my task?
> > You need to define tunnel policies as well. E.g. for connecting Net1 and
> > Net2 set this on Gateway B:
> > spdadd 10.2.0.0/16 10.10.1.0/24 any -P out ipsec
> >        esp/tunnel/10.0.1.2-10.1.0.3/require;
> I do not understand the semantics of this tunnel/x-y/ notation, could
> you explain it?

My example said: connection between gateways 10.0.1.2 and 10.1.0.3 that can
carry traffic from network 10.2.0.0/16 to 10.10.1.0/24.

> Another problem with this idea that I can spot at once, is that I don't
> really want NET1/NET2/NET3 addresses to appear in policies, because
> either:

They must be there, sorry. IPsec not only encrypts the traffic, it also
provides evidence that a packet claiming to come from a given IP really
comes from there and wasn't forged by a third party.

> a) they are numerous networks, not always easily aggregated,

The number of SPDs is not limited.

> and in case if Gateway A represents the whole great internet, and

Then it can be 0.0.0.0/0

> b) I would want to allow users behind g/w to change addresses without my
> attention and without changes in IPSec config.

NAT isn't an option, is it?

BTW Please always Cc the list - I may be wrong and other people can help
you as well.

Michal Ludvig
--
* A mouse is a device used to point at the xterm you want to type in.
* Personal homepage - http://www.logix.cz/michal
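The thread shows only the single `out` policy for Gateway B. As an added example (not code from the original post or from the ipsec-tools project), the script below builds the complete set of setkey(8) SPD entries for one tunnel: the `out` policy for the local network towards the remote one and the mirrored `in` policy, plus the same tunnel seen from the peer gateway. The function names and the `setkey -f` wrapper are this example's own; the `spdadd` syntax and the addresses are those from the thread. Leaving out the `in` entry is the usual mistake: outbound traffic gets encrypted, but unprotected packets claiming to come from the remote network are still accepted and forwarded.

```python
"""Generate the setkey(8) SPD entries for one ESP tunnel between two
gateways. Added example, not code from the mailing-list post; the
function names are this example's own, the spdadd syntax is setkey's."""
import ipaddress
from typing import List


def tunnel_policies(local_net: str, remote_net: str,
                    local_gw: str, remote_gw: str,
                    level: str = "require") -> List[str]:
    """Return the two spdadd lines one gateway needs for a tunnel:
    the 'out' policy for local_net -> remote_net and the mirrored
    'in' policy for remote_net -> local_net.
    """
    # strict=True rejects a host address written as a network
    # (e.g. 10.2.0.1/16), which would otherwise become a different policy
    lnet = ipaddress.ip_network(local_net, strict=True)
    rnet = ipaddress.ip_network(remote_net, strict=True)
    lgw = ipaddress.ip_address(local_gw)
    rgw = ipaddress.ip_address(remote_gw)
    if lgw == rgw:
        raise ValueError("tunnel endpoints must differ")
    if not (lnet.version == rnet.version == lgw.version == rgw.version):
        raise ValueError("mixed IP versions in one policy")
    out_line = (f"spdadd {lnet} {rnet} any -P out ipsec "
                f"esp/tunnel/{lgw}-{rgw}/{level};")
    in_line = (f"spdadd {rnet} {lnet} any -P in ipsec "
               f"esp/tunnel/{rgw}-{lgw}/{level};")
    return [out_line, in_line]


def peer_policies(local_net: str, remote_net: str,
                  local_gw: str, remote_gw: str,
                  level: str = "require") -> List[str]:
    """The same tunnel as seen from the other gateway: swap the sides."""
    return tunnel_policies(remote_net, local_net, remote_gw, local_gw, level)


def setkey_script(policies: List[str]) -> str:
    """Wrap policy lines into a file usable with `setkey -f`; spdflush
    first so stale entries from an earlier run do not linger."""
    return "spdflush;\n" + "\n".join(policies) + "\n"


if __name__ == "__main__":
    # Addresses from the thread: Gateway B (10.0.1.2) fronts NET 1,
    # Gateway C (10.1.0.3) fronts NET 2.
    args = ("10.2.0.0/16", "10.10.1.0/24", "10.0.1.2", "10.1.0.3")
    print("# Gateway B\n" + setkey_script(tunnel_policies(*args)))
    print("# Gateway C\n" + setkey_script(peer_policies(*args)))
```

For the case raised in the thread where the far side is the whole internet behind Gateway A, `remote_net` is simply `0.0.0.0/0`; the generator accepts it unchanged.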