From: Bohdan V. <bo...@bo...> - 2004-05-25 15:08:23

On Tue, May 25, 2004 at 04:26:16PM +0200, Michal Ludvig wrote:
>  Internet <--> Gateway A ---/-----------\--- Gateway D <--> NET 3
>               (10.0.1.1)   |   Radio   |   (10.1.0.4)   (10.11.0.0/16)
>                            |  Ethernet |
>                            |   very    |
>                            |  insecure |
>                            |   medium  |
>  NET 1 <--> Gateway B ---\-----------/--- Gateway C <--> NET 2
> (10.2.0.0/16) (10.0.1.2)               (10.1.0.3)   (10.10.1.0/24)
>>>> How would I achieve my task?
>>> You need to define tunnel policies as well. E.g. for connecting Net1 and
>>> Net2 set this on Gateway B:
>>> spdadd 10.2.0.0/16 10.10.1.0/24 any -P out ipsec
>>> esp/tunnel/10.0.1.2-10.1.0.3/require;
>> I do not understand the semantics of this tunnel/x-y/ notation, could
>> you explain it?
> My example said: connection between gateways 10.0.1.2 and 10.1.0.3 that
> can carry traffic from network 10.2.0.0/16 to 10.10.1.0/24.

So, would the following configuration work [G/W B]:

spdadd 0.0.0.0/0 0.0.0.0/0 any -P out ipsec
       esp/tunnel/10.0.1.2-10.1.0.3/require;
spdadd 0.0.0.0/0 0.0.0.0/0 any -P in ipsec
       esp/tunnel/10.0.1.3-10.1.0.2/require;

By "work", I mean "encrypt" all outgoing traffic with NEXTHOP=10.1.0.3, and
"decrypt" all incoming traffic coming from 10.1.0.3?

If not, how would it work?

Thank you,
Bohdan.
-- 
Never pray for lighter burdens but, rather, for stronger shoulders.
-- Phillips Brooks
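A small consistency checker for the spdadd tunnel notation discussed in this thread, added here as an example and not part of the original mail or of setkey itself: it parses spdadd lines and verifies that each out policy's tunnel starts at the local gateway, that its in mirror has the inner selectors swapped and the outer endpoints reversed, and that the level is require. The sample policies are constructed from the thread's addresses and the gateway parameter is an assumption of this example.

```python
import re
from typing import NamedTuple

# Constructed sample, not the thread's own lines: Gateway B (10.0.1.2)
# protecting NET 1 -> NET 2 over an ESP tunnel to Gateway C (10.1.0.3).
SAMPLE_SPD = """
spdadd 10.2.0.0/16 10.10.1.0/24 any -P out ipsec esp/tunnel/10.0.1.2-10.1.0.3/require;
spdadd 10.10.1.0/24 10.2.0.0/16 any -P in ipsec esp/tunnel/10.1.0.3-10.0.1.2/require;
"""

# One spdadd line: inner selectors, direction, then proto/tunnel/outer-src-outer-dst/level.
SPDADD_RE = re.compile(
    r"spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<upper>\S+)\s+-P\s+(?P<dir>in|out)"
    r"\s+ipsec\s+(?P<proto>esp|ah)/tunnel/(?P<osrc>[\d.]+)-(?P<odst>[\d.]+)/(?P<level>\w+)\s*;"
)

class Policy(NamedTuple):
    src: str        # inner (protected) source selector
    dst: str        # inner destination selector
    direction: str  # "in" or "out"
    outer_src: str  # tunnel endpoint that sends the ESP packet
    outer_dst: str  # tunnel endpoint that receives it
    level: str      # require / use / default

def parse_spd(text: str) -> list[Policy]:
    return [Policy(m["src"], m["dst"], m["dir"], m["osrc"], m["odst"], m["level"])
            for m in SPDADD_RE.finditer(text)]

def check_policies(policies: list[Policy], gateway: str) -> list[str]:
    """Report inconsistencies: the outer tunnel must start (out) or end (in) at
    this gateway, each 'out' policy needs an 'in' mirror with inner selectors
    swapped and outer endpoints reversed, and the level should be 'require'."""
    problems = []
    for p in policies:
        local = p.outer_src if p.direction == "out" else p.outer_dst
        if local != gateway:
            problems.append(f"{p.direction} policy {p.src}->{p.dst}: local tunnel end {local} is not {gateway}")
        if p.level != "require":
            problems.append(f"{p.direction} policy {p.src}->{p.dst}: level {p.level} lets clear traffic through")
    ins = [p for p in policies if p.direction == "in"]
    for o in (p for p in policies if p.direction == "out"):
        if not any(i.src == o.dst and i.dst == o.src and
                   i.outer_src == o.outer_dst and i.outer_dst == o.outer_src for i in ins):
            problems.append(f"out policy {o.src}->{o.dst} has no matching in policy")
    return problems

if __name__ == "__main__":
    for line in check_policies(parse_spd(SAMPLE_SPD), gateway="10.0.1.2") or ["SPD is consistent"]:
        print(line)
```

Run against the two 0.0.0.0/0 lines proposed above, the checker flags the in policy, whose tunnel endpoints 10.0.1.3-10.1.0.2 neither end at 10.0.1.2 nor reverse the out policy's 10.0.1.2-10.1.0.3.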