Gunther Schadow wrote:
> I would shut up. But so far I have not seen proof for a complex
> VPN setup with KAME that does work.
We use our X-Bone software (http://www.isi.edu/xbone/) to frequently
create and remove complex overlays (tens of nodes in various topologies)
with dynamic routing and IPsec. It can be done with KAME, but it is
tricky.
> If anyone on this list has successfully set up a VPN with multiple
> remote sites, please contact me so I can ask you questions about
> how you've done it. I promise to write a HOWTO as soon as I could
> make it work. But so far, multiple IPsec tunnels to subnets just
> don't work together well.
The trick is to use IPsec transport mode + IPIP tunnels (gif devices)
*or* IPsec tunnel mode. If you start to mix them, you get into all kinds
of grey areas, where things depend on the order of instantiation, for
example.
For simple VPNs, IPsec tunnel mode is easiest. Its main shortcoming (in
the current state of implementation) is that IPsec tunnels are not
represented in or synchronized with the routing table - i.e. they are
invisible to routing.
Some people use gif tunnels to force routing to route packets into an
IPsec tunnel. This is a bad hack IMO, since you basically create a
duplicate (non-IPsec) tunnel between to endpoints, which as a
side-effect adds a routing table entry. Packets for that route get
intercepted and IPsec'ed, and never really go over the gif tunnel.
The IMO cleaner approach is to use IPsec transport mode on a gif tunnel.
All tunneling is handled by the gif device, and IPsec is completely
optional (i.e. you can set up the gif tunnels without any IPsec first,
and add transport mode SAs later once your VPN gif tunnel topology
works). There's an ID with more details:
ftp://ftp.isi.edu/internet-drafts/draft-touch-ipsec-vpn-01.txt
Lars
--
Lars Eggert <[EMAIL PROTECTED]> Information Sciences Institute
http://www.isi.edu/larse/ University of Southern California
S/MIME Cryptographic Signature
