----------------------------------------------------
From: Remko Lodder <re...@elvandar.org>
To: jh...@socket.net
Subject: Re: IPSec Routing
Date: Sun, 22 May 2011 21:12:24 +0200
> Basically what happens is that an IPSEC tunnel looks like this:
>
> Internal_A -->> Internal FW A [ FW A ] External FWA ---->>> [Internet] <<<---- External FWB [ FW B ] Internal FW B <<-- Internal_B
>
> External FWA [ ------------ TUNNEL --------- ] External FWB                                   [also called Phase 1]
>
> Internal_A [ -------------------------------- TUNNEL -------------------------------- ] Internal_B   [also called Phase 2]
>
> The external FWs talk to each other and make a secure pipe. The internal networks / hosts use the secure pipe to route traffic
> between them. So basically the first TUNNEL line is a big pipe, and the second TUNNEL line is packets WITHIN that first tunnel line (complex?).
>
> Comment:
>
> A connection is set up between the external FWA and external FWB, so that you have a secure pipe between the firewalls
> to exchange data.
>
> In some cases you talk to the external IP and it gets processed there and onwards.
>
> In other cases [more likely], you set up a secondary tunnel (phase 2) which enables you to talk to internal hosts on the other end.
> An IPSEC session is never established between internal IP ranges (if flowing over the internet; of course, within the network itself
> it is entirely possible).
>
> The IPSEC session _does_ allow you to route and send traffic to an internal IP address over the tunnel, though.
>
> If you can shed some more light on what you mean I might be able to help. I have set up 1000s of tunnels between mostly commercial
> grade firewalls, but I might assist in getting a bit further.

Thank you to everyone for their help. The connection is now up and running. Our vendor had an incorrect entry in their route table.

Jay

_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
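The two-layer picture Remko gives above (a phase 1 association between the external gateway addresses, and phase 2 selectors that say which internal subnets may ride inside it) can be modelled in a few lines. The following is an added example, not code from this thread, from FreeBSD or from any vendor's firewall: it encapsulates an inner packet only when a phase 2 selector matches, and checks that the two ends' selectors mirror each other, which is the usual reason a tunnel shows "phase 1 up" while no traffic flows. All addresses, subnet ranges and names (Gateway, Phase1, Phase2, selectors_mirror) are constructed for the example.

```python
"""Toy model of IKE phase 1 / phase 2 as described in the thread.

Added example: not code from the original mail, from FreeBSD, or from
any firewall vendor.  Gateway addresses and subnets below are
constructed (RFC 5737 documentation ranges), not taken from the thread.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Phase1:
    """Association between the two external firewall (outer) addresses."""
    local_gw: str
    remote_gw: str


@dataclass(frozen=True)
class Phase2:
    """Traffic selector pair: which inner subnets may use the pipe."""
    local_net: ipaddress.IPv4Network
    remote_net: ipaddress.IPv4Network


@dataclass
class Gateway:
    phase1: Phase1
    phase2: list = field(default_factory=list)

    def encapsulate(self, src: str, dst: str):
        """Return (outer_src, outer_dst) when the inner packet matches a
        phase 2 selector; return None when it is not tunnelled at all."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for sel in self.phase2:
            if s in sel.local_net and d in sel.remote_net:
                # Inner packet Internal_A -> Internal_B rides in an outer
                # packet External FWA -> External FWB.
                return (self.phase1.local_gw, self.phase1.remote_gw)
        return None


def selectors_mirror(a: Gateway, b: Gateway) -> list:
    """Return a's phase 2 selectors that b does not mirror exactly.
    A non-empty result means traffic matching at one end is rejected
    or sent in the clear at the other."""
    mirrored = {(sel.remote_net, sel.local_net) for sel in b.phase2}
    return [sel for sel in a.phase2
            if (sel.local_net, sel.remote_net) not in mirrored]


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s)


# Constructed sample: site A is 10.1.0.0/16 behind 203.0.113.1,
# site B is 10.2.0.0/16 behind 198.51.100.1.
GW_A = Gateway(Phase1("203.0.113.1", "198.51.100.1"),
               [Phase2(net("10.1.0.0/16"), net("10.2.0.0/16"))])
GW_B = Gateway(Phase1("198.51.100.1", "203.0.113.1"),
               [Phase2(net("10.2.0.0/16"), net("10.1.0.0/16"))])
# Constructed misconfiguration: side B was given the wrong remote subnet.
GW_B_BAD = Gateway(Phase1("198.51.100.1", "203.0.113.1"),
                   [Phase2(net("10.2.0.0/16"), net("10.3.0.0/16"))])

if __name__ == "__main__":
    print("A->B inner 10.1.0.7 -> 10.2.0.5 outer:",
          GW_A.encapsulate("10.1.0.7", "10.2.0.5"))
    print("A->Internet inner 10.1.0.7 -> 192.0.2.9 outer:",
          GW_A.encapsulate("10.1.0.7", "192.0.2.9"))
    print("A/B mismatches:", selectors_mirror(GW_A, GW_B))
    print("A/B_BAD mismatches:", selectors_mirror(GW_A, GW_B_BAD))
    print("B_BAD return traffic 10.2.0.5 -> 10.1.0.7 outer:",
          GW_B_BAD.encapsulate("10.2.0.5", "10.1.0.7"))
```

Run it to see the two layers separately: `encapsulate` is the phase 2 decision (does this inner packet belong in the pipe), and the outer pair it returns is the phase 1 endpoint address pair. The `GW_B_BAD` case shows the symptom from the thread's resolution: the pipe is up, A's packets go out, but B never matches the return traffic because its selector points at a subnet that is not really behind A.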