On Fri, Nov 17, 2006 at 12:42:48AM +0100, Mitja wrote:
> Hello,
>
> I just need another look on this project.
>
>
> ISP router (x.x.12.153)
>      ^
>      |
>      v
> bge0 (x.x.12.154)
>      |
> [OpenBSD router1] --------------- bge1 (172.16.15.6)
>      |                  t              |
>     em1                 u         172.16.15.5
>      |                  n              |              -> ISPs MPLS
>      |                  n         172.16.16.5
>      |                  e              |              (not same office location)
> allocated public IPs    l         bge1 (172.16.16.6) --- [OpenBSD router2]
> x.x.180.192/27                                                  |
>                                                                em1 (2 addresses from
>                                                                     public IPs)
Please format for 80 or, preferably, 72 columns in the future.

> Theory:
> 1.Build a tunnel
> ROUTER1:
> cat /etc/hostname.gif0
> tunnel 172.16.15.6 172.16.16.6
> up
>
> ROUTER2:
> cat /etc/hostname.gif0
> tunnel 172.16.16.6 172.16.15.6
> up

I'd go with IPsec, and have no experience with gif, but this could work.

> 2.Build a bridge between tunnels
> ROUTER1:
> cat /etc/bridgename.bridge0
> add gif0
> add em1
> up
>
> ROUTER2:
> cat /etc/bridgename.bridge0
> add gif0
> add em1
> up

Why? Nothing is on the same subnet, so why a bridge?

> 3.Secure the tunnel (after I have a working bridge)

Security should be step 0. (I.e., depending on whether or not the network
is actually trusted, gif tunnels never will be secure.)

> 4.Set net.inet.ip.forwarding=1
> net.inet.etherip.allow=1
> 4 reboot
>
> In theory this should work, but obviously I forgot something. If I
> assign an IP address from allocated public addresses to both em1 nics
> should see some kind of traffic? How should I set routes on this type
> of configuration?

Call me an ipsecctl fanboy, but I can see an easier solution. You get a
lot of security features for free, too - something like

	ike esp from x.x.180.192/27 to x.x.x.x peer 172.16.16.16

(in /etc/ipsec.conf) comes to mind.

Joachim
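Joachim's ipsecctl suggestion written out for the tunnel endpoints in Mitja's diagram, as an added example that is part of neither message: it wraps the gif/EtherIP traffic between the two bge1 addresses in ESP so the bridged frames do not cross the ISP's MPLS in cleartext. The use of transport mode, the macro names and the pre-shared key placeholder are assumptions, not something either poster wrote.

```conf
# /etc/ipsec.conf on router1 (added example). router2 uses the same rule
# with the two macro values swapped. Protects everything exchanged between
# the two tunnel endpoints, which includes the EtherIP packets carrying the
# bridged Ethernet frames, so net.inet.etherip.allow=1 can stay as planned.

# Tunnel endpoint addresses taken from the diagram (macro names assumed).
local_gw  = "172.16.15.6"
remote_gw = "172.16.16.6"

# ESP in transport mode (assumption): both endpoints are the routers
# themselves and gif already supplies the encapsulation, so a second IP
# header from tunnel mode buys nothing. Main mode IKE with a pre-shared key;
# replace the placeholder with a long random secret identical on both sides.
ike esp transport from $local_gw to $remote_gw \
        psk "REPLACE_WITH_SHARED_SECRET"

# Load:   isakmpd -K && ipsecctl -f /etc/ipsec.conf
# Check:  ipsecctl -sa   (flows plus established SAs for both directions)
```

A quick `tcpdump -ni bge1 host 172.16.16.6` afterwards should show only ESP (and IKE on udp/500) between the endpoints, no EtherIP, which is the check that the bridge traffic is actually covered.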