Hi,

Currently at the company I work for we have a fairly large (almost 100 end-points) hub-and-spoke VPN network with a mix of Juniper Netscreens and Fortinet Fortigate firewalls as well as 1 OpenBSD firewall running at my house. We do not use policy-based VPNs but rather route-based, which simplifies management substantially.

For those that are not familiar with route-based VPNs - they are essentially point-to-point IPSEC connections which use virtual tunnel interfaces on the devices at each end of the tunnel. Once an IPSEC connection is made between the two devices you can use firewall rules to filter traffic on these interfaces as well as route networks through them. A lot of banks use this approach as they need to encrypt connections internally as well as externally. At this time we aren't using any dynamic routing on the VPN network but plan to change this, as this would simplify things one step further.

Juniper has a brief explanation of this here: http://www.juniper.net/products/integrated/secure_dynamic_vpns.pdf

Is it possible to achieve this with OpenBSD? I know OpenBSD has a pseudo-device called enc0 which you can filter traffic on using pf, but is it possible to use this device for routing traffic using static or dynamic routing? If this feature is not yet feasible, would this be considered for a future release?

I appreciate any feedback.

Thanks,
-Chris

-----------------------------------------------------------
Chris Jones, Sr. Systems & Network Engineer
CDot Networks Inc. - www.cdot.ca
Suite 224-2323 Quebec St.
Vancouver, B.C. V5T 4S7
E: [EMAIL PROTECTED]
T: 604-484-4222 Ext. 101
F: 604-648-9645
PGP key fingerprint = 32B3 C5B9 0555 F6A0 E7CF C6AA 23C2 B568 782E FD46