Hi, apologies if it's been talked about until blue, but I'm all manpage/google/list-searched out on this.
Using the old adage of Central Office and Branch Offices looking for secure connectivity:
- My old and outdated understanding (last time I was involved in planning a VPN was quite a while back) the only proper way to achieve Branch to Branch communication was using a star or full mesh solution.
- It's my understanding that this is no longer the case, with certain strategies like Cisco's DMVPN etc allowing Branch to Branch communication in a Hub and Spoke style VPN. Branch to Branch traffic will be rare for me, but it is necessary.
So, my question is this - what are the current best practices for setting up a hub and spoke topology using OpenBSD, allowing for traffic to securely flow from Branch to Branch on occasion without using a full mesh topology. If it's at all possible... (network description below)
What am I missing to route from Branch to Branch? Do I need to set aliases on the Central site? Do I need to add gre to the mix? gif?

The network will consist (for the sake of discussion anyway) of
- OpenBSD 4.2-current devices for all gateways
- isakmp automatic keying (so no manual flows, right?) using publickey authentication. A bit of additional security via pf only allowing related traffic from a static list of IPs. Please feel free to tell me if I should really head down the certificate path.
ipsec.conf files are simple, and already functional from Branch - Central, ie:
ike esp from a.b.c.d to e.f.g.h
ike esp from s.t.u.v/24 to w.x.y.z/24 peer e.f.g.h
(This will obviously need changing to reflect the greater class A that all branches share, but that's my next worry...) If I add additional lines to ipsec.conf reflecting the class C subnet of another branch, ipsecctl -sa does show flows, I just can't actually get packets through.
pf will set skip on enc0

Thanks for your time. I can send actual pf.conf and ipsec.conf if you like, but I've been changing them around to mess with this so who knows what's current.
Cheers, and apologies for the long-winded newbie question.

visc
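Added example, not part of the original post: a hub-and-spoke ipsec.conf layout in which Branch to Branch traffic transits the hub instead of needing a direct SA between branches. The addresses are constructed placeholders from the documentation ranges (hub 192.0.2.1 with LAN 10.0.0.0/24, branch A 198.51.100.1 with LAN 10.1.0.0/24, branch B 203.0.113.1 with LAN 10.2.0.0/24); substitute your own. The point it shows is that an ipsec.conf flow on one side must be mirrored exactly on the other, so the hub carries one "transit" flow per branch pair, each with the far branch's LAN as its local side and the near branch as peer.

```conf
# ---- Branch A (198.51.100.1, LAN 10.1.0.0/24) ----
ike esp from 198.51.100.1 to 192.0.2.1
ike esp from 10.1.0.0/24 to 10.0.0.0/24 peer 192.0.2.1
# Branch A -> Branch B still terminates on the hub: the peer is the hub,
# the far side is B's LAN. The hub must carry the mirror of this line.
ike esp from 10.1.0.0/24 to 10.2.0.0/24 peer 192.0.2.1

# ---- Branch B (203.0.113.1, LAN 10.2.0.0/24) ----
ike esp from 203.0.113.1 to 192.0.2.1
ike esp from 10.2.0.0/24 to 10.0.0.0/24 peer 192.0.2.1
ike esp from 10.2.0.0/24 to 10.1.0.0/24 peer 192.0.2.1

# ---- Hub (192.0.2.1, LAN 10.0.0.0/24) ----
ike esp from 192.0.2.1 to 198.51.100.1
ike esp from 192.0.2.1 to 203.0.113.1
ike esp from 10.0.0.0/24 to 10.1.0.0/24 peer 198.51.100.1
ike esp from 10.0.0.0/24 to 10.2.0.0/24 peer 203.0.113.1
# Transit flows. Each one mirrors a branch's "other branch" line:
#   local side = the branch that is NOT the peer, remote side = the peer's LAN.
# A packet from 10.1.0.0/24 decrypted from A matches the inbound half of the
# second line, is forwarded, and is re-encrypted by the outbound half of the
# first line towards B.
ike esp from 10.1.0.0/24 to 10.2.0.0/24 peer 203.0.113.1
ike esp from 10.2.0.0/24 to 10.1.0.0/24 peer 198.51.100.1
```

Two things the flows alone do not give you on the hub: it has to forward (net.inet.ip.forwarding=1 in sysctl.conf), and pf has to let the decrypted packet from enc0 go back out through enc0; with "set skip on enc0" that is already the case. Adding the far-branch subnet only on the branches, with no mirrored transit flow on the hub, is exactly the situation where ipsecctl -sa shows flows but no packets cross: the branch has a policy, the hub has nothing to match it against. ipsecctl -s flow on the hub should list both transit pairs once it is right.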
