[Openswan Users] Multi-hop IPSec

Tuomo Soini tis at foobar.fi
Mon Nov 21 06:58:01 EST 2011


On Sun, 20 Nov 2011 16:51:06 -0800
Kevin Keane (subscriptions) <subscription at kkeane.com> wrote:

> I think I may be close to solving it. I think my data center may have
> a firewall between the leaf and hub1 (the 10.0.1.0 and 10.0.2.0
> networks in the diagram below) that blocks traffic outside the two
> destinations.

No. If both can talk to hub you can build tunnels to do the whole
setup.
 
> If I remember right, IPSec does not do true tunneling. So my solution
> would be to build a network of L2TP tunnels on top of IPSec.

That is completely wrong - IPsec does real tunneling but only when your
packets match an IPsec tunnel. Both ends must have two tunnels to hub, one
for hub local net, one for remote net behind hub. So if you want this
to work correctly your hub needs to have 4 tunnels and both endpoints
must have 2 tunnels.

-- 
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
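The four-plus-two tunnel layout described above, written out as an Openswan ipsec.conf. This is an added illustration, not a file posted in the thread or shipped with Openswan; the hostnames, public addresses (192.0.2.1, 198.51.100.10, 203.0.113.20) and subnets (10.0.1.0/24 for the hub, 10.0.2.0/24 and 10.0.3.0/24 for the two leaves) are assumed values chosen for the example. Because Openswan works out which side of a conn it is from its own address, the same conn blocks can be copied verbatim to the other end: the hub carries all four, leaf A carries the two conns with right=198.51.100.10, leaf B the two with right=203.0.113.20.

```ini
# ipsec.conf on the hub (assumed topology, not from the original thread):
#   hub   192.0.2.1      local net 10.0.1.0/24
#   leafA 198.51.100.10  local net 10.0.2.0/24
#   leafB 203.0.113.20   local net 10.0.3.0/24
# Each conn is one subnet pair; traffic that matches no pair gets no IPsec
# policy, so every pair that must be protected needs its own conn.

config setup
	protostack=netkey

conn %default
	type=tunnel
	authby=secret
	keyexchange=ike
	auto=start
	left=192.0.2.1

# --- leaf A: two tunnels to the hub ---

# 1) A's net <-> hub's own local net
conn hub-leafA-hubnet
	leftsubnet=10.0.1.0/24
	right=198.51.100.10
	rightsubnet=10.0.2.0/24

# 2) A's net <-> leaf B's net, which sits behind the hub
conn hub-leafA-leafBnet
	leftsubnet=10.0.3.0/24
	right=198.51.100.10
	rightsubnet=10.0.2.0/24

# --- leaf B: two tunnels to the hub ---

# 3) B's net <-> hub's own local net
conn hub-leafB-hubnet
	leftsubnet=10.0.1.0/24
	right=203.0.113.20
	rightsubnet=10.0.3.0/24

# 4) B's net <-> leaf A's net, which sits behind the hub
conn hub-leafB-leafAnet
	leftsubnet=10.0.2.0/24
	right=203.0.113.20
	rightsubnet=10.0.3.0/24

# Leaf A's ipsec.conf: same config setup and %default block, plus conns 1 and 2.
# Leaf B's ipsec.conf: same config setup and %default block, plus conns 3 and 4.
```

Two checks worth doing after `ipsec auto --up` succeeds on all four conns. First, the hub is forwarding between two IPsec policies, so it must have `net.ipv4.ip_forward=1`; without it, packets from 10.0.2.0/24 to 10.0.3.0/24 are decrypted on the hub and then dropped. Second, `ip xfrm policy` on each host should list an `out` and `in` policy for every subnet pair that host participates in; a pair that is missing there is routed in the clear rather than rejected, which is the failure mode that is easy to mistake for "IPsec does not tunnel".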

