[ale] Multi-point VPN

Jeff Hubbs Jhubbs at niit.com
Fri Jun 1 14:56:48 EDT 2001


Bao -

Along your original line of thought, though, could IPSec in n1, n2, and n3
all be programmed to use the other two as gateways?  That would basically
make them all peers, but I'm worried that they might all just explode with
looping traffic if I pulled a stunt like that.

- Jeff

-----Original Message-----
From: Jeff Hubbs 
Sent: Friday, June 01, 2001 2:51 PM
To: Bao C. Ha; Jeff Hubbs; ale at ale.org
Subject: RE: [ale] Multi-point VPN


Bao -

That does seem to solve my too-many-boxes problem, but there are some issues
that that approach won't get me around.

First, I don't want l1-l3 communications to be throttled by the latency and
speed of n2, nor do I want a failure of n2 to isolate l1, l2, and l3 from
each other.  Second, I'm concerned that these liabilities will grow worse as
n > 3.  For this particular potential project, I can see n as high as 8-10.


Basically, I need an arbitrarily large number of "peer" VPN nodes
("gateways," if you prefer) such that no one node is special.

- Jeff

-----Original Message-----
From: Bao C. Ha [mailto:baoha at sensoria.com]
To: ale at ale.org
Sent: Friday, June 01, 2001 2:37 PM
To: 'Jeff Hubbs'; ale at ale.org
Subject: RE: [ale] Multi-point VPN



It would be FreeS/WAN.

You can set up multiple IPSec connections from a FreeS/WAN
machine.  The routing table has to be updated properly so
it knows where to send the packets.

For example, you have three locations: l1, l2, and l3.  Put
one machine at each location: n1, n2, and n3.  Set up IPSec
to connect n1<->n2 and n2<->n3.  Set up n2 as the IPSec
gateway for the other two: n1 and n3.  n1 and n3 will now
see each other by tunneling through n2.

Bao

> -----Original Message-----
> From: owner-ale at ale.org [mailto:owner-ale at ale.org]On Behalf Of Jeff
> Hubbs
> Sent: Friday, June 01, 2001 11:11 AM
> To: ale at ale.org
> Subject: [ale] Multi-point VPN
> 
> 
> Setting aside all the high-dollar options, what is the current
> state-of-the-art w.r.t. multipoint VPNs?
> 
> My objective is to establish encrypted tunnels over the Internet such that
> networks in three or more separate locations can be joined, either as
> separate subnets or all together as a single Class B network.
> 
> I have looked at FreeS/WAN, but it's not clear to me that it isn't just
> one-point-to-one-point.  What I don't want to have to do, in order to join
> three locations together, is to place two FreeS/WAN machines in one location
> and one in each of the other two locations.  I'd hate to have to set up
> 2(n - 1) FreeS/WAN machines for n locations.  I'd prefer an arrangement that
> only required one box in each location.
> 
> Does this exist yet?  Can someone throw me a bone here?
> 
> - Jeff
> --
> To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" 
> in message body.
> 
--
To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.
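
The two layouts discussed in this thread, hub-and-spoke through n2 and a full mesh of peer gateways, compared in an added Python example (not code from any poster or from the FreeS/WAN project). The addresses and subnets are constructed, the function names are hypothetical, and authentication settings are assumed to be configured separately.

```python
from itertools import combinations

# Constructed sample sites: gateway name -> (public IP, LAN subnet behind it).
SITES = {"n1": ("192.0.2.1", "10.1.0.0/16"),
         "n2": ("192.0.2.2", "10.2.0.0/16"),
         "n3": ("192.0.2.3", "10.3.0.0/16")}

def hub_and_spoke(nodes, hub):
    """Tunnels when every gateway connects only to the hub (n1<->n2, n2<->n3)."""
    return {frozenset((hub, n)) for n in nodes if n != hub}

def full_mesh(nodes):
    """One tunnel per pair of gateways: n*(n-1)/2 tunnels, one box per site."""
    return {frozenset(pair) for pair in combinations(nodes, 2)}

def path(tunnels, src, dst, down=frozenset()):
    """Shortest gateway path src -> dst over tunnels with no failed end, else None."""
    frontier, seen = [[src]], {src}
    while frontier:
        route = frontier.pop(0)
        if route[-1] == dst:
            return route
        for tunnel in tunnels:
            if route[-1] in tunnel and not tunnel & down:
                (nxt,) = tunnel - {route[-1]}
                if nxt not in seen:
                    seen.add(nxt)
                    frontier.append(route + [nxt])
    return None

def mesh_conns(sites, local):
    """ipsec.conf conn sections for `local` in a full mesh: one per remote subnet,
    so each destination subnet matches exactly one tunnel and nothing is relayed."""
    ip, net = sites[local]
    out = []
    for peer, (peer_ip, peer_net) in sorted(sites.items()):
        if peer != local:
            out.append(f"conn {local}-{peer}\n    left={ip}\n    leftsubnet={net}\n"
                       f"    right={peer_ip}\n    rightsubnet={peer_net}\n    auto=start\n")
    return out

if __name__ == "__main__":
    nodes = sorted(SITES)
    hub, mesh = hub_and_spoke(nodes, "n2"), full_mesh(nodes)
    print("hub path n1->n3:", path(hub, "n1", "n3"))
    print("hub, n2 down   :", path(hub, "n1", "n3", down=frozenset({"n2"})))
    print("mesh, n2 down  :", path(mesh, "n1", "n3", down=frozenset({"n2"})))
    print("tunnels for 10 sites:", len(full_mesh(range(10))))
    print("".join(mesh_conns(SITES, "n1")))
```

In the mesh each gateway holds n - 1 conn sections, and because every remote subnet is reached through its own direct tunnel, no gateway forwards traffic on behalf of another.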




