[ale] Multi-point VPN

Bao C. Ha baoha at sensoria.com
Fri Jun 1 16:33:06 EDT 2001



You will have to look at this as a network problem.
It is not an IPSec problem.  You will need at least 
one router in place to route these packets.  You can
have multiple routers with dynamic routing protocols 
like OSPF/BGP4.  It will scale since that is exactly
what the internet looks like.  That will solve the
reliability problem.  It does not solve the
performance issue since it depends on the CPUs on
these routers to decrypt/encrypt packets going
through them.  

The network topology maps almost the same as a
private WAN network linked through leased lines.
They are also using Point-to-Point Protocol (PPP)
with routers in place.

Bao

> -----Original Message-----
> From: Jeff Hubbs [mailto:Jhubbs at niit.com]
> Sent: Friday, June 01, 2001 11:51 AM
> To: Bao C. Ha; Jeff Hubbs; ale at ale.org
> Subject: RE: [ale] Multi-point VPN
> 
> 
> Bao -
> 
> That does seem to solve my too-many-boxes problem, but there are some
> issues that that approach won't get me around.
> 
> First, I don't want l1-l3 communications to be throttled by the latency
> and speed of n2, nor do I want a failure of n2 to isolate l1, l2, and l3
> from each other.  Second, I'm concerned that these liabilities will grow
> worse as n > 3.  For this particular potential project, I can see n as
> high as 8-10.
> 
> 
> Basically, I need an arbitrarily large number of "peer" VPN nodes
> ("gateways," if you prefer) such that no one node is special.
> 
> - Jeff
> 
> -----Original Message-----
> From: Bao C. Ha [mailto:baoha at sensoria.com]
> Sent: Friday, June 01, 2001 2:37 PM
> To: 'Jeff Hubbs'; ale at ale.org
> Subject: RE: [ale] Multi-point VPN
> 
> 
> 
> It would be FreeS/WAN.
> 
> You can set up multiple IPSec connections from a FreeS/WAN
> machine.  The routing table has to be updated properly so
> it knows where to send the packets.
> 
> For example, you have three locations: l1, l2, and l3.  Put
> one machine at each location: n1, n2, and n3.  Set up IPSec
> to connect n1<->n2 and n2<->n3.  Set up n2 as the IPSec
> gateway for the other two: n1 and n3.  n1 and n3 will now 
> see each other by tunneling through n2.
> 
> Bao
> 
> > -----Original Message-----
> > From: owner-ale at ale.org [mailto:owner-ale at ale.org]On Behalf Of Jeff
> > Hubbs
> > Sent: Friday, June 01, 2001 11:11 AM
> > To: ale at ale.org
> > Subject: [ale] Multi-point VPN
> > 
> > 
> > Setting aside all the high-dollar options, what is the current
> > state-of-the-art w.r.t. multipoint VPNs?
> > 
> > My objective is to establish encrypted tunnels over the Internet such
> > that networks in three or more separate locations can be joined, either
> > as separate subnets or all together as a single Class B network.
> > 
> > I have looked at FreeS/WAN, but it's not clear to me that it isn't just
> > one-point-to-one-point.  What I don't want to have to do, in order to
> > join three locations together, is to place two FreeS/WAN machines in one
> > location and one in each of the other two locations.  I'd hate to have
> > to set up 2(n - 1) FreeS/WAN machines for n locations.  I'd prefer an
> > arrangement that only required one box in each location.
> > 
> > Does this exist yet?  Can someone throw me a bone here?
> > 
> > - Jeff
> > --
> > To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" 
> > in message body.
> > 
> 
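
The trade-off argued in this thread, as an added example that is not part of any poster's message: it compares the hub layout (n1<->n2, n2<->n3) with a full mesh of peer gateways for n locations, counting tunnels and the gateway pairs that can still talk after the hub fails. The function names are hypothetical and the gateway names n1..nN are constructed to match the thread's naming.

```python
from collections import deque
from itertools import combinations

def hub_and_spoke(gateways, hub):
    """Tunnels n1<->n2 and n2<->n3 from the thread, generalised: every gateway to one hub."""
    return {frozenset((hub, g)) for g in gateways if g != hub}

def full_mesh(gateways):
    """One tunnel per gateway pair, so no single node is special."""
    return {frozenset(pair) for pair in combinations(gateways, 2)}

def reachable_pairs(gateways, tunnels, failed=()):
    """Gateway pairs that can still reach each other with the `failed` gateways down."""
    alive = [g for g in gateways if g not in failed]
    neighbours = {g: set() for g in alive}
    for tunnel in tunnels:
        a, b = tuple(tunnel)
        if a in neighbours and b in neighbours:
            neighbours[a].add(b)
            neighbours[b].add(a)
    pairs = set()
    for start in alive:                      # breadth-first search from each gateway
        seen, queue = {start}, deque([start])
        while queue:
            for nxt in neighbours[queue.popleft()] - seen:
                seen.add(nxt)
                queue.append(nxt)
        pairs |= {frozenset((start, g)) for g in seen if g != start}
    return pairs

def compare(n, hub_index=1):
    """Tunnel counts and surviving pairs after the hub fails, for n locations."""
    gateways = [f"n{i}" for i in range(1, n + 1)]   # constructed names, as in the thread
    hub = gateways[hub_index]                        # n2 by default
    star, mesh = hub_and_spoke(gateways, hub), full_mesh(gateways)
    return {
        "star_tunnels": len(star),
        "mesh_tunnels": len(mesh),
        "boxes_if_one_per_tunnel_end": 2 * len(star),   # the 2(n - 1) figure
        "star_pairs_after_hub_failure": len(reachable_pairs(gateways, star, [hub])),
        "mesh_pairs_after_hub_failure": len(reachable_pairs(gateways, mesh, [hub])),
    }

if __name__ == "__main__":
    for n in (3, 10):
        print(n, compare(n))
```
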