
Re: Big VPN



Hi, CCing the list again because other people might have cleverer ideas. I 
hope you don't mind, Jaroslaw.

On Wed, Mar 03, 2004 at 11:36:27AM +0100, Jarosław Tabor wrote:
> That's OK. But what about routing ? How to inform other nodes, about new
> subnet ? I think, that this will require some kind of dynamic routing and
> IPSec on demand. But, as I see from freeswan and openswan doc, this isn't
> supported.

Hmm, you are right... The only solution I see ATM is to pre-configure an
appropriate amount of subnets on each LAN's IPSec router in advance, say
200. :-/ LAN number n gets the network 10.0.n.0/24, and its IPSec router is
set up as ipsecn.mydomain.net.

Later, when network number 42 has been set up to use 10.0.42.0/24, you only
need to update the DNS entry of ipsec42.mydomain.net and all other LANs 
should be able to use it. (New IPSec links will be set up on demand once 
anyone tries to connect to the new network.)

Obviously, an alternative would be to have one central node which acts as
a router between any two LANs. This will be much easier to maintain, I
don't know if the resulting single point of failure and possibly lower
performance are a problem for you. Each of the 100 LANs would just route
all 10.0.0.0/16 addresses to the central node, and only the central node
would be trusted, so you don't have to mess with CAs etc...

Cheers,

  Richard

--
  __   _
  |_) /|  Richard Atterer     |  GnuPG key:
  | \/¯|  http://atterer.net  |  0x888354F7
  ¯ '` ¯
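Both layouts sketched in the mail (a pre-provisioned conn per LAN with on-demand negotiation, versus a single trusted central node) lend themselves to generated rather than hand-written configuration. The following is an added example, not code from the thread or from the FreeS/WAN or Openswan projects. It emits ipsec.conf fragments using real keys (left, leftsubnet, right, rightsubnet, leftid, rightid, authby, auto), takes the 10.0.n.0/24 numbering, the ipsecN.mydomain.net naming and the "say 200" LAN count from the mail, and assumes a hub name of ipsec-hub.mydomain.net for the central node. Authentication material (RSA keys or X.509 certificates for the mesh, pre-shared keys in ipsec.secrets for the hub) is deliberately left out.

```python
"""Generate Openswan / FreeS/WAN ipsec.conf fragments for the two layouts in the
thread: a pre-provisioned full mesh vs. a central hub.  Added example; key names
are real ipsec.conf keys, the hub hostname and the 1..200 LAN range are assumptions."""
import ipaddress
from typing import Dict

VPN_SPACE = ipaddress.ip_network("10.0.0.0/16")  # whole VPN address space (from the mail)
DOMAIN = "mydomain.net"                           # from the mail
HUB_FQDN = f"ipsec-hub.{DOMAIN}"                  # assumed name for the central node
MAX_LAN = 200                                     # "say 200" in the mail


def lan_subnet(n: int) -> ipaddress.IPv4Network:
    """LAN number n owns 10.0.n.0/24; refuse numbers that cannot fit in the /16."""
    if not 1 <= n <= 254:
        raise ValueError(f"LAN number {n} outside 1..254")
    net = ipaddress.ip_network(f"10.0.{n}.0/24")
    assert net.subnet_of(VPN_SPACE)
    return net


def gateway_fqdn(n: int) -> str:
    """DNS name of LAN n's IPsec router; only this record changes when LAN n goes live."""
    return f"ipsec{n}.{DOMAIN}"


def _conn(name: str, params: Dict[str, str]) -> str:
    """Render one ipsec.conf section (tab-indented key=value lines)."""
    body = "\n".join(f"\t{k}={v}" for k, v in params.items())
    return f"conn {name}\n{body}\n"


def mesh_config(my_lan: int, max_lan: int = MAX_LAN) -> str:
    """Layout 1: router of LAN my_lan carries a conn for every other LAN, whether it
    exists yet or not.  auto=route installs the policy without negotiating, so the
    SA is only set up when traffic to that subnet first appears (the on-demand
    behaviour the mail describes).  Per-peer rsasigkey / certificate lines are
    omitted here and must be added out of band."""
    sections = [_conn("%default", {
        "authby": "rsasig",
        "left": "%defaultroute",
        "leftsubnet": str(lan_subnet(my_lan)),
        "leftid": "@" + gateway_fqdn(my_lan),
    })]
    for n in range(1, max_lan + 1):
        if n == my_lan:
            continue  # no tunnel to ourselves
        sections.append(_conn(f"lan{n}", {
            "right": gateway_fqdn(n),
            "rightid": "@" + gateway_fqdn(n),
            "rightsubnet": str(lan_subnet(n)),
            "auto": "route",
        }))
    return "\n".join(sections)


def spoke_config(my_lan: int) -> str:
    """Layout 2, spoke side: one tunnel to the hub covering all of 10.0.0.0/16.
    Only the hub is trusted, so a pre-shared key per spoke (in ipsec.secrets) suffices."""
    return _conn("hub", {
        "authby": "secret",
        "left": "%defaultroute",
        "leftsubnet": str(lan_subnet(my_lan)),
        "leftid": "@" + gateway_fqdn(my_lan),
        "right": HUB_FQDN,
        "rightid": "@" + HUB_FQDN,
        "rightsubnet": str(VPN_SPACE),
        "auto": "start",
    })


def hub_config(max_lan: int = MAX_LAN) -> str:
    """Layout 2, hub side: one conn per spoke, loaded (auto=add) and waiting for the
    spoke to initiate; the hub forwards between the tunnels."""
    sections = [_conn("%default", {
        "authby": "secret",
        "left": "%defaultroute",
        "leftid": "@" + HUB_FQDN,
        "leftsubnet": str(VPN_SPACE),
    })]
    for n in range(1, max_lan + 1):
        sections.append(_conn(f"spoke{n}", {
            "right": gateway_fqdn(n),
            "rightid": "@" + gateway_fqdn(n),
            "rightsubnet": str(lan_subnet(n)),
            "auto": "add",
        }))
    return "\n".join(sections)


def conn_count(config: str) -> int:
    """Number of non-default conn sections, for sanity-checking generated output."""
    return sum(1 for line in config.splitlines()
               if line.startswith("conn ") and line != "conn %default")


if __name__ == "__main__":
    print(mesh_config(42))
```

The difference between the two layouts shows up in what each router has to trust: in the mesh, LAN 42's router must authenticate 199 peers, which is why the mail brings up CAs, whereas a spoke only ever authenticates the hub. The range check in lan_subnet is the one guard worth keeping even in a throwaway generator, since a LAN number above 254 would silently produce an address outside 10.0.0.0/16 and break the spokes' single /16 route.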
