 From:  "dasz" <daszylstra at comcast dot net>
 To:  "Dan Firac" <dan dot firac at romtelecom dot ro>, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Hub-And-Spoke VPN
 Date:  Wed, 1 Mar 2006 17:27:35 -0500
Yes, I have a small Hub/spoke setup (1 hub, 2 "spokes").  The key is that 
you have to have multiple IPSEC tunnels to the hub for each spoke.

In my case I have 2 spokes, so each remote Monowall has 2 IPSEC connections 
to the hub - 1 for traffic to the hub network, 1 for traffic through the hub 
for the remote spoke.

example:
Hub LAN = 192.168.1.0
Spoke 1 = 192.168.2.0
Spoke 2 = 192.168.3.0

Hub IPSEC config:
Spoke 1 = local 192.168.1.0/24<>remote 192.168.2.0/24
    (normal com between hub LAN and spoke 1 LAN)
Spoke 1 = local 192.168.3.0/24<>remote 192.168.2.0/24
    (This tells Mono that when traffic comes from spoke 2 it gets sent to 
spoke 1)
Spoke 2 = local 192.168.1.0/24<>remote 192.168.3.0/24
    (normal traffic between hub LAN and spoke 2 LAN)
Spoke 2 = local 192.168.2.0/24<>remote 192.168.3.0/24
    (this tells Mono that when traffic comes from spoke 1 it gets sent to 
spoke 2)

Spoke 1 IPSEC config:  (all remote endpoints are Hub's public IP)
Hub traffic= local 192.168.2.0/24<>remote 192.168.1.0/24
Spoke 2 traffic = local 192.168.2.0/24<>remote 192.168.3.0/24

Spoke 2 IPSEC config:  (all remote endpoints are Hub's public IP)
Hub traffic= local 192.168.3.0/24<>remote 192.168.1.0/24
Spoke 2 traffic = local 192.168.3.0/24<>remote 192.168.2.0/24

It gets confusing . . . . I'm confusing myself just typing the above 
explanation (if anyone has a better one, please post it) - it took me about 
an hour to wrap my brain around how it works when I first got it working. . 
. . adding 1 spoke to the above means you have to add 1 tunnel each to the 
spokes and 5 more to the Hub - each spoke gets as many tunnels as there are 
spokes and the hub gets the number of spokes squared in tunnels (i.e. 10 
spokes = 10 tunnels on each spoke to hub, 100 tunnels on hub).

In my case I have several outside vendors that connect to the hub using 
192.168.0.0/23 with the appropriate tunnels added to the above hub/spoke 
config . . . . . . it gets real complicated, real fast . . . . .

To Monowall's developers' credit, one of the vendors told me that they've 
never seen anyone get the routing between sites working that quickly and 
easily!

David Zylstra
(586) 764 9858
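Added example (not m0n0wall's own code and not from the mail): given the hub LAN and the spoke LANs, it lists the phase-2 local<>remote pairs each site needs under the scheme above, verifies that every pair has its mirror image on the hub (an unmatched selector is the usual reason one direction of spoke-to-spoke traffic never enters the tunnel), and reproduces the tunnel counts (N per spoke, N squared on the hub). The site names and the ten-spoke subnets are constructed.

```python
import ipaddress


def hub_spoke_tunnels(hub_lan, spoke_lans):
    """Return {site: [(local, remote), ...]} for the hub and every spoke.

    Every spoke gets one tunnel per network it must reach (hub LAN plus
    each other spoke LAN), all terminating at the hub's public IP.  The hub
    gets the mirror image of each of those, so a spoke that may receive
    traffic from N-1 other spokes plus the hub needs N entries on the hub.
    """
    nets = {"hub": str(ipaddress.ip_network(hub_lan))}
    nets.update({s: str(ipaddress.ip_network(c)) for s, c in spoke_lans.items()})
    tunnels = {"hub": []}
    for spoke in spoke_lans:
        tunnels[spoke] = []
        for other in nets:
            if other == spoke:
                continue
            # Spoke side: local = own LAN, remote = the network it must reach.
            tunnels[spoke].append((nets[spoke], nets[other]))
            # Hub side: exact mirror image, so both ends' phase-2 selectors match.
            tunnels["hub"].append((nets[other], nets[spoke]))
    return tunnels


def unmirrored(tunnels):
    """Return (site_missing_it, local, remote) for every pair whose mirror
    image is absent on the other end; an empty list means the config is
    consistent."""
    hub = set(tunnels["hub"])
    spokes = {t for site, ts in tunnels.items() if site != "hub" for t in ts}
    missing = [("hub", r, l) for (l, r) in spokes if (r, l) not in hub]
    missing += [("spoke", r, l) for (l, r) in hub if (r, l) not in spokes]
    return missing


def tunnel_counts(tunnels):
    return {site: len(pairs) for site, pairs in tunnels.items()}


if __name__ == "__main__":
    # Constructed input matching the mail: hub .1.0, spokes .2.0 and .3.0.
    t = hub_spoke_tunnels("192.168.1.0/24",
                          {"spoke1": "192.168.2.0/24", "spoke2": "192.168.3.0/24"})
    for site, pairs in t.items():
        print(site)
        for local, remote in pairs:
            print(f"  local {local} <> remote {remote}")
    print(tunnel_counts(t), unmirrored(t))
```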
----- Original Message ----- 
From: "Dan Firac" <dan dot firac at romtelecom dot ro>
To: <m0n0wall at lists dot m0n0 dot ch>
Sent: Wednesday, March 01, 2006 12:02 PM
Subject: [m0n0wall] Hub-And-Spoke VPN
Hello all,

Can m0n0wall be configured for a Hub-And-Spoke VPN with communication 
between spokes?

TIA,
Dan.