Thank you! Now it is clear. Although m0n0wall does remote VPN access natively, for small VPNs, Hub-and-Spoke can be emulated using more tunnels.

----- Original Message -----
From: "dasz" <daszylstra at comcast dot net>
To: "Dan Firac" <dan dot firac at romtelecom dot ro>; <m0n0wall at lists dot m0n0 dot ch>
Sent: Thursday, March 02, 2006 12:27 AM
Subject: Re: [m0n0wall] Hub-And-Spoke VPN

>
> Yes, I have a small Hub/spoke setup (1 hub, 2 "spokes"). The key is that
> you have to have multiple IPSEC tunnels to the hub for each spoke.
>
> In my case I have 2 spokes, so each remote Monowall has 2 IPSEC connections
> to the hub - 1 for traffic to the hub network, 1 for traffic through the hub
> for the remote spoke.
>
> example:
> Hub LAN = 192.168.1.0
> Spoke 1 = 192.168.2.0
> Spoke 2 = 192.168.3.0
>
> Hub IPSEC config:
> Spoke 1 = local 192.168.1.0/24<>remote 192.168.2.0/24
> (normal com between hub LAN and spoke 1 LAN)
> Spoke 1 = local 192.168.3.0/24<>remote 192.168.2.0/24
> (This tells Mono that when traffic comes from spoke 2 it gets sent to
> spoke 1)
> Spoke 2 = local 192.168.1.0/24<>remote 192.168.3.0/24
> (normal traffic between hub LAN and spoke 2 LAN)
> Spoke 2 = local 192.168.2.0/24<>remote 192.168.3.0/24
> (this tells Mono that when traffic comes from spoke 1 it gets sent to
> spoke 2)
>
> Spoke 1 IPSEC config: (all remote endpoints are Hub's public IP)
> Hub traffic = local 192.168.2.0/24<>remote 192.168.1.0/24
> Spoke 2 traffic = local 192.168.2.0/24<>remote 192.168.3.0/24
>
> Spoke 2 IPSEC config: (all remote endpoints are Hub's public IP)
> Hub traffic = local 192.168.3.0/24<>remote 192.168.1.0/24
> Spoke 2 traffic = local 192.168.3.0/24<>remote 192.168.2.0/24
>
> It gets confusing . . . . I'm confusing myself just typing the above
> explanation (if anyone has a better one, please post it) - it took me about
> an hour to wrap my brain around how it works when I first got it working. . . .
> Adding 1 spoke to the above means you have to add 1 tunnel each to the
> spokes and 5 more to the Hub - each spoke gets as many tunnels as there are
> spokes and the hub gets the number of spokes squared in tunnels (i.e. 10
> spokes = 10 tunnels on each spoke to hub, 100 tunnels on hub).
>
> In my case I have several outside vendors that connect to the hub using
> 192.168.0.0/23 with the appropriate tunnels added to the above hub/spoke
> config . . . . . . it gets real complicated, real fast . . . . .
>
> To Monowall's developers' credit, one of the vendors told me that they've
> never seen anyone get the routing between sites working that quickly and
> easily!
>
> David Zylstra
> (586) 764 9858
>
> ----- Original Message -----
> From: "Dan Firac" <dan dot firac at romtelecom dot ro>
> To: <m0n0wall at lists dot m0n0 dot ch>
> Sent: Wednesday, March 01, 2006 12:02 PM
> Subject: [m0n0wall] Hub-And-Spoke VPN
>
>
> Hello all,
>
> Can m0n0wall be configured for a Hub-And-Spoke VPN with communication
> between spokes?
>
> TIA,
> Dan.
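The tunnel scheme in the reply above, as an added example that is not from the thread or from m0n0wall: given the hub LAN and any number of spoke LANs, it generates the local<>remote selector pairs each box needs, checks that every spoke tunnel has its exact mirror on the hub (the usual cause of one-way traffic), and reproduces the n and n² tunnel counts David gives. Function names and the non-overlap check are my own assumptions.

```python
from ipaddress import ip_network


def hub_and_spoke_policies(hub_lan, spoke_lans):
    """Return the IPsec tunnel (local, remote) selector list per m0n0wall.

    Follows the post: each spoke gets one tunnel to the hub endpoint for
    every network it must reach (hub LAN plus every other spoke), and the
    hub carries the mirror image of every spoke tunnel.
    """
    hub = ip_network(hub_lan)
    spokes = [ip_network(s) for s in spoke_lans]
    nets = [hub] + spokes
    # Assumed check: overlapping subnets make the selectors ambiguous.
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"{a} overlaps {b}")
    policies = {"hub": []}
    for spoke in spokes:
        others = [n for n in nets if n != spoke]
        # Spoke side: local is its own LAN, remote is each network reached via the hub.
        policies[str(spoke)] = [(spoke, other) for other in others]
        # Hub side: local is the network the spoke wants to reach, remote is the spoke LAN.
        policies["hub"] += [(other, spoke) for other in others]
    return {k: [(str(l), str(r)) for l, r in v] for k, v in policies.items()}


def tunnel_counts(n_spokes):
    """Tunnels per spoke and on the hub for n spokes (the post's n and n squared)."""
    return n_spokes, n_spokes * n_spokes


def check_symmetry(policies):
    """True when every spoke selector has an exact mirror on the hub and vice versa."""
    hub = set(policies["hub"])
    mirrored = {(r, l) for k, v in policies.items() if k != "hub" for l, r in v}
    return hub == mirrored


if __name__ == "__main__":
    # Constructed input matching the example in the post.
    p = hub_and_spoke_policies("192.168.1.0/24", ["192.168.2.0/24", "192.168.3.0/24"])
    for box, tunnels in p.items():
        print(box)
        for local, remote in tunnels:
            print(f"  local {local}<>remote {remote}")
    print("symmetric:", check_symmetry(p))
```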