Lazo wrote:
>
> I have read that freeswan works between two e-smith servers,
> but could it be modified to work between four e-smith!!
>
> The idea is to connect all the remote offices to ours, the
> main office and the three remote ones, could this be done or
> do I have to look forward to a hardware solution?
>
> Thanks
This is a better question for the FreeS/WAN list, but here's my 2 cents.
From a FreeS/WAN config standpoint (I use it on a separate firewall, not with SME as a gateway) the typical way to do this is to create a web of connections between each site that needs to talk. It's not as bad a maintenance nightmare as you would expect since all 4 servers can have the same ipsec.conf listing all connections. You might need to comment out the auto= lines for the connections that don't apply on each box, but I don't think so.
To do the spokes to a hub model, I've read of a bug/feature you can take advantage of by defining the spokes as subnets of the hub. For example:
hub network defined in ipsec.conf as 192.168.0.0/16 and the spokes as 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24, etc. This is supposed to fool it so the routing works, but that is not what it is intended to do.
The VPN links are not like hardwire connections that you just need to set up the proper routing. As I understand it, you shouldn't be able to route from one spoke through the hub to another over the VPN tunnels.
All that said, I have never tried it, but there have been discussions of doing the hub/spoke on the FreeS/WAN list. I personally manage all the ipsec.conf files centrally and distribute them via scp when updates are needed.
- Todd
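
An added example, not part of Todd's message: a small generator for the "web of connections" layout described above, producing one conn section per pair of sites so the same text can be distributed to all four gateways. The site names, gateway addresses and subnets are constructed placeholders, and authentication settings (keys or secrets) are left out and must be added per site.

```python
"""Added example: build one shared FreeS/WAN-style ipsec.conf for a full mesh."""
import ipaddress
from itertools import combinations

# Constructed sample sites: names, public gateway IPs (documentation ranges)
# and LAN subnets are all hypothetical.
SITES = {
    "main":    {"gw": "192.0.2.1",    "subnet": "192.168.0.0/24"},
    "office1": {"gw": "198.51.100.1", "subnet": "192.168.1.0/24"},
    "office2": {"gw": "198.51.100.9", "subnet": "192.168.2.0/24"},
    "office3": {"gw": "203.0.113.1",  "subnet": "192.168.3.0/24"},
}

def check_subnets(sites):
    """Reject overlapping LANs: in a mesh each subnet must map to one tunnel."""
    nets = {n: ipaddress.ip_network(s["subnet"]) for n, s in sites.items()}
    for a, b in combinations(sorted(nets), 2):
        if nets[a].overlaps(nets[b]):
            raise ValueError(f"{a} {nets[a]} overlaps {b} {nets[b]}")

def mesh_conns(sites):
    """Return one (name, left_site, right_site) per unordered pair of sites."""
    check_subnets(sites)
    return [(f"{a}-{b}", a, b) for a, b in combinations(sorted(sites), 2)]

def render(sites, auto="start"):
    """Render conn sections; the same text is meant for every gateway."""
    out = []
    for name, a, b in mesh_conns(sites):
        out += [
            f"conn {name}",
            f"\tleft={sites[a]['gw']}",
            f"\tleftsubnet={sites[a]['subnet']}",
            f"\tright={sites[b]['gw']}",
            f"\trightsubnet={sites[b]['subnet']}",
            f"\tauto={auto}",
            "",
        ]
    return "\n".join(out)

if __name__ == "__main__":
    print(render(SITES))
```

Four sites give six connections; the overlap check rejects a layout such as a /16 at one site containing another site's /24.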