<< | Thread Index | >> ]    [ << | Date Index | >> ]

Subject: Re: RFC: Large dynamic CIPE VPN (2nd posting)
From: Martijn van Oosterhout <kleptog,AT,cupid,DOT,suninternet,DOT,com>
Date: Sun, 22 Oct 2000 08:04:15 +0200
In-reply-to: <39F1DA7F.DB8DBCD4@zls.de>

Christian Lademann wrote:
> 
> Hi, CIPE-experts.
> 
> I am working on an idea I had and I would like to hear your opinions and
> 
> suggestions.

> I would like to build a large-scale VPN with possibly some hundered
> peers
> that all connect to a central site over the internet. The remote boxes
> should be unattended and their CIPE-configuration should eventually be
> remotely reconfigurable.

[description of possible way of doing it]

There is one thing that may make your job a little easier. In the server 
config, if you specify the remote peer as 0.0.0.0, it will accept any 
connection that has the right static key. So the server config file
would
not need to contain the address of the client machine.

Now, depending on what your security requirements, you may be able to
keep
a static mapping between port numbers and server keys, so then you would
never need to modify the server config file at all. Or maybe just
rewrite
them all just once per day.

On a different note, one thing that would *really* help in this case
would
be being able to have one cipe daemon handle many tunnels. I know there
has been talk about this but I have no idea what is involved.

Another interesting possibility would be to hack the cipe daemon so that
instead of reading files, it read it's configuration out of a database.
If
your database also kept track of process IDs you could easily keep track
of which ones are still running and which arn't. Your CIPE SuperServer
would then do something like:

psql cipe -c "insert into connections
($ifnumber,$port,$key,$clientaddress,etc..)
ciped device=cipe-db$ifnumber
[wait for cipe to exit]
psql cipe -c "delete from connections where ifnumber=$ifnumber"

This database could be shared between multple machines. For the clients
it's
probably best to keep the individual config files.

Anyway, good luck, sounds like an interesting project...
-- 
Martijn van Oosterhout <kleptog,AT,cupid,DOT,suninternet,DOT,com>
http://cupid.suninternet.com/~kleptog/





<< | Thread Index | >> ]    [ << | Date Index | >> ]