Max IPSEC tunnels - Networking


Thread: Max IPSEC tunnels

  1. Max IPSEC tunnels

    I'm trying to verify the max number of IPSEC tunnels that my OpenSuSE
    10.3 box can support. Since I can't get hundreds of peer IPs, does any
    one have any recommendation(s) on how I might go about doing that?

    I have the basic IPSEC stuff working for a handful associations on my
    private network (10 hosts) but looking for a way to scale this further up.

    TIA.

  2. Re: Max IPSEC tunnels

    Am Tue, 16 Sep 2008 11:56:47 -0700 schrieb John Shepard:

    > I'm trying to verify the max number of IPSEC tunnels that my OpenSuSE
    > 10.3 box can support. Since I can't get hundreds of peer IPs, does any
    > one have any recommendation(s) on how I might go about doing that?


    depends on your netmasks

  3. Re: Max IPSEC tunnels

    Burkhard Ott wrote:
    > Am Tue, 16 Sep 2008 11:56:47 -0700 schrieb John Shepard:
    >
    >> I'm trying to verify the max number of IPSEC tunnels that my OpenSuSE
    >> 10.3 box can support. Since I can't get hundreds of peer IPs, does any
    >> one have any recommendation(s) on how I might go about doing that?
    >
    > depends on your netmasks


    Can you please provide some more details?
    e.g., do I set up multiple logical IP addresses with different netmasks?

    Since I'm on a private network, I can pretty much use any IP/netmask,
    though I prefer to be on a truly private 192.*/169.* etc. network.

  4. Re: Max IPSEC tunnels

    Am Fri, 19 Sep 2008 10:00:43 -0700 schrieb John Shepard:

    > Burkhard Ott wrote:
    >> Am Tue, 16 Sep 2008 11:56:47 -0700 schrieb John Shepard:
    >>
    >>> I'm trying to verify the max number of IPSEC tunnels that my OpenSuSE
    >>> 10.3 box can support. Since I can't get hundreds of peer IPs, does any
    >>> one have any recommendation(s) on how I might go about doing that?
    >>
    >> depends on your netmasks
    >
    > Can you please provide some more details?
    > e.g., do I set up multiple logical IP addresses with different netmasks?


    192.168.0.1/32 == 192.168.1.1/32 -> 1 tunnel, 1 host
    192.168.0.0/24 == 192.168.1.0/24 -> 1 tunnel, 254 hosts
    192.168.0.0/16 == 192.168.1.0/16 -> no tunnel; it doesn't work because of
    routing, or you set up host routes manually, but usually that isn't what
    you want.

    You also can mix tunnels:

    192.168.0.1/32 == 10.0.0.0/24 -> 1 tunnel; 1 host can reach 254 hosts on the
    one site and 254 hosts can reach 1 host on the other site.
    If you don't use AH you're able to masquerade behind 192.168.0.1/32 etc.

    It always depends on what you need.

    > Since I'm on a private network, I can pretty much use any IP/netmask,
    > though I prefer to be on a truly private 192.*/169.* etc. network.


    You should use only RFC 1918 IPs, because all traffic to a tunnel
    endpoint will be encrypted.

    cheers
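The netmask arithmetic in the reply above, worked through as an added example (this is not code from the thread): each local/remote selector pair is classified the way the reply does, counting reachable hosts, flagging the overlapping /16 case that plain routing cannot handle, and checking that both sides sit inside RFC 1918 space. The function names, the sample pair list and the RFC 1918 table are assumptions made for this example.

```python
import ipaddress

# Constructed table of the RFC 1918 ranges the reply recommends (169.254.0.0/16 is link-local, not RFC 1918).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def usable_hosts(net):
    """Hosts reachable through one selector; a /24 counts 254, as in the reply."""
    if net.prefixlen >= 31:          # /32 is one host, /31 a point-to-point pair
        return net.num_addresses
    return net.num_addresses - 2     # drop the network and broadcast addresses


def is_rfc1918(net):
    return any(net.subnet_of(block) for block in RFC1918)


def analyse_pair(local_cidr, remote_cidr):
    """Classify one local == remote selector pair (the reply's notation)."""
    local = ipaddress.ip_network(local_cidr, strict=False)
    remote = ipaddress.ip_network(remote_cidr, strict=False)
    result = {"local": str(local), "remote": str(remote),
              "rfc1918": is_rfc1918(local) and is_rfc1918(remote)}
    if local.overlaps(remote):
        # 192.168.0.0/16 == 192.168.1.0/16: both sides are the same prefix, so
        # routing cannot decide which packets belong in the tunnel.
        result.update(tunnels=0, local_hosts=0, remote_hosts=0,
                      note="selectors overlap; routing cannot separate the sides")
    else:
        result.update(tunnels=1, local_hosts=usable_hosts(local),
                      remote_hosts=usable_hosts(remote), note="ok")
    return result


def plan(pairs):
    """Totals for a list of selector pairs: working tunnels and host pairs covered."""
    rows = [analyse_pair(l, r) for l, r in pairs]
    tunnels = sum(r["tunnels"] for r in rows)
    host_pairs = sum(r["local_hosts"] * r["remote_hosts"] for r in rows)
    return tunnels, host_pairs, rows


if __name__ == "__main__":
    # Constructed sample reproducing the four cases in the reply.
    sample = [("192.168.0.1/32", "192.168.1.1/32"), ("192.168.0.0/24", "192.168.1.0/24"),
              ("192.168.0.0/16", "192.168.1.0/16"), ("192.168.0.1/32", "10.0.0.0/24")]
    n, hp, rows = plan(sample)
    for r in rows:
        print(f'{r["local"]:>18} == {r["remote"]:<18} tunnels={r["tunnels"]} '
              f'hosts={r["local_hosts"]}x{r["remote_hosts"]} rfc1918={r["rfc1918"]} {r["note"]}')
    print(f"{n} tunnels covering {hp} host pairs")
```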
