[63782] in North American Network Operators' Group


Re: large-scale IPSEC tunnel deployment

daemon@ATHENA.MIT.EDU (Neil J. McRae)
Fri Oct 10 05:26:50 2003

To: alex@yuriev.com (Alex Yuriev)
Date: Fri, 10 Oct 2003 10:22:14 +0100 (BST)
Cc: nanog@merit.edu
In-Reply-To: <Pine.LNX.4.44.0310092101250.4404-100000@s1.yuriev.com> from "Alex Yuriev" at Oct 09, 2003 09:05:35 PM
From: neil@DOMINO.ORG (Neil J. McRae)
Errors-To: owner-nanog-outgoing@merit.edu


> Hello,	
> 	Does anyone have any experience with large scale production IPSEC
> tunnel deployment, where large scale is defined as over 100 net-to-net
> tunnels to different destination networks active at any time?
> 	If so, would such person(s) mind sharing any
> quirks/platforms/implementations for more or less automated topology
> testing/verification?

Orchestream has some of this functionality for setting the tunnels up;
you can then use the CORBA interface to set up management with
tools like SMARTS. The other problem is managing the keys: if you
don't have a CA, it will be painful if you need to change the keys. We
have had some success with RSA's CA platform and IOS on this.

Neil. 
