I've just been looking at setting up ipsec with multiple endpoints
(zyxel 661h, fwiw: the basic connectivity is ok, though I am growing
to loathe their web gui and lack of plaintext config).

It would be convenient not to wire the remote peers down to static
IP addresses, but if I do something like this...

# @0
ike passive esp from 10.1.10.0/24 to 10.1.44.100/24 \
        quick auth hmac-sha1 enc aes group grp2 \
        srcid me.mylan.net dstid net.100 psk 22222

# @1
ike passive esp from 10.1.10.0/24 to 10.1.44.101/24 \
        quick auth hmac-sha1 enc aes group grp2 \
        srcid me.mylan.net dstid net.101 psk 33333

the following peer config sections (and others) are generated:

@0 C set [Phase 1]:Default=peer-default force
C set [peer-default]:Phase=1 force
C set [peer-default]:Authentication=22222 force
C set [peer-default]:Configuration=mm-default force
C set [peer-default]:ID=me.mylan.net-ID force
C set [peer-default]:Remote-ID=default-ID force
C set [default-ID]:ID-type=FQDN force
C set [default-ID]:Name=net.100 force

@1 C set [Phase 1]:Default=peer-default force
C set [peer-default]:Phase=1 force
C set [peer-default]:Authentication=33333 force
C set [peer-default]:Configuration=mm-default force
C set [peer-default]:ID=me.mylan.net-ID force
C set [peer-default]:Remote-ID=default-ID force
C set [default-ID]:ID-type=FQDN force
C set [default-ID]:Name=net.101 force

obviously having the same names, the first is overwritten by the second.

Would I be totally going down the wrong route if I were to change
the hardcoded -default and default- section names in ipsecctl/ike.c
to something based on dstid?

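As an added illustration (not part of the post above, and not ipsecctl or isakmpd code), here is a small Python check that parses the generated "C set [section]:Key=value force" lines quoted in the message and reports every section key that different ike rules write with different values. It assumes, as the post does, that a later "set ... force" on the same section key replaces the earlier one, so each reported key is a peer whose settings are lost; the surviving_config helper applies that last-write-wins rule to show what isakmpd would actually be left with.

```python
import re
from collections import OrderedDict

# The "C set" stream for the two passive rules, copied from the post above.
# The "@N" prefix marks the first line emitted for ike rule N.
GENERATED = """\
@0 C set [Phase 1]:Default=peer-default force
C set [peer-default]:Phase=1 force
C set [peer-default]:Authentication=22222 force
C set [peer-default]:Configuration=mm-default force
C set [peer-default]:ID=me.mylan.net-ID force
C set [peer-default]:Remote-ID=default-ID force
C set [default-ID]:ID-type=FQDN force
C set [default-ID]:Name=net.100 force

@1 C set [Phase 1]:Default=peer-default force
C set [peer-default]:Phase=1 force
C set [peer-default]:Authentication=33333 force
C set [peer-default]:Configuration=mm-default force
C set [peer-default]:ID=me.mylan.net-ID force
C set [peer-default]:Remote-ID=default-ID force
C set [default-ID]:ID-type=FQDN force
C set [default-ID]:Name=net.101 force
"""

# Optional "@N " rule marker, then "C set [section]:key=value" with an
# optional trailing " force".
SET_RE = re.compile(r'^(?:@(\d+)\s+)?C set \[([^\]]+)\]:([^=]+)=(.*?)(?:\s+force)?$')


def parse_sets(text):
    """Yield (rule_index, section, key, value) for every 'C set' line.

    Only the first line of each rule's output carries the '@N' marker, so the
    rule index is carried forward onto the lines that follow it.
    """
    rule = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SET_RE.match(line)
        if not m:
            continue  # not a 'C set' line; ignore
        if m.group(1) is not None:
            rule = int(m.group(1))
        yield rule, m.group(2), m.group(3), m.group(4)


def find_overwrites(text):
    """Return {(section, key): [(rule, value), ...]} for each section key that
    different rules set to different values (assumption: the later 'force'
    write silently replaces the earlier one, as the post describes)."""
    seen = OrderedDict()
    for rule, section, key, value in parse_sets(text):
        seen.setdefault((section, key), []).append((rule, value))
    return OrderedDict((k, v) for k, v in seen.items()
                       if len({val for _, val in v}) > 1)


def surviving_config(text):
    """Apply last-write-wins per section key and return {section: {key: value}}."""
    cfg = {}
    for _, section, key, value in parse_sets(text):
        cfg.setdefault(section, {})[key] = value
    return cfg


if __name__ == "__main__":
    for (section, key), writes in find_overwrites(GENERATED).items():
        print(f"[{section}]:{key} written by "
              + ", ".join(f"@{r}={v}" for r, v in writes))
    final = surviving_config(GENERATED)
    print("surviving peer-default Authentication:",
          final["peer-default"]["Authentication"],
          "Remote-ID name:", final["default-ID"]["Name"])
```

Run against the two rules from the post, the check flags [peer-default]:Authentication (22222 vs 33333) and [default-ID]:Name (net.100 vs net.101), and the surviving configuration keeps only the second peer. The same check can be pointed at the generated config for a whole ipsec.conf before it is loaded, so that a peer silently collapsing into another is caught as a configuration error rather than as an authentication failure on the wire.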