Hi,
Host A and Host B are connected through IPsec. Additionally we have road
warriors that directly connect to Host B. Unfortunately we cannot
define an IP range from where these road warriors connect, thus we have
to use the range "to any".
/etc/ipsec.conf:
Host A:
ike esp from 192.168.1.1/24 to 10.1.0.0/16 \
local 1.1.1.1 peer 2.2.2.2 \
srcid foo.bar.com
Host B:
ike esp from 10.128.0.0/16 to 192.168.1.1/24 \
local 2.2.2.2 peer 1.1.1.1 \
srcid bar.foo.com
# Road Warrior
ike dynamic esp from 10.1.0.0/16 to any \
main auth hmac-md5 enc 3des group modp1024 \
quick auth hmac-md5 enc 3des group modp1024 \
srcid bar.foo.com
Initial start and setting up of SAs works fine. We are facing problems
when Host A and B have to rekey (default 20 min). I see Invalid Cookie
messages and NEGOTIATION Error messages. We have an outage of a few
minutes after the old SAs have timed out. At some point the systems seem
to recover.
Can this problem occur because Host B has overlapping IP ranges within
the configuration? Is there a different way to configure this, e.g.
negated ranges like "to !192.168.1.1/24"?
Thx,
Mischa
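An added example, not part of the post above: a small Python checker that parses `ike ... from X to Y` flow rules in the ipsec.conf shorthand, reports flows on one host whose source and destination selectors both overlap (a packet could match more than one rule), and reports static flows that the peer's configuration does not cover in the reverse direction. It is a static selector comparison of the flows quoted in the post, not isakmpd's own SA lookup; the sample input is constructed from those flows.

```python
import ipaddress
import re

FLOW_RE = re.compile(r"\bfrom\s+(\S+)\s+to\s+(\S+)")

def _net(token):
    """'any' means every address; host/prefix forms like 192.168.1.1/24 are normalised."""
    return ipaddress.ip_network("0.0.0.0/0" if token == "any" else token, strict=False)

def parse_flows(conf_text):
    """(src, dst, dynamic) per 'ike [dynamic] ... from X to Y' rule; backslash
    continuations are joined and '#' comments dropped."""
    rules, buf = [], ""
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].rstrip()
        if not line:
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        rules.append(buf + line)
        buf = ""
    flows = []
    for rule in rules:
        m = FLOW_RE.search(rule)
        if m:
            flows.append((_net(m.group(1)), _net(m.group(2)), " dynamic " in f" {rule} "))
    return flows

def overlapping_flows(flows):
    """Index pairs of flows on one host whose src AND dst selectors overlap."""
    return [(i, j) for i in range(len(flows)) for j in range(i + 1, len(flows))
            if flows[i][0].overlaps(flows[j][0]) and flows[i][1].overlaps(flows[j][1])]

def unmirrored_flows(local, peer):
    """Static local flows with no peer flow covering the reverse direction."""
    return [f for f in local if not f[2] and
            not any(f[1].subnet_of(ps) and f[0].subnet_of(pd) for ps, pd, _ in peer)]

# Sample input constructed from the flows quoted in the post
HOST_A = r"""ike esp from 192.168.1.1/24 to 10.1.0.0/16 \
    local 1.1.1.1 peer 2.2.2.2 srcid foo.bar.com"""
HOST_B = r"""ike esp from 10.128.0.0/16 to 192.168.1.1/24 \
    local 2.2.2.2 peer 1.1.1.1 srcid bar.foo.com
# Road Warrior
ike dynamic esp from 10.1.0.0/16 to any \
    main auth hmac-md5 enc 3des group modp1024 srcid bar.foo.com"""

def check():
    a, b = parse_flows(HOST_A), parse_flows(HOST_B)
    return {"overlap_b": overlapping_flows(b),
            "a_unmirrored": unmirrored_flows(a, b),
            "b_unmirrored": unmirrored_flows(b, a)}
```

On the quoted flows the overlap check is empty (10.128.0.0/16 and 10.1.0.0/16 are disjoint), but Host B's site-to-site flow has no counterpart on Host A because Host A's destination is 10.1.0.0/16, not 10.128.0.0/16; a road-warrior rule sharing its source prefix with a static rule would be flagged as overlapping.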