On Thu, 9 Apr 2015 17:24:52 +0000 (UTC) Scott Bonar <sbo...@gmail.com> wrote:
> Timo Teras <timo.teras@...> writes:
> > This is the only setup I've been using. That is having wildcard 0/0
> > policies to protect all traffic.
> >
> > I generally prefer the wildcard policy setup; but I can also
> > understand that in some circumstances having node-to-node specific
> > policies might be preferable. Unfortunately I have no experience
> > with that.
>
> Thanks for the reply. Unfortunately this solution falls down if you
> have multiple spokes behind the same NAT, since IPsec does not know
> which tunnel to send the NHRP packet to.
>
> Without the NAT, I configure the HUB's IPsec with "generate_policy
> unique" and that solves it.

This is a limitation of the current code. generate_policy will not fully solve the issue. There are several cases where things will not work properly even with that config option. So sorry, multiple spokes behind the same public IP is currently not supported.

Though, generate_policy might be useful if you have other devices behind the vpnc that want to talk using GRE to the internet.

/Timo

_______________________________________________
opennhrp-devel mailing list
opennhrp-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/opennhrp-devel