IPsec: The same srcid, dstid and peer for multiple tunnels

2008-11-21 Thread Mikolaj Kucharski
Hi,

Is it possible to have two or more subnets, each configured with the
same srcid, dstid and peer? Currently I cannot make it work. It works
only for the first subnet in the roadwarrior config file. Is it possible
at all, no matter what IPsec implementation I would like to use?


# router: /etc/ipsec.conf(5)
ike passive esp tunnel \
from 172.16.0.0/16 to any \
srcid net4511.example.com
ike passive esp tunnel \
from 192.168.1.0/24 to any \
srcid net4511.example.com
ike passive esp tunnel \
from 192.168.2.0/24 to any \
srcid net4511.example.com
ike passive esp tunnel \
from 192.168.3.0/24 to any \
srcid net4511.example.com


# roadwarrior: /etc/ipsec.conf(5)
ike dynamic esp tunnel \
from egress to 172.16.0.0/16 \
peer net4511.example.com \
srcid x40.openbsd.home.lan dstid net4511.example.com
ike dynamic esp tunnel \
from egress to 192.168.3.0/24 \
peer net4511.example.com \
srcid x40.openbsd.home.lan dstid net4511.example.com



Both systems are not older than:

# sysctl -n kern.version
OpenBSD 4.4-current (GENERIC) #1050: Wed Sep 10 12:18:05 MDT 2008
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC

-- 
best regards
q#



Re: IPsec: The same srcid, dstid and peer for multiple tunnels

2008-11-21 Thread Mikolaj Kucharski
On Fri, Nov 21, 2008 at 02:52:53PM +, Mikolaj Kucharski wrote:
> Hi,
>
> Is it possible to have two or more subnets, each configured with the
> same srcid, dstid and peer? Currently I cannot make it work. It works
> only for the first subnet in the roadwarrior config file. Is it possible
> at all, no matter what IPsec implementation I would like to use?

Thanks Mitja. To resolve my problem config on the router should look
like:

# router: /etc/ipsec.conf(5)
ike passive esp tunnel \
from { \
172.16.0.0/16 \
192.168.1.0/24 \
192.168.2.0/24 \
192.168.3.0/24 \
} to any \
srcid net4511.example.com


Roadwarriors don't need to change anything. They can have multiple
tunnels defined separately.

> # roadwarrior: /etc/ipsec.conf(5)
> ike dynamic esp tunnel \
> from egress to 172.16.0.0/16 \
> peer net4511.example.com \
> srcid x40.openbsd.home.lan dstid net4511.example.com
> ike dynamic esp tunnel \
> from egress to 192.168.3.0/24 \
> peer net4511.example.com \
> srcid x40.openbsd.home.lan dstid net4511.example.com

-- 
best regards
q#



Re: IPsec: The same srcid, dstid and peer for multiple tunnels

2008-11-21 Thread Stuart Henderson
On 2008-11-21, Mikolaj Kucharski [EMAIL PROTECTED] wrote:
> On Fri, Nov 21, 2008 at 02:52:53PM +, Mikolaj Kucharski wrote:
> > Hi,
> >
> > Is it possible to have two or more subnets, each configured with the
> > same srcid, dstid and peer? Currently I cannot make it work. It works
> > only for the first subnet in the roadwarrior config file. Is it possible
> > at all, no matter what IPsec implementation I would like to use?
>
> Thanks Mitja. To resolve my problem config on the router should look
> like:
>
> # router: /etc/ipsec.conf(5)
> ike passive esp tunnel \
> from { \
> 172.16.0.0/16 \
> 192.168.1.0/24 \
> 192.168.2.0/24 \
> 192.168.3.0/24 \
> } to any \
> srcid net4511.example.com

There is no difference between the two router configs, this is
exactly equivalent to the previous one you posted.. you can see
for yourself by examining output from ipsecctl -nvf file
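Stuart's equivalence claim can be checked without an OpenBSD box. The following is an added example, not code from the thread or from ipsecctl: a small parser that expands both router configs from the thread into per-network flows and compares the resulting sets. It models only the `from`/`to`/`peer`/`srcid`/`dstid` keywords and `{ ... }` address lists, an assumed subset of the ipsec.conf(5) grammar; both configs are rebuilt inline from the posts above.

```python
KEYS = {"from", "to", "peer", "srcid", "dstid"}


def parse_rules(conf):
    """Expand the ike rules in an ipsec.conf(5) text into a set of flows.

    Only the from/to/peer/srcid/dstid keywords and `{ ... }` address lists
    are modelled (an assumption; the real ipsecctl grammar is far larger).
    """
    text = conf.replace("\\\n", " ")  # join backslash-continued lines
    flows = set()
    for line in text.splitlines():
        body = line.split("#", 1)[0]  # drop comments
        toks = body.replace("{", " { ").replace("}", " } ").split()
        if not toks or toks[0] != "ike":
            continue
        fields, i = {}, 0
        while i < len(toks):
            if toks[i] not in KEYS:  # skip mode/proto words: passive, esp, tunnel
                i += 1
                continue
            key, i = toks[i], i + 1
            if i < len(toks) and toks[i] == "{":  # brace list: collect up to "}"
                j = toks.index("}", i)
                fields[key], i = toks[i + 1:j], j + 1
            else:
                fields[key], i = [toks[i]], i + 1
        one = lambda k: fields.get(k, [None])[0]
        # a list of N networks on `from` is N separate flows, one per network
        for src in fields["from"]:
            for dst in fields["to"]:
                flows.add((src, dst, one("peer"), one("srcid"), one("dstid")))
    return flows


NETS = ["172.16.0.0/16", "192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"]
# router config from the first post: one rule per subnet (rebuilt from the thread)
ROUTER_REPEATED = "".join(
    f"ike passive esp tunnel \\\nfrom {n} to any \\\nsrcid net4511.example.com\n"
    for n in NETS)
# router config from the follow-up: one rule with a brace list on `from`
ROUTER_LIST = ("ike passive esp tunnel \\\nfrom { \\\n"
               + "".join(f"{n} \\\n" for n in NETS)
               + "} to any \\\nsrcid net4511.example.com\n")


def configs_equivalent(a, b):
    """True when both texts expand to the same set of flows."""
    return parse_rules(a) == parse_rules(b)
```

On a real system `ipsecctl -nvf file` performs the authoritative expansion; this parser only reproduces it for the subset used in the thread.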