Eric Baenen wrote:
I originally tried setting up five separate IPSEC VPN channels between the core 
firewall and the lab 8 firewall - each one assigned to a separate subnet in Lab 
8 - but none of them worked.  Based on the IPSEC VPN log entries it seemed the 
firewall was getting confused about which key to use with which channel.  All 
of the VPN links had the same local and remote gateways.

When I disabled all but the VPN channel between the core subnet and 
192.168.100.x - that link came up and works fine.  Activate a second and 
neither works.

This is a known limitation of the current WebGUI. The IPSEC infrastructure is perfectly capable of doing multiple phase2 negotiations (one per subnet) after a single phase1 (mutual authentication of the two endpoints), but the xml-config/web-interface is not. I once had some patches, but only to filter.inc (no user interface).

Try toggling 'Prefer old IPsec SAs' in the advanced config (on one or both sides); it might benefit your situation (or not at all :).

Angelo Turetta
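
The single-phase1, multiple-phase2 layout described in this reply, as an added example that is not part of the original message or of the firewall's own code: a small check that groups per-subnet tunnel entries by gateway pair and flags entries that cannot share one phase1. The dictionary fields, gateway addresses, key labels and every subnet except 192.168.100.x are hypothetical, and it assumes pre-shared keys are looked up per peer address.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample: one entry per subnet pair, all with the same gateways.
# Field names, gateways, key labels and 10.0.0.0/24, 192.168.101.0/24 are made up.
TUNNELS = [
    {"local_gw": "198.51.100.1", "remote_gw": "198.51.100.2",
     "local_net": "10.0.0.0/24", "remote_net": "192.168.100.0/24",
     "psk_id": "key-a"},
    {"local_gw": "198.51.100.1", "remote_gw": "198.51.100.2",
     "local_net": "10.0.0.0/24", "remote_net": "192.168.101.0/24",
     "psk_id": "key-b"},
]


def plan_phase1(tunnels):
    """Collapse tunnel entries into one phase1 per gateway pair,
    each carrying the list of phase2 selectors (local net, remote net)."""
    peers = defaultdict(lambda: {"psk_ids": set(), "phase2": []})
    for t in tunnels:
        peer = peers[(t["local_gw"], t["remote_gw"])]
        peer["psk_ids"].add(t["psk_id"])  # key label only, never the secret
        peer["phase2"].append(
            (ip_network(t["local_net"]), ip_network(t["remote_net"])))
    return dict(peers)


def lint(tunnels):
    """Return findings for entries that cannot coexist under one phase1."""
    findings = []
    for (lgw, rgw), peer in sorted(plan_phase1(tunnels).items()):
        # Assumption: the key is chosen by peer address, so one gateway
        # pair can only authenticate with a single pre-shared key.
        if len(peer["psk_ids"]) > 1:
            findings.append(f"{lgw}<->{rgw}: {len(peer['psk_ids'])} "
                            "different keys for one phase1")
        sels = peer["phase2"]
        for i, (l1, r1) in enumerate(sels):
            for l2, r2 in sels[i + 1:]:
                # Overlapping selectors make the phase2 SA choice ambiguous.
                if l1.overlaps(l2) and r1.overlaps(r2):
                    findings.append(f"{lgw}<->{rgw}: overlapping phase2 "
                                    f"selectors {l1}->{r1} and {l2}->{r2}")
    return findings


if __name__ == "__main__":
    for line in lint(TUNNELS):
        print(line)
```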
