Homer Parker wrote:
Firewall A

3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:30:1b:09:d3:ee brd ff:ff:ff:ff:ff:ff
inet 64.216.xxx.xxx/xx brd 64.216.105.127 scope global eth0
4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:40:f4:5e:e1:57 brd ff:ff:ff:ff:ff:ff
inet 10.0.0.2/24 brd 10.0.0.255 scope global eth1
5: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:02:e3:15:c9:11 brd ff:ff:ff:ff:ff:ff
inet 10.0.1.254/24 brd 10.0.1.255 scope global eth2
14: ipsec0: <NOARP,UP> mtu 16260 qdisc pfifo_fast qlen 10
link/ether 00:30:1b:09:d3:ee brd ff:ff:ff:ff:ff:ff
inet 64.216.xxx.xxx/xx brd 64.216.105.127 scope global ipsec0
15: ipsec1: <NOARP> mtu 0 qdisc noop qlen 10
link/ipip   (The person using the other tunnel is currently out of town, and has the firewall shut off)


# ip route
64.216.xxx.0/25 dev eth0 proto kernel scope link src 64.216.xxx.xxx
64.216.xxx.0/25 dev ipsec0 proto kernel scope link src 64.216.xxx.xxx
10.0.0.0/24 dev eth1 proto kernel scope link src 10.0.0.2
10.0.1.0/24 dev eth2 proto kernel scope link src 10.0.1.254
192.168.2.0/24 via 64.216.xxx.zzz dev ipsec0
192.168.1.0/24 via 64.216.xxx.zzz dev ipsec0
default via 64.216.xxx.yyy dev eth0

Firewall A is at the office. Secret has a couple of people working on
stuff Private has no access to, but Secret can see the file server on
Private. Firewall A needs to be in Secret, Firewall B needs to be in
Private. Everything works as I want, but there is a potential race
condition if the firewall reboots, connectivity is lost, whatever. The
connection that was ipsec0 may end up ipsec1 if it's second to get a
connection. I'm looking through the docs, as I thought I saw something
about an interface option for ipsec.conf, but I'm thinking it was for what
interface to allow tunnels to bind to. Would that also allow me to specify
the tunnel name (ipsec0, etc.) in the area where I set up the connection as
well? I need to make sure that upon reconnection everyone gets the right
tunnel. Thanks!
Um...there should be no race condition in the assignment of ipsecN interface numbering. This is done by the ipsec software.

Normally, there is a single ipsec logical interface, bound to your external, upstream interface...multiple tunnels can use the same virtual ipsec interface (for instance, it looks like you have two tunnels established already: 192.168.2.0/24 & 192.168.1.0/24).

If for some reason you have IPSec tunnels that leave your router on more than one physical interface (rare, but possible), you will have multiple ipsec? interfaces, but AFAIK, there is no way to "automatically" create this sort of setup. If there is (perhaps %defaultroute is more sophisticated than I am aware), and you're worried about which I/F is assigned to which ipsec? virtual interface, just hard-code it in your ipsec.conf file, i.e.:

interfaces="ipsec0=eth1 ipsec1=ppp0"

...as described in the ipsec.conf man page:
http://leaf.steinkuehler.net/devel/cstein/Packages/man/IPSec1.91/manpage.d/ipsec.conf.5.html

--
Charles Steinkuehler
[EMAIL PROTECTED]
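As an added example (not from the thread above and not the LEAF or FreeS/WAN project's own configuration), here is what an ipsec.conf for Firewall A looks like when ipsec0 is pinned to eth0 and both tunnels are carried over that one virtual interface, which is the setup the reply describes. The public addresses keep the xxx/yyy/zzz placeholders from the post and must be replaced with the real ones; the choice of 10.0.1.0/24 as the local subnet, the remote gateway's next hop, the connection names and the key values are assumptions for illustration.

```conf
# ipsec.conf for Firewall A (FreeS/WAN 1.9x syntax) - added example, not from the post
config setup
    # Bind the virtual interface to the physical one explicitly instead of
    # relying on %defaultroute, so the ipsec0 <-> eth0 pairing is identical
    # after every reboot regardless of which peer comes up first.
    interfaces="ipsec0=eth0"
    klipsdebug=none
    plutodebug=none
    plutoload=%search
    plutostart=%search
    uniqueids=yes

conn %default
    keyingtries=0
    authby=rsasig
    # Firewall A's public address and upstream gateway (xxx/yyy as in the post)
    left=64.216.xxx.xxx
    leftnexthop=64.216.xxx.yyy
    # Assumption: the office LAN behind eth2 is the one exposed over the tunnels
    leftsubnet=10.0.1.0/24
    # Replace with the output of `ipsec showhostkey --left` on Firewall A
    leftrsasigkey=0sAQ...

# Both tunnels ride on ipsec0; only the remote subnet, peer and key differ.
conn office-to-home1
    right=64.216.xxx.zzz
    rightnexthop=64.216.xxx.www     # assumed: the remote gateway's upstream hop
    rightsubnet=192.168.1.0/24
    rightrsasigkey=0sAQ...          # from `ipsec showhostkey --right` on the peer
    auto=start

conn office-to-home2
    right=64.216.xxx.zzz
    rightnexthop=64.216.xxx.www     # assumed: the remote gateway's upstream hop
    rightsubnet=192.168.2.0/24
    rightrsasigkey=0sAQ...          # from `ipsec showhostkey --right` on the peer
    auto=start
```

After `ipsec setup restart`, `ipsec tncfg` should report ipsec0 attached to eth0, and `ip route` should show both 192.168.x.0/24 routes via ipsec0, the same as in the post, no matter the order in which the two peers negotiate. No conn section names a virtual interface; the mapping lives only in the `interfaces=` line, which is why there is nothing per-connection to race on. The peers' own ipsec.conf files need the mirrored left/right values for their side.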


leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html