I opened a PR on this earlier this year. Search my last name in query-pr. The Cisco 3000 supports SA Proposals with multiple discontiguous subnets.
~BAS

On Tue, 2005-06-07 at 20:54, Tamas TEVESZ wrote:
> hi,
>
> i have a situation where a branch office with multiple,
> non-overlapping, non-aggregatable local networks needs to connect to
> the head office, via an ipsec tunnel. "of course", the security
> gateway is also acting as a gateway to the internet (nat and the usual
> collateral stuff), and, as a matter of fact, some of the "local"
> networks are connected to it via openvpn (that is, it itself is a vpn
> concentrator of sorts, for openvpn tunnels).
>
> rough sketch:
>
>   -- branch office --                  |   |       -- head office --
>                                        |   |
>   172.16.187.0/24  -                   |   |
>   172.19.47.0/24    \  +-----------+   |   |   +-----------+
>                      +-|security gw|- (ipsec tun) -|security gw|- ...
>   192.168.114.0/24  /  +--------+--+   |   |   +-----------+
>   192.168.2.0/24   -            |
>                                  \
>                                   ---- (internet etc..)
>
> it may also be the case that at the head office end, there will be
> more than one host/network to be accessed; this is not clarified
> yet. i am not in control of the head office's concentrator, but i know
> that they are using a cisco 3060.
>
> how is this realized within isakmpd's configuration? i already have
> tried putting more than one ipv4_addr_subnet into the ipsec-id
> section, and even more than one ipsec-id section, but isakmpd throws
> them out (no surprise).
>
> if this cannot be realized within isakmpd, what other options do i
> have? pf route-to/reply-to are about the only thing i can think
> of... anything else?
>
> tia,
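The usual isakmpd.conf layout for several non-aggregatable local subnets behind one gateway is one Phase 2 connection per local subnet, each with its own IPsec-ID section. The fragment below is an added example written for this reply; it is not from the original thread and not the poster's configuration. The gateway addresses (BRANCH_GW_IP, HEAD_GW_IP), the head-office network (HEAD_OFFICE_NET), the pre-shared key and the section names are placeholders, and it assumes the head-office concentrator is willing to negotiate a separate SA for each subnet pair (for a Cisco box that means one matching crypto ACL line per pair). The built-in Default-main-mode and Default-quick-mode configurations are used rather than spelling out transforms.

```ini
# Added example: isakmpd.conf on the branch-office gateway (not from the
# thread). BRANCH_GW_IP, HEAD_GW_IP, HEAD_OFFICE_NET and the pre-shared
# key are placeholders, not values from the original post.

[General]
Listen-on=              BRANCH_GW_IP

# Phase 1: one ISAKMP peer, keyed by its address.
[Phase 1]
HEAD_GW_IP=             head-office-peer

# Phase 2: one connection per local subnet. isakmpd takes exactly one
# IPV4_ADDR_SUBNET per IPsec-ID section, so each network gets its own
# ID section and its own Phase 2 SA instead of one SA listing all four.
[Phase 2]
Connections=            vpn-187, vpn-47, vpn-114, vpn-2

[head-office-peer]
Phase=                  1
Address=                HEAD_GW_IP
Configuration=          Default-main-mode
Authentication=         PLACEHOLDER_PRESHARED_KEY

[vpn-187]
Phase=                  2
ISAKMP-peer=            head-office-peer
Configuration=          Default-quick-mode
Local-ID=               net-172.16.187
Remote-ID=              net-head-office

[vpn-47]
Phase=                  2
ISAKMP-peer=            head-office-peer
Configuration=          Default-quick-mode
Local-ID=               net-172.19.47
Remote-ID=              net-head-office

[vpn-114]
Phase=                  2
ISAKMP-peer=            head-office-peer
Configuration=          Default-quick-mode
Local-ID=               net-192.168.114
Remote-ID=              net-head-office

[vpn-2]
Phase=                  2
ISAKMP-peer=            head-office-peer
Configuration=          Default-quick-mode
Local-ID=               net-192.168.2
Remote-ID=              net-head-office

# IPsec-ID sections: one subnet each, as isakmpd requires.
[net-172.16.187]
ID-type=                IPV4_ADDR_SUBNET
Network=                172.16.187.0
Netmask=                255.255.255.0

[net-172.19.47]
ID-type=                IPV4_ADDR_SUBNET
Network=                172.19.47.0
Netmask=                255.255.255.0

[net-192.168.114]
ID-type=                IPV4_ADDR_SUBNET
Network=                192.168.114.0
Netmask=                255.255.255.0

[net-192.168.2]
ID-type=                IPV4_ADDR_SUBNET
Network=                192.168.2.0
Netmask=                255.255.255.0

# Placeholder for the head-office side; add one more Remote-ID section
# and one more connection per subnet pair if the head office exposes
# several networks.
[net-head-office]
ID-type=                IPV4_ADDR_SUBNET
Network=                HEAD_OFFICE_NET
Netmask=                255.255.255.0
```

Each connection yields its own pair of SAs and its own flow, which is what keeps the four disjoint prefixes from having to be expressed as a single aggregate. If the head office later exposes more than one network, the combination grows as (local subnets × remote subnets) connections, so it is worth confirming on both ends that every pair has a matching policy before enabling them all.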