Hello, I'm trying to set up multiple transport mode SAs between an OpenBSD 4.0 box and a Cisco 7301 running IOS [ultimate reason is to load test multiple L2TP over IPSEC tunnels].
Each SA is between the same two IP endpoints but specifies a different UDP port pair. I was able to get a single SA up using ipsecctl, after making this small fix:

--- sbin/ipsecctl/ike.c.orig Thu Nov 23 22:48:23 2006 +++ sbin/ipsecctl/ike.c Thu Nov 23 22:48:37 2006
@@ -526,7 +526,7 @@ fprintf(fd, SET "[lid-%s]:Port=%d force\n", src->name, ntohs(sport)); if (dport) - fprintf(fd, SET "[rid-%s]:Port=%d force\n", src->name, + fprintf(fd, SET "[rid-%s]:Port=%d force\n", dst->name, ntohs(dport)); }

However, what I'm trying to do now is set up multiple SAs. Here's my test config with 4 SAs, /etc/ipsec.conf.4 (the OpenBSD box is 10.1.1.6 and the Cisco is 10.1.1.1):

ike esp transport proto udp from 10.1.1.6 port 10000 to 10.1.1.1 port 1701 \
        main auth hmac-md5 enc 3des group modp1024 \
        quick auth hmac-md5 enc 3des group none \
        psk "mypresharedkey"

ike esp transport proto udp from 10.1.1.6 port 10001 to 10.1.1.1 port 1701 \
        main auth hmac-md5 enc 3des group modp1024 \
        quick auth hmac-md5 enc 3des group none \
        psk "mypresharedkey"

ike esp transport proto udp from 10.1.1.6 port 10002 to 10.1.1.1 port 1701 \
        main auth hmac-md5 enc 3des group modp1024 \
        quick auth hmac-md5 enc 3des group none \
        psk "mypresharedkey"

ike esp transport proto udp from 10.1.1.6 port 10003 to 10.1.1.1 port 1701 \
        main auth hmac-md5 enc 3des group modp1024 \
        quick auth hmac-md5 enc 3des group none \
        psk "mypresharedkey"

Here's how I'm running isakmpd:

# isakmpd -K -4 -v -d -L

And here's how I trigger the process:

# ipsecctl -F; ipsecctl -vvf /etc/ipsec.conf.4
[output pasted below]

However, when I do this, only a single quick mode SA is set up. ipsecctl shows this:

# ipsecctl -s all
FLOWS:
flow esp in proto udp from 10.1.1.1 port 1701 to 10.1.1.6 port 10003 peer 10.1.1.1 srcid 10.1.1.6/32 dstid 10.1.1.1/32 type use
flow esp out proto udp from 10.1.1.6 port 10003 to 10.1.1.1 port 1701 peer 10.1.1.1 srcid 10.1.1.6/32 dstid 10.1.1.1/32 type require

SAD:
esp transport from 10.1.1.6 to 10.1.1.1 spi 0x09b364d2 auth hmac-md5 enc 3des-cbc \
        authkey 0x... \
        enckey 0x...
esp transport from 10.1.1.1 to 10.1.1.6 spi 0x0a6994af auth hmac-md5 enc 3des-cbc \
        authkey 0x... \
        enckey 0x...
#

and the same SAs are shown on the Cisco side too.
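Review bot: On the ike.c hunk above, the one-argument change is the right fix and it mirrors the sport branch directly above it: the local port is written under [lid-<src>], so the remote port belongs under [rid-<dst>], the section the connection's Remote-ID=rid-<dst> line actually points at. With src->name, the remote port was being written to a section named rid-<src> that nothing references, so isakmpd never saw a remote port at all. The ipsecctl -vv output later in this message confirms the corrected line in effect (C set [rid-10.1.1.1]:Port=1701 force). Since the two fprintf calls now differ only in that one argument, a short comment that lid-/rid- sections are keyed by the local and remote endpoint names respectively would make the same copy-paste slip harder to reintroduce.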
isakmpd says only:

093109.047718 Default isakmpd: phase 1 done: initiator id 0a010106: 10.1.1.6, responder id 0a010101: 10.1.1.1, src: 10.1.1.6 dst: 10.1.1.1
093109.056238 Default isakmpd: quick mode done: src: 10.1.1.6 dst: 10.1.1.1

'tcpdump -nxr /var/log/isakmpd.pcap' shows that only one quick mode exchange took place; crypto debug output on the Cisco shows the same.

Looking at this, it seems that the last entry in /etc/ipsec.conf has taken precedence over the others.

Is there a way to achieve what I'm trying to do, either using ipsecctl, or manually configuring isakmpd?

Thanks,

Brian Candler.

P.S. I can paste the IOS config if you like, but I'm pretty sure it is correct. I can set up multiple SAs from UDP port X to UDP port 1701 under Linux using setkey and racoon from ipsec-tools, and run separate l2tpd instances over them bound to separate ports.

Here is the output of ipsecctl:

# ipsecctl -F; ipsecctl -vvf /etc/ipsec.conf.4
@1
C set [Phase 1]:10.1.1.1=peer-10.1.1.1 force
C set [peer-10.1.1.1]:Phase=1 force
C set [peer-10.1.1.1]:Address=10.1.1.1 force
C set [peer-10.1.1.1]:Authentication=mypresharedkey force
C set [peer-10.1.1.1]:Configuration=mm-10.1.1.1 force
C set [mm-10.1.1.1]:EXCHANGE_TYPE=ID_PROT force
C add [mm-10.1.1.1]:Transforms=3DES-MD5-GRP2 force
C set [IPsec-10.1.1.6-10.1.1.1]:Phase=2 force
C set [IPsec-10.1.1.6-10.1.1.1]:ISAKMP-peer=peer-10.1.1.1 force
C set [IPsec-10.1.1.6-10.1.1.1]:Configuration=qm-10.1.1.6-10.1.1.1 force
C set [IPsec-10.1.1.6-10.1.1.1]:Local-ID=lid-10.1.1.6 force
C set [IPsec-10.1.1.6-10.1.1.1]:Remote-ID=rid-10.1.1.1 force
C set [qm-10.1.1.6-10.1.1.1]:EXCHANGE_TYPE=QUICK_MODE force
C set [qm-10.1.1.6-10.1.1.1]:Suites=QM-ESP-TRP-3DES-MD5-SUITE force
C set [lid-10.1.1.6]:ID-type=IPV4_ADDR force
C set [lid-10.1.1.6]:Address=10.1.1.6 force
C set [rid-10.1.1.1]:ID-type=IPV4_ADDR force
C set [rid-10.1.1.1]:Address=10.1.1.1 force
C set [lid-10.1.1.6]:Protocol=17 force
C set [rid-10.1.1.1]:Protocol=17 force
C set [lid-10.1.1.6]:Port=10000 force
C set [rid-10.1.1.1]:Port=1701 force
C add [Phase 2]:Connections=IPsec-10.1.1.6-10.1.1.1
@3
C set [Phase 1]:10.1.1.1=peer-10.1.1.1 force
C set [peer-10.1.1.1]:Phase=1 force
C set [peer-10.1.1.1]:Address=10.1.1.1 force
C set [peer-10.1.1.1]:Authentication=mypresharedkey force
C set [peer-10.1.1.1]:Configuration=mm-10.1.1.1 force
C set [mm-10.1.1.1]:EXCHANGE_TYPE=ID_PROT force
C add [mm-10.1.1.1]:Transforms=3DES-MD5-GRP2 force
C set [IPsec-10.1.1.6-10.1.1.1]:Phase=2 force
C set [IPsec-10.1.1.6-10.1.1.1]:ISAKMP-peer=peer-10.1.1.1 force
C set [IPsec-10.1.1.6-10.1.1.1]:Configuration=qm-10.1.1.6-10.1.1.1 force
C set [IPsec-10.1.1.6-10.1.1.1]:Local-ID=lid-10.1.1.6 force
C set [IPsec-10.1.1.6-10.1.1.1]:Remote-ID=rid-10.1.1.1 force
C set [qm-10.1.1.6-10.1.1.1]:EXCHANGE_TYPE=QUICK_MODE force
C set [qm-10.1.1.6-10.1.1.1]:Suites=QM-ESP-TRP-3DES-MD5-SUITE force
C set [lid-10.1.1.6]:ID-type=IPV4_ADDR force
C set [lid-10.1.1.6]:Address=10.1.1.6 force
C set [rid-10.1.1.1]:ID-type=IPV4_ADDR force
C set [rid-10.1.1.1]:Address=10.1.1.1 force
C set [lid-10.1.1.6]:Protocol=17 force
C set [rid-10.1.1.1]:Protocol=17 force
C set [lid-10.1.1.6]:Port=10001 force
C set [rid-10.1.1.1]:Port=1701 force
C add [Phase 2]:Connections=IPsec-10.1.1.6-10.1.1.1
@5
C set [Phase 1]:10.1.1.1=peer-10.1.1.1 force
C set [peer-10.1.1.1]:Phase=1 force
C set [peer-10.1.1.1]:Address=10.1.1.1 force
C set [peer-10.1.1.1]:Authentication=mypresharedkey force
C set [peer-10.1.1.1]:Configuration=mm-10.1.1.1 force
C set [mm-10.1.1.1]:EXCHANGE_TYPE=ID_PROT force
C add [mm-10.1.1.1]:Transforms=3DES-MD5-GRP2 force
C set [IPsec-10.1.1.6-10.1.1.1]:Phase=2 force
C set [IPsec-10.1.1.6-10.1.1.1]:ISAKMP-peer=peer-10.1.1.1 force
C set [IPsec-10.1.1.6-10.1.1.1]:Configuration=qm-10.1.1.6-10.1.1.1 force
C set [IPsec-10.1.1.6-10.1.1.1]:Local-ID=lid-10.1.1.6 force
C set [IPsec-10.1.1.6-10.1.1.1]:Remote-ID=rid-10.1.1.1 force
C set [qm-10.1.1.6-10.1.1.1]:EXCHANGE_TYPE=QUICK_MODE force
C set [qm-10.1.1.6-10.1.1.1]:Suites=QM-ESP-TRP-3DES-MD5-SUITE force
C set [lid-10.1.1.6]:ID-type=IPV4_ADDR force
C set [lid-10.1.1.6]:Address=10.1.1.6 force
C set [rid-10.1.1.1]:ID-type=IPV4_ADDR force
C set [rid-10.1.1.1]:Address=10.1.1.1 force
C set [lid-10.1.1.6]:Protocol=17 force
C set [rid-10.1.1.1]:Protocol=17 force
C set [lid-10.1.1.6]:Port=10002 force
C set [rid-10.1.1.1]:Port=1701 force
C add [Phase 2]:Connections=IPsec-10.1.1.6-10.1.1.1
@7
C set [Phase 1]:10.1.1.1=peer-10.1.1.1 force
C set [peer-10.1.1.1]:Phase=1 force
C set [peer-10.1.1.1]:Address=10.1.1.1 force
C set [peer-10.1.1.1]:Authentication=mypresharedkey force
C set [peer-10.1.1.1]:Configuration=mm-10.1.1.1 force
C set [mm-10.1.1.1]:EXCHANGE_TYPE=ID_PROT force
C add [mm-10.1.1.1]:Transforms=3DES-MD5-GRP2 force
C set [IPsec-10.1.1.6-10.1.1.1]:Phase=2 force
C set [IPsec-10.1.1.6-10.1.1.1]:ISAKMP-peer=peer-10.1.1.1 force
C set [IPsec-10.1.1.6-10.1.1.1]:Configuration=qm-10.1.1.6-10.1.1.1 force
C set [IPsec-10.1.1.6-10.1.1.1]:Local-ID=lid-10.1.1.6 force
C set [IPsec-10.1.1.6-10.1.1.1]:Remote-ID=rid-10.1.1.1 force
C set [qm-10.1.1.6-10.1.1.1]:EXCHANGE_TYPE=QUICK_MODE force
C set [qm-10.1.1.6-10.1.1.1]:Suites=QM-ESP-TRP-3DES-MD5-SUITE force
C set [lid-10.1.1.6]:ID-type=IPV4_ADDR force
C set [lid-10.1.1.6]:Address=10.1.1.6 force
C set [rid-10.1.1.1]:ID-type=IPV4_ADDR force
C set [rid-10.1.1.1]:Address=10.1.1.1 force
C set [lid-10.1.1.6]:Protocol=17 force
C set [rid-10.1.1.1]:Protocol=17 force
C set [lid-10.1.1.6]:Port=10003 force
C set [rid-10.1.1.1]:Port=1701 force
C add [Phase 2]:Connections=IPsec-10.1.1.6-10.1.1.1
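The ipsecctl -vv output above already contains the explanation for "the last entry wins": every rule emits Phase 2 sections named only after the two endpoint addresses (IPsec-10.1.1.6-10.1.1.1, qm-10.1.1.6-10.1.1.1, lid-10.1.1.6, rid-10.1.1.1), so rule @3 rewrites the same [lid-10.1.1.6]:Port that rule @1 set, and the same connection name is added to [Phase 2]:Connections four times. The script below is an added example of mine, not code from the post or from OpenBSD's ipsecctl or isakmpd: it parses the "C set/add" lines ipsecctl prints, reports which keys are overwritten with different values across rules and which connection names are added more than once, and then shows what a hand-written isakmpd.conf with one set of Phase 2 sections per rule could look like, for the "manually configuring isakmpd" route. The sample input is a constructed, shortened copy of two of the four rules above; the section-name suffix scheme (appending the local port, e.g. lid-10.1.1.6-10000) is my own assumption, and the example does not verify that isakmpd or the Cisco then negotiate four quick modes from such a file.

```python
"""Show why several ipsec.conf rules between the same hosts collapse into one
isakmpd connection, from the 'C set/add' lines that ipsecctl -vv prints.
Added example, not part of the original message or of OpenBSD."""
import re
from collections import defaultdict

# Constructed sample: two of the four rules from the post, trimmed to the
# lines that matter for the collision (ports 10000 and 10001 to 1701).
SAMPLE = """\
@1
C set [peer-10.1.1.1]:Address=10.1.1.1 force
C add [mm-10.1.1.1]:Transforms=3DES-MD5-GRP2 force
C set [IPsec-10.1.1.6-10.1.1.1]:Configuration=qm-10.1.1.6-10.1.1.1 force
C set [IPsec-10.1.1.6-10.1.1.1]:Local-ID=lid-10.1.1.6 force
C set [IPsec-10.1.1.6-10.1.1.1]:Remote-ID=rid-10.1.1.1 force
C set [qm-10.1.1.6-10.1.1.1]:Suites=QM-ESP-TRP-3DES-MD5-SUITE force
C set [lid-10.1.1.6]:Port=10000 force
C set [rid-10.1.1.1]:Port=1701 force
C add [Phase 2]:Connections=IPsec-10.1.1.6-10.1.1.1
@3
C set [peer-10.1.1.1]:Address=10.1.1.1 force
C add [mm-10.1.1.1]:Transforms=3DES-MD5-GRP2 force
C set [IPsec-10.1.1.6-10.1.1.1]:Configuration=qm-10.1.1.6-10.1.1.1 force
C set [IPsec-10.1.1.6-10.1.1.1]:Local-ID=lid-10.1.1.6 force
C set [IPsec-10.1.1.6-10.1.1.1]:Remote-ID=rid-10.1.1.1 force
C set [qm-10.1.1.6-10.1.1.1]:Suites=QM-ESP-TRP-3DES-MD5-SUITE force
C set [lid-10.1.1.6]:Port=10001 force
C set [rid-10.1.1.1]:Port=1701 force
C add [Phase 2]:Connections=IPsec-10.1.1.6-10.1.1.1
"""

LINE_RE = re.compile(r'^C (set|add) \[([^\]]+)\]:([^=]+)=(.*?)(?: force)?$')
RULE_RE = re.compile(r'^@(\d+)$')
# Phase 2 sections that ipsecctl names after the endpoint addresses only
PHASE2_PREFIXES = ('IPsec-', 'qm-', 'lid-', 'rid-')
# Keys whose value is the name of another Phase 2 section
REF_KEYS = ('Configuration', 'Local-ID', 'Remote-ID', 'Connections')


def parse(text):
    """Return (rule, op, section, key, value) tuples; rule is the @N number."""
    rule, entries = None, []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rule = int(m.group(1))
            continue
        m = LINE_RE.match(line)
        if m:
            entries.append((rule, m.group(1), m.group(2), m.group(3), m.group(4)))
    return entries


def find_overwrites(entries):
    """(section, key) pairs that different rules 'set' to different values;
    the last rule wins silently, which is the symptom seen in the post."""
    writes = defaultdict(list)
    for rule, op, sec, key, val in entries:
        if op == 'set':
            writes[(sec, key)].append((rule, val))
    return {k: v for k, v in writes.items() if len({val for _, val in v}) > 1}


def duplicate_connections(entries):
    """Connection names added to [Phase 2]:Connections more than once."""
    counts = defaultdict(int)
    for _, op, sec, key, val in entries:
        if op == 'add' and sec == 'Phase 2' and key == 'Connections':
            counts[val] += 1
    return {name: n for name, n in counts.items() if n > 1}


def rename_per_rule(entries):
    """Suffix each Phase 2 section name, and every reference to it, with the
    rule's local port so rules stop sharing sections. Phase 1 sections
    (peer-, mm-) stay shared. The suffix scheme is a hypothetical choice."""
    ports = {r: v for r, op, sec, key, v in entries
             if op == 'set' and sec.startswith('lid-') and key == 'Port'}

    def fix(name, rule):
        if name.startswith(PHASE2_PREFIXES) and rule in ports:
            return f'{name}-{ports[rule]}'
        return name

    return [(rule, op, fix(sec, rule), key,
             fix(val, rule) if key in REF_KEYS else val)
            for rule, op, sec, key, val in entries]


def to_isakmpd_conf(entries):
    """Render entries in isakmpd.conf section syntax: 'set' replaces a key,
    'add' appends to a comma-separated list, exact duplicates are dropped."""
    sections = {}
    for _, op, sec, key, val in entries:
        vals = sections.setdefault(sec, {}).setdefault(key, [])
        if op == 'set':
            vals[:] = [val]
        elif val not in vals:
            vals.append(val)
    lines = []
    for sec, keys in sections.items():
        lines.append(f'[{sec}]')
        lines.extend(f'{key}={",".join(vals)}' for key, vals in keys.items())
        lines.append('')
    return '\n'.join(lines)


if __name__ == '__main__':
    entries = parse(SAMPLE)
    for (sec, key), writes in find_overwrites(entries).items():
        print(f'[{sec}]:{key} rewritten by rules {writes}')
    print('added more than once:', duplicate_connections(entries))
    print(to_isakmpd_conf(rename_per_rule(entries)))
```

Run on the sample it reports [lid-10.1.1.6]:Port rewritten by rules 1 and 3 and IPsec-10.1.1.6-10.1.1.1 added twice, which is exactly the collapse to a single flow on port 10003 in the ipsecctl -s output. After renaming, each rule has its own IPsec-, qm-, lid- and rid- sections and [Phase 2] lists two connection names; feeding the real four-rule output through it gives four.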