On Fri, Nov 24, 2006 at 09:45:45AM +0000, Brian Candler wrote:
> Looking at this, it seems that the last entry in /etc/ipsec.conf has taken
> precedence over the others.
> 
> Is there a way to achieve what I'm trying to do, either using ipsecctl, or
> manually configuring isakmpd?

To answer my own question: inspired by the output of ipsecctl, I wrote a
perl program (attached) to generate a suitable isakmpd.conf (also attached),
and this appears to work just fine.

It would be nice if ipsecctl could do this too. It could easily generate the
lid-addr-port and rid-addr-port sections; the only slightly awkward part is
having to generate the Connections list, i.e.

[phase 2]
Connections=IPsec-addr-port-addr-port,IPsec-addr-port-addr-port,...

Regards,

Brian.

[demime 1.01d removed an attachment of type text/x-perl]

[Phase 1]
10.1.1.1=peer-10.1.1.1

[peer-10.1.1.1]
Phase=1
Address=10.1.1.1
Authentication=mypresharedkey
Configuration=mm-10.1.1.1

[mm-10.1.1.1]
EXCHANGE_TYPE=ID_PROT
Transforms=3DES-MD5-GRP2

[qm-10.1.1.6-10.1.1.1]
EXCHANGE_TYPE=QUICK_MODE
Suites=QM-ESP-TRP-3DES-MD5-SUITE

# Phase 2: one connection per local UDP port, all to remote UDP port 1701
[Phase 2]
Connections=\
IPsec-10.1.1.6-10000-10.1.1.1-1701,\
IPsec-10.1.1.6-10001-10.1.1.1-1701,\
IPsec-10.1.1.6-10002-10.1.1.1-1701,\
IPsec-10.1.1.6-10003-10.1.1.1-1701

[IPsec-10.1.1.6-10000-10.1.1.1-1701]
Phase=2
ISAKMP-peer=peer-10.1.1.1
Configuration=qm-10.1.1.6-10.1.1.1
Local-ID=lid-10.1.1.6-10000
Remote-ID=rid-10.1.1.1-1701

[IPsec-10.1.1.6-10001-10.1.1.1-1701]
Phase=2
ISAKMP-peer=peer-10.1.1.1
Configuration=qm-10.1.1.6-10.1.1.1
Local-ID=lid-10.1.1.6-10001
Remote-ID=rid-10.1.1.1-1701

[IPsec-10.1.1.6-10002-10.1.1.1-1701]
Phase=2
ISAKMP-peer=peer-10.1.1.1
Configuration=qm-10.1.1.6-10.1.1.1
Local-ID=lid-10.1.1.6-10002
Remote-ID=rid-10.1.1.1-1701

[IPsec-10.1.1.6-10003-10.1.1.1-1701]
Phase=2
ISAKMP-peer=peer-10.1.1.1
Configuration=qm-10.1.1.6-10.1.1.1
Local-ID=lid-10.1.1.6-10003
Remote-ID=rid-10.1.1.1-1701

# Local IDs: same address, one section per source port (Protocol 17 = UDP)
[lid-10.1.1.6-10000]
ID-type=IPV4_ADDR
Address=10.1.1.6
Protocol=17
Port=10000

[lid-10.1.1.6-10001]
ID-type=IPV4_ADDR
Address=10.1.1.6
Protocol=17
Port=10001

[lid-10.1.1.6-10002]
ID-type=IPV4_ADDR
Address=10.1.1.6
Protocol=17
Port=10002

[lid-10.1.1.6-10003]
ID-type=IPV4_ADDR
Address=10.1.1.6
Protocol=17
Port=10003

[rid-10.1.1.1-1701]
ID-type=IPV4_ADDR
Address=10.1.1.1
Protocol=17
Port=1701
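The Perl generator was stripped by the list software. As an added example (not Brian's script and not part of OpenBSD or isakmpd), the Python below produces the same layout as the attached isakmpd.conf from a list of local ports: the per-port Connections list with backslash continuations, one IPsec-... section per port, one lid-... section per port and a single rid-... section. It also includes a small reader that joins the continued lines and checks that every name referenced from Connections, ISAKMP-peer, Configuration, Local-ID and Remote-ID has a section of its own, since a dangling reference only shows up when isakmpd tries to negotiate that connection. The function names, the argument list of `gen_isakmpd_conf`, and the sample addresses and ports are this example's own assumptions.

```python
"""Generate an isakmpd.conf(5) with one phase-2 connection per local UDP port.

Added example; not the original poster's Perl script and not OpenBSD code.
Section names mirror the config attached to the mail; everything else
(function names, signature, sample values) is this example's assumption.
"""

UDP = 17  # IP protocol number written into the Protocol= lines


def section(name, items):
    """Render one [name] section from an ordered list of (key, value) pairs."""
    return "[%s]\n" % name + "".join("%s=%s\n" % (k, v) for k, v in items)


def gen_isakmpd_conf(local, peer, local_ports, remote_port, psk,
                     proto=UDP, mm_transform="3DES-MD5-GRP2",
                     qm_suite="QM-ESP-TRP-3DES-MD5-SUITE"):
    """Return isakmpd.conf text: one phase-2 connection per port in local_ports."""
    peer_sec = "peer-%s" % peer
    mm_sec = "mm-%s" % peer
    qm_sec = "qm-%s-%s" % (local, peer)
    rid = "rid-%s-%d" % (peer, remote_port)
    conns = ["IPsec-%s-%d-%s-%d" % (local, p, peer, remote_port)
             for p in local_ports]

    out = [section("Phase 1", [(peer, peer_sec)]),
           section(peer_sec, [("Phase", 1), ("Address", peer),
                              ("Authentication", psk),
                              ("Configuration", mm_sec)]),
           section(mm_sec, [("EXCHANGE_TYPE", "ID_PROT"),
                            ("Transforms", mm_transform)]),
           section(qm_sec, [("EXCHANGE_TYPE", "QUICK_MODE"),
                            ("Suites", qm_suite)])]
    # The attached config relies on a trailing backslash continuing the
    # Connections= line across several lines; keep that layout.
    out.append("[Phase 2]\nConnections=\\\n" + ",\\\n".join(conns) + "\n")
    for p, c in zip(local_ports, conns):
        out.append(section(c, [("Phase", 2), ("ISAKMP-peer", peer_sec),
                               ("Configuration", qm_sec),
                               ("Local-ID", "lid-%s-%d" % (local, p)),
                               ("Remote-ID", rid)]))
    for p in local_ports:
        out.append(section("lid-%s-%d" % (local, p),
                           [("ID-type", "IPV4_ADDR"), ("Address", local),
                            ("Protocol", proto), ("Port", p)]))
    out.append(section(rid, [("ID-type", "IPV4_ADDR"), ("Address", peer),
                             ("Protocol", proto), ("Port", remote_port)]))
    return "\n".join(out)


def parse_isakmpd_conf(text):
    """Minimal reader for the [section] / key=value format.

    Backslash-continued lines are joined first, so Connections= comes back
    as one comma-separated string.  Returns {section: {key: value}}.
    """
    sections, cur = {}, None
    for raw in text.replace("\\\n", "").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1]
            sections[cur] = {}
        else:
            k, _, v = line.partition("=")
            sections[cur][k.strip()] = v.strip()
    return sections


def dangling_refs(sections):
    """Names referenced by Connections or by ISAKMP-peer/Configuration/
    Local-ID/Remote-ID that have no section of their own.  isakmpd cannot
    bring up a connection with such a hole, so catch it before loading."""
    missing = []
    for name in sections.get("Phase 2", {}).get("Connections", "").split(","):
        name = name.strip()
        if name and name not in sections:
            missing.append(name)
    for body in sections.values():
        for key in ("ISAKMP-peer", "Configuration", "Local-ID", "Remote-ID"):
            if key in body and body[key] not in sections:
                missing.append(body[key])
    return missing


if __name__ == "__main__":
    # Sample values copied from the attached config (constructed input).
    conf = gen_isakmpd_conf("10.1.1.6", "10.1.1.1",
                            [10000, 10001, 10002, 10003], 1701,
                            "mypresharedkey")
    print(conf)
    print("dangling references:", dangling_refs(parse_isakmpd_conf(conf)))
```

Running it with the values above reproduces the attached file section for section; `dangling_refs` on the result is empty, and deleting any lid-... section makes it show up by name.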
