Hey,
Can you UDP-encapsulate the IPSEC ESP packets?
I believe most IPSEC servers and clients can support this feature, which
also helps when going through NAT gateways.
http://www.faqs.org/rfcs/rfc3948.html
http://publib.boulder.ibm.com/iseries/v5r2/ic2924/index.htm?info/rzaja/rzajaudpencap.htm
Michael
Martin Hedenfalk wrote:
Hello misc,
I'm having problems with two IPsec tunnels from two different peers
behind the same NAT, to the same responder. All hosts are running
OpenBSD 4.1, including the NATing gateway. One peer can connect just
fine, but when the other tries to establish a tunnel (with a different
tunneled network), the first SA is just deleted. The two peers are now
continuously "competing". I get a lot of INVALID_COOKIE messages from
isakmpd.
It's the same problem as reported in this post:
http://archives.neohapsis.com/archives/openbsd/2007-05/0628.html
However, the "Shared-SADB" parameter mentioned doesn't have any effect for me.
I've sort of tracked this down to a call to sa_delete() in
ipsec_handle_leftover_payload() in src/sbin/isakmpd/ipsec.c. This
function calls sa_lookup_by_peer() which apparently matches both of my
SAs. I disabled the sa_delete() loop and now both of my SAs stay up
fine, but I'm not really sure what I've done.
Does anyone (developer?) have any thoughts about this?
TIA
/Martin
--
Michael Gale
Red Hat Certified Engineer
Network Administrator
Pason Systems Corp.
"What we need are more people who specialize in the impossible." -
Theodore Roethke
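An added illustration (not code from either poster, and not isakmpd's own logic) of the two points in this thread: how a receiver demultiplexes UDP port 4500 traffic under RFC 3948 (IKE behind the four-byte non-ESP marker, the one-byte 0xFF NAT keepalive, or UDP-encapsulated ESP), and why indexing SAs on the peer address alone is ambiguous once two peers sit behind one NAT. The packet list, the public address 198.51.100.7, the ports and the SPIs are all constructed; the "address-only" lookup is a simplified stand-in for the lookup Martin describes, not a claim about what sa_lookup_by_peer() actually compares.

```python
import struct
from collections import defaultdict

# RFC 3948: three kinds of payload share UDP port 4500.
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # sec. 2.2: four zero bytes where ESP's SPI would sit
NAT_KEEPALIVE = b"\xff"               # sec. 2.3: a single 0xFF byte

def classify_natt_payload(payload: bytes) -> dict:
    """Demultiplex one UDP/4500 payload into 'ike', 'keepalive', 'esp' or 'invalid'.
    This works because an ESP SPI of zero is reserved, so a real ESP header can
    never look like the non-ESP marker."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "keepalive"}
    if payload.startswith(NON_ESP_MARKER):
        return {"kind": "ike", "ike": payload[4:]}
    if len(payload) < 8:                  # too short for an ESP SPI + sequence number
        return {"kind": "invalid"}
    spi, seq = struct.unpack("!II", payload[:8])
    return {"kind": "esp", "spi": spi, "seq": seq}

def group_esp(packets, by_address_only: bool):
    """Index ESP packets the way a responder might look up SAs.
    packets: iterable of (src_ip, src_port, payload) tuples (constructed here).
    by_address_only=True keys on the peer address alone, which cannot separate two
    peers behind one NAT; False keys on (address, NAT-T source port, SPI)."""
    groups = defaultdict(list)
    for src_ip, src_port, payload in packets:
        info = classify_natt_payload(payload)
        if info["kind"] != "esp":
            continue
        key = src_ip if by_address_only else (src_ip, src_port, info["spi"])
        groups[key].append(info["seq"])
    return dict(groups)

# Constructed sample: peers A and B share the NAT's public address 198.51.100.7
# but arrive from different NAT-assigned source ports with different SPIs.
SAMPLE_PACKETS = [
    ("198.51.100.7", 4500, NON_ESP_MARKER + b"\x00" * 28),                        # IKE, peer A
    ("198.51.100.7", 4500, struct.pack("!II", 0x10000001, 1) + b"\x00" * 16),     # ESP, peer A
    ("198.51.100.7", 61000, struct.pack("!II", 0x20000002, 1) + b"\x00" * 16),    # ESP, peer B
    ("198.51.100.7", 4500, NAT_KEEPALIVE),                                        # keepalive
    ("198.51.100.7", 61000, struct.pack("!II", 0x20000002, 2) + b"\x00" * 16),    # ESP, peer B
]

if __name__ == "__main__":
    for _, port, payload in SAMPLE_PACKETS:
        print(port, classify_natt_payload(payload)["kind"])
    print(group_esp(SAMPLE_PACKETS, by_address_only=True))   # both peers collapse into one key
    print(group_esp(SAMPLE_PACKETS, by_address_only=False))  # one key per SA
```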