Re: [leaf-user] IPSEC subnet routing
Troy

Troy Aden wrote:

> Hello all, This may seem a silly question but I have not been able to find any info in any how-to or docs and I am hoping someone here can help me out.
>
> http://www.freeswan.org/freeswan_trees/freeswan-1.98b/doc/manpage.d/ipsec.conf.5.html
>
> The question is: How do I set up the IPSEC config so that I route only specific subnets over the IPSEC tunnel? Currently, I have set it up by simply using a large subnet mask that encompasses all the networks on either side of the link (see my example below). The problem is that I need to be more granular now and only route specific subnets over the link. I have played with it for a while now and I can't seem to have more than one subnet declaration in my default conn statement. For example, let's say I want only 192.168.130.0/24 and 192.168.134.0/24 to get routed over the IPSEC on router A and I only want 172.31.0.0/16 and 172.161.0.0/16 on router B. These are the only subnets I would like to be able to communicate over the IPSEC link... Is there a clean way to do this? Please have a look at my configs below and let me know how I should do this.

Define a single connection for each subnet. You can use the also= statement to include common parameters, e.g.

    conn xx
        also=common_conn_params
        rightsubnet=10.0.0.32/27
        auto=add

    conn common_conn_params
        left=xx.yy.zz.nn
        leftsubnet=aa.bb.cc.dd/nn
        ..

cheers

Erich

---
This SF.Net email is sponsored by: InterSystems CACHE
FREE OODBMS DOWNLOAD - A multidimensional database that combines robust object and relational technologies, making it a perfect match for Java, C++, COM, XML, ODBC and JDBC. www.intersystems.com/match8
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
RE: [leaf-user] IPSEC subnet routing
First of all, thanks so much for the quick reply! I am sorry to bug you a second time but I need some baby steps here.

Can you please give me an example with the configs I provided. I need to see the "also=common_conn_params" in terms of my config.

For example, if I had 192.168.161.0/24, 192.168.162.0/24, 192.168.163.0/24 networks on router A side, and I wanted Router B to connect to ONLY those subnets. Can you please type in "exactly" what I would need on both router A (S'toon) and router B (Victoria). From that, I should be able to figure out what I need to do to be more precise about the Router B networks within the 172.0.0.0/8 range.

Again, thanks in advance!!! Sorry to be a pain.

Troy.

Router A (S'toon)

    # basic configuration
    config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces=%defaultroute
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
        # Use auto= parameters in conn descriptions to control startup actions.
        plutoload=%search
        plutostart=%search
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes

    # defaults for subsequent connection descriptions
    conn %default
        # How persistent to be in (re)keying negotiations (0 means very).
        keyingtries=0
        # RSA authentication with keys from DNS.
        authby=secret
        right=135.115.157.162
        rightsubnet=192.168.0.0/16
        rightnexthop=135.115.157.224
        pfs=yes

    conn block
        auto=ignore

    conn private
        auto=ignore

    conn private-or-clear
        auto=ignore

    conn clear
        auto=ignore

    conn packetdefault
        auto=ignore

    conn victoria
        left=24.35.38.129
        leftsubnet=172.0.0.0/8
        leftnexthop=24.35.38.1
        esp=aes
        auto=start

Router B (Victoria)

    # basic configuration
    config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces=%defaultroute
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
        # Use auto= parameters in conn descriptions to control startup actions.
        plutoload=%search
        plutostart=%search
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes

    # defaults for subsequent connection descriptions
    conn %default
        # How persistent to be in (re)keying negotiations (0 means very).
        keyingtries=0
        # RSA authentication with keys from DNS.
        authby=secret
        right=24.35.38.129
        rightsubnet=172.0.0.0/8
        rightnexthop=24.35.38.1
        pfs=yes

    conn block
        auto=ignore

    conn private
        auto=ignore

    conn private-or-clear
        auto=ignore

    conn clear
        auto=ignore

    conn packetdefault
        auto=ignore

    conn stoon
        left=135.115.157.162
        leftsubnet=192.168.0.0/16
        leftnexthop=135.115.157.224
        esp=aes
        auto=start

-----Original Message-----
From: Erich Titl [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 15, 2004 2:33 PM
To: Troy Aden
Cc: Leaf-User (E-mail)
Subject: Re: [leaf-user] IPSEC subnet routing

Troy

Troy Aden wrote:
> Hello all, This may seem a silly question but I have not been able to find any info in any how-to or docs and I am hoping someone here can help me out.
>
> http://www.freeswan.org/freeswan_trees/freeswan-1.98b/doc/manpage.d/ipsec.conf.5.html
>
> The question is: How do I set up the IPSEC config so that I route only specific subnets over the IPSEC tunnel? Currently, I have set it up by simply using a large subnet mask that encompasses all the networks on either side of the link (see my example below). The problem is that I need to be more granular now and only route specific subnets over the link. I have played with it for a while now and I can't seem to have more than one subnet declaration in my default conn statement. For example, let's say I want only 192.168.130.0/24 and 192.168.134.0/24 to get routed over the IPSEC on router A and I only want 172.31.0.0/16 and 172.161.0.0/16 on router B. These are the only subnets I would like to be able to communicate over the IPSEC link... Is there a clean way to do this? Please have a look at my configs below and let me know how I should do this.

Define a single connection for each subnet. You can use the also= statement to include common parameters, e.g.

    conn xx
        also=common_conn_params
        rightsubnet=10.0.0.32/27
        auto=add

    conn common_conn_params
        left=xx.yy.zz.nn
        leftsubnet=aa.bb.cc.dd/nn
        ..

cheers

Erich

---
Re: [leaf-user] IPSEC subnet routing
For the "also" parameter:

    # defaults for subsequent connection descriptions
    conn %default
        # How persistent to be in (re)keying negotiations (0 means very).
        keyingtries=0
        # RSA authentication with keys from DNS.
        authby=secret
        right=135.115.157.162
        rightsubnet=192.168.0.0/16
        rightnexthop=135.115.157.224
        pfs=yes

    conn block
        auto=ignore

    conn private
        also=block

    conn private-or-clear
        also=block

    conn clear
        also=block

    conn packetdefault
        also=block

    conn victoria
        left=24.35.38.129
        leftsubnet=172.0.0.0/8
        leftnexthop=24.35.38.1
        esp=aes
        auto=start

For the subnets, you can specify a leftsubnet=192.168.160/22, but the subnet 192.168.160.0/24 will be routed too. I don't know any other manner to specify several subnets for one connection. You can perhaps specify several connections:

    conn victoria_1
        left=24.35.38.129
        leftsubnet=192.168.161.0/24
        leftnexthop=24.35.38.1
        esp=aes
        auto=start

    conn victoria_2
        also=victoria_1
        leftsubnet=192.168.162.0/24

    conn victoria_3
        also=victoria_1
        leftsubnet=192.168.163.0/24

But I never tested it, and I find it not very "elegant"...

Fabrice

Troy Aden wrote:
> First of all, thanks so much for the quick reply! I am sorry to bug you a second time but I need some baby steps here.
>
> Can you please give me an example with the configs I provided. I need to see the "also=common_conn_params" in terms of my config.
>
> For example, if I had 192.168.161.0/24, 192.168.162.0/24, 192.168.163.0/24 networks on router A side, and I wanted Router B to connect to ONLY those subnets. Can you please type in "exactly" what I would need on both router A (S'toon) and router B (Victoria). From that, I should be able to figure out what I need to do to be more precise about the Router B networks within the 172.0.0.0/8 range.
>
> Again, thanks in advance!!! Sorry to be a pain.
>
> Troy.
RE: [leaf-user] IPSEC subnet routing
Troy

It is a bit confusing for me, as I am always using left for the local system, right for the remote.

Assumptions

S'Toon
external IP address 135.115.157.162
internal networks 192.168.161.0/24 192.168.162.0/24 192.168.163.0/24

Victoria
external IP address 24.35.38.129
internal network 172.0.0.0/8

Please observe the difference in auto= between the two systems, only one should start the connection.

At 18:59 15.11.2004 -0600, Troy Aden wrote:
> First of all, thanks so much for the quick reply! I am sorry to bug you a second time but I need some baby steps here.
> Can you please give me an example with the configs I provided. I need to see the "also=common_conn_params" in terms of my config.
> For example, if I had 192.168.161.0/24, 192.168.162.0/24, 192.168.163.0/24 networks on router A side, and I wanted Router B to connect to ONLY those subnets. Can you please type in "exactly" what I would need on both router A (S'toon) and router B (Victoria). From that, I should be able to figure out what I need to do to be more precise about the Router B networks within the 172.0.0.0/8 range.
>
> Again, thanks in advance!!! Sorry to be a pain.
>
> Troy.

Router A (S'toon)

    # basic configuration
    config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces=%defaultroute
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
        # Use auto= parameters in conn descriptions to control startup actions.
        plutoload=%search
        plutostart=%search
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes

    # defaults for subsequent connection descriptions
    conn %default
        # How persistent to be in (re)keying negotiations (0 means very).
        keyingtries=0
        # RSA authentication with keys from DNS.
        authby=secret
        pfs=yes

    conn block
        auto=ignore

    conn private
        auto=ignore

    conn private-or-clear
        auto=ignore

    conn clear
        auto=ignore

    conn packetdefault
        auto=ignore

    conn victoria
        right=%defaultroute
        left=24.35.38.129
        leftsubnet=172.0.0.0/8
        esp=aes
        auto=start

    conn victoria_1
        also=victoria
        rightsubnet=192.168.161.0/24

    conn victoria_2
        also=victoria
        rightsubnet=192.168.162.0/24

    conn victoria_2
        also=victoria
        rightsubnet=192.168.163.0/24

Router B (Victoria)

    # basic configuration
    config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces=%defaultroute
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
        # Use auto= parameters in conn descriptions to control startup actions.
        plutoload=%search
        plutostart=%search
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes

    # defaults for subsequent connection descriptions
    conn %default
        # How persistent to be in (re)keying negotiations (0 means very).
        keyingtries=0
        # RSA authentication with keys from DNS.
        authby=secret
        pfs=yes

    conn block
        auto=ignore

    conn private
        auto=ignore

    conn private-or-clear
        auto=ignore

    conn clear
        auto=ignore

    conn packetdefault
        auto=ignore

    conn stoon
        right=%defaultroute
        rightsubnet=172.0.0.0/8
        left=135.115.157.162
        esp=aes
        auto=add

    conn stoon_1
        also=stoon
        leftsubnet=192.168.161.0/24

    conn stoon_1
        also=stoon
        leftsubnet=192.168.162.0/24

    conn stoon_1
        also=stoon
        leftsubnet=192.168.163.0/24

HTH

Erich

THINK
Püntenstrasse 39
8143 Stallikon
mailto:[EMAIL PROTECTED]
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16
Re: [leaf-user] IPSEC subnet routing
Looking at my mail there are a few typos. Long live cut and paste :-(

Erich Titl wrote:
> Troy
>
> It is a bit confusing for me, as I am always using left for the local system, right for the remote.
>
> Assumptions
>
> S'Toon
> external IP address 135.115.157.162
> internal networks 192.168.161.0/24 192.168.162.0/24 192.168.163.0/24
>
> Victoria
> external IP address 24.35.38.129
> internal network 172.0.0.0/8
>
> Please observe the difference in auto= between the two systems, only one should start the connection.
>
> At 18:59 15.11.2004 -0600, Troy Aden wrote:
>> First of all, thanks so much for the quick reply! I am sorry to bug you a second time but I need some baby steps here.
>> Can you please give me an example with the configs I provided. I need to see the "also=common_conn_params" in terms of my config.
>> For example, if I had 192.168.161.0/24, 192.168.162.0/24, 192.168.163.0/24 networks on router A side, and I wanted Router B to connect to ONLY those subnets. Can you please type in "exactly" what I would need on both router A (S'toon) and router B (Victoria). From that, I should be able to figure out what I need to do to be more precise about the Router B networks within the 172.0.0.0/8 range.
>>
>> Again, thanks in advance!!! Sorry to be a pain.
>>
>> Troy.
>
> Router A (S'toon)
>
>     # basic configuration
>     config setup
>         # THIS SETTING MUST BE CORRECT or almost nothing will work;
>         # %defaultroute is okay for most simple cases.
>         interfaces=%defaultroute
>         # Debug-logging controls: "none" for (almost) none, "all" for lots.
>         klipsdebug=none
>         plutodebug=none
>         # Use auto= parameters in conn descriptions to control startup actions.
>         plutoload=%search
>         plutostart=%search
>         # Close down old connection when new one using same ID shows up.
>         uniqueids=yes
>
>     # defaults for subsequent connection descriptions
>     conn %default
>         # How persistent to be in (re)keying negotiations (0 means very).
>         keyingtries=0
>         # RSA authentication with keys from DNS.
>         authby=secret
>         pfs=yes
>
>     conn block
>         auto=ignore
>
>     conn private
>         auto=ignore
>
>     conn private-or-clear
>         auto=ignore
>
>     conn clear
>         auto=ignore
>
>     conn packetdefault
>         auto=ignore
>
>     conn victoria
>         right=%defaultroute
>         left=24.35.38.129
>         leftsubnet=172.0.0.0/8
>         esp=aes
>         auto=start
>
>     conn victoria_1
>         also=victoria
>         rightsubnet=192.168.161.0/24
>
>     conn victoria_2
>         also=victoria
>         rightsubnet=192.168.162.0/24
>
>     conn victoria_3
>         also=victoria
>         rightsubnet=192.168.163.0/24
>
> Router B (Victoria)
>
>     # basic configuration
>     config setup
>         # THIS SETTING MUST BE CORRECT or almost nothing will work;
>         # %defaultroute is okay for most simple cases.
>         interfaces=%defaultroute
>         # Debug-logging controls: "none" for (almost) none, "all" for lots.
>         klipsdebug=none
>         plutodebug=none
>         # Use auto= parameters in conn descriptions to control startup actions.
>         plutoload=%search
>         plutostart=%search
>         # Close down old connection when new one using same ID shows up.
>         uniqueids=yes
>
>     # defaults for subsequent connection descriptions
>     conn %default
>         # How persistent to be in (re)keying negotiations (0 means very).
>         keyingtries=0
>         # RSA authentication with keys from DNS.
>         authby=secret
>         pfs=yes
>
>     conn block
>         auto=ignore
>
>     conn private
>         auto=ignore
>
>     conn private-or-clear
>         auto=ignore
>
>     conn clear
>         auto=ignore
>
>     conn packetdefault
>         auto=ignore
>
>     conn stoon
>         right=%defaultroute
>         rightsubnet=172.0.0.0/8
>         left=135.115.157.162
>         esp=aes
>         auto=add
>
>     conn stoon_1
>         also=stoon
>         leftsubnet=192.168.161.0/24
>
>     conn stoon_2
>         also=stoon
>         leftsubnet=192.168.162.0/24
>
>     conn stoon_3
>         also=stoon
>         leftsubnet=192.168.163.0/24
>
> HTH
>
> Erich
>
> THINK
> Püntenstrasse 39
> 8143 Stallikon
> mailto:[EMAIL PROTECTED]
> PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16
Re: [leaf-user] IPSEC subnet routing
Erich Titl wrote:
> Troy
>
> Troy Aden wrote:
>> Hello all, This may seem a silly question but I have not been able to find any info in any how-to or docs and I am hoping someone here can help me out.
>>
>> http://www.freeswan.org/freeswan_trees/freeswan-1.98b/doc/manpage.d/ipsec.conf.5.html
>>
>> The question is: How do I set up the IPSEC config so that I route only specific subnets over the IPSEC tunnel? Currently, I have set it up by simply using a large subnet mask that encompasses all the networks on either side of the link (see my example below). The problem is that I need to be more granular now and only route specific subnets over the link. I have played with it for a while now and I can't seem to have more than one subnet declaration in my default conn statement. For example, let's say I want only 192.168.130.0/24 and 192.168.134.0/24 to get routed over the IPSEC on router A and I only want 172.31.0.0/16 and 172.161.0.0/16 on router B. These are the only subnets I would like to be able to communicate over the IPSEC link... Is there a clean way to do this? Please have a look at my configs below and let me know how I should do this.
>
> Define a single connection for each subnet. You can use the also= statement to include common parameters, e.g.
>
>     conn xx
>         also=common_conn_params
>         rightsubnet=10.0.0.32/27
>         auto=add
>
>     conn common_conn_params
>         left=xx.yy.zz.nn
>         leftsubnet=aa.bb.cc.dd/nn
>         ..

Another option for complex routing problems with IPSec is to switch to using host-host tunnels, with another tunneling protocol on top of IPSec (typically GRE). You can then run routing protocols like RIP or BGP across the GRE tunnels, or use the kernel routing tables (rather than the IPSec configuration) to set up all your subnet routing (if it's not complex or dynamic enough to require a routing protocol).

There's a nice picture of the basic idea on the Cisco website:
http://www.cisco.com/warp/public/707/gre_ipsec_ospf.html#diag

--
Charles Steinkuehler
[EMAIL PROTECTED]
RE: [leaf-user] IPSEC subnet routing
Hello again. I have fought with this for a week now and I must be missing something.

First of all, if I use a conn statement that has "%defaultroute" for right=, I get an error that the statement does not exist. However, if I use a right=(IP) and rightnexthop=(gateway), the conn statement works fine. Can anyone explain this?

But... None of the conn statements below work. My guess is that the conn statements that contain the "also=" parameter must be missing something. So I added esp=aes and auto=start or auto=add depending on the side of the connection. Still no joy.

Can anyone please tell me what I am doing wrong here? If you need error logs, I can provide them.

Thanks in advance!

Troy.

-----Original Message-----
From: Erich Titl [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 16, 2004 3:30 AM
Cc: Troy Aden; Leaf-User (E-mail)
Subject: Re: [leaf-user] IPSEC subnet routing

Looking at my mail there are a few typos. Long live cut and paste :-(

Erich Titl wrote:
> Troy
>
> It is a bit confusing for me, as I am always using left for the local system, right for the remote.
>
> Assumptions
>
> S'Toon
>
> external IP address 135.115.157.162
> internal networks 192.168.161.0/24 192.168.162.0/24 192.168.163.0/24
>
> Victoria
> external IP address 24.35.38.129
> internal network 172.0.0.0/8
>
> Please observe the difference in auto= between the two systems, only one should start the connection.
>
> At 18:59 15.11.2004 -0600, Troy Aden wrote:
>> First of all, thanks so much for the quick reply! I am sorry to bug you a second time but I need some baby steps here.
>> Can you please give me an example with the configs I provided. I need to see the "also=common_conn_params" in terms of my config.
>> For example, if I had 192.168.161.0/24, 192.168.162.0/24, 192.168.163.0/24 networks on router A side, and I wanted Router B to connect to ONLY those subnets. Can you please type in "exactly" what I would need on both router A (S'toon) and router B (Victoria). From that, I should be able to figure out what I need to do to be more precise about the Router B networks within the 172.0.0.0/8 range.
>>
>> Again, thanks in advance!!! Sorry to be a pain.
>>
>> Troy.
Re: [leaf-user] IPSEC subnet routing
Troy

Troy Aden wrote:
> Hello again. I have fought with this for a week now and I must be missing something.
>
> First of all, if I use a conn statement that has "%defaultroute" for right=, I get an error that the statement does not exist. However, if I use a right=(IP) and rightnexthop=(gateway), the conn statement works fine. Can anyone explain this?
>
> But... None of the conn statements below work. My guess is that the conn statements that contain the "also=" parameter must be missing something. So I added esp=aes and auto=start or auto=add depending on the side of the connection. Still no joy.
>
> Can anyone please tell me what I am doing wrong here? If you need error logs, I can provide them.

try to put the connection referenced to by the also statement at the end of your file

here are the files I use, it's still 1.99 but it should not matter

kerberos

    # /etc/ipsec.conf - FreeS/WAN IPsec configuration file

    # More elaborate and more varied sample configurations can be found
    # in FreeS/WAN's doc/examples file, and in the HTML documentation.

    # basic configuration
    config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces=%defaultroute
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
        #plutodebug=all
        # Use auto= parameters in conn descriptions to control startup actions.
        plutoload=%search
        plutostart=%search
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes

    # defaults for subsequent connection descriptions
    conn %default
        # How persistent to be in (re)keying negotiations (0 means very).
        keyingtries=0
        # RSA authentication with keys from DNS.
        authby=rsasig
        leftrsasigkey=%dns
        rightrsasigkey=%dns

    include /etc/ipsec.d/connections/test

> /etc/ipsec.d/connections/test

    #
    # this is the barebone description of multiple connections through
    # the same ipsec endpoints
    #
    conn test_to_dmz
        also=test
        leftsubnet=195.141.2.160/27
        auto=add

    conn test
        ike=aes
        esp=aes
        left=%defaultroute
        leftcert=aspcert.pem
        leftrsasigkey=%cert
        right=%any
        rightsubnet=10.250.99.0/24
        rightrsasigkey=%cert
        rightid="C=CH,L=Schlieren,O=RUF Gruppe,OU=ASP Plus,CN=test.asp.ruf.ch"
        keylife=10m
        rekeymargin=3m
        rekeyfuzz=150%

> right = remote
> left = local

HTH

Erich
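Added example, not code from the LEAF or FreeS/WAN projects, covering the layout Erich's replies converge on (one conn per subnet pair, shared values pulled in with also=, the also= target placed after its users) and his note that only one side should auto=start. The gateway names, addresses and subnets are constructed from the thread; left= is the local side, as Erich uses it; the shared template carries no auto=, relying on FreeS/WAN's default auto=ignore so plutoload/plutostart=%search leave it alone.

```python
# Added example (not LEAF/FreeS/WAN code): render the per-subnet conn layout
# from the thread, then lint ipsec.conf text for an also= target that is
# missing or defined before its user, and for a subnet pair both ends start.
from itertools import product
import ipaddress
import re


def render_conns(local, remote, initiator):
    """Conn sections for the ipsec.conf on `local` (left=), peering with
    `remote` (right=); each is a dict with name, addr, nexthop, subnets.
    The shared template is named after the remote gateway and written last,
    so the also= target follows its users (Erich's advice).  It has no auto=,
    so %search skips it (assumes the FreeS/WAN default auto=ignore)."""
    lines = []
    for i, (ls, rs) in enumerate(product(local["subnets"], remote["subnets"]), 1):
        lines += [f"conn {remote['name']}_{i}", f"\talso={remote['name']}",
                  f"\tleftsubnet={ipaddress.ip_network(ls)}",  # validates CIDR
                  f"\trightsubnet={ipaddress.ip_network(rs)}",
                  f"\tauto={'start' if initiator else 'add'}", ""]
    lines += [f"conn {remote['name']}", f"\tleft={local['addr']}",
              f"\tleftnexthop={local['nexthop']}", f"\tright={remote['addr']}",
              f"\trightnexthop={remote['nexthop']}",
              "\tauthby=secret", "\tpfs=yes", "\tesp=aes"]
    return "\n".join(lines) + "\n"


def parse_conns(text):
    """[(name, {param: value})] in file order; config setup etc. are skipped."""
    conns, cur = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = re.match(r"conn\s+(\S+)\s*$", line)
        if m:
            cur = {}
            conns.append((m.group(1), cur))
        elif line[0] in " \t" and cur is not None and "=" in line:
            key, val = line.strip().split("=", 1)
            cur[key.strip()] = val.strip()
        else:
            cur = None  # a non-conn block such as "config setup"
    return conns


def lint_also(text):
    """Problems with also= references in one gateway's ipsec.conf."""
    conns = parse_conns(text)
    pos = {name: i for i, (name, _) in enumerate(conns)}
    problems = []
    for i, (name, params) in enumerate(conns):
        target = params.get("also")
        if target is None:
            continue
        if target not in pos:
            problems.append(f"{name}: also={target} names a section that does not exist")
        elif pos[target] < i:
            problems.append(f"{name}: also={target} is defined before its user; move it to the end")
    return problems


def double_start(text_a, text_b):
    """Subnet pairs both gateways would auto=start (only one side should).
    One level of also= is folded in; left/right swap between the two files,
    so each pair is compared as an unordered set of the two subnets."""
    starts = []
    for text in (text_a, text_b):
        conns = dict(parse_conns(text))
        pairs = set()
        for p in conns.values():
            eff = {**conns.get(p.get("also"), {}), **p}  # own values win
            if eff.get("auto") == "start" and "leftsubnet" in eff:
                pairs.add(frozenset((eff["leftsubnet"], eff.get("rightsubnet"))))
        starts.append(pairs)
    return sorted(tuple(sorted(s)) for s in starts[0] & starts[1])


# Constructed inputs using the thread's addresses; hypothetical, not live data.
STOON = {"name": "stoon", "addr": "135.115.157.162", "nexthop": "135.115.157.224",
         "subnets": ["192.168.161.0/24", "192.168.162.0/24", "192.168.163.0/24"]}
VICTORIA = {"name": "victoria", "addr": "24.35.38.129", "nexthop": "24.35.38.1",
            "subnets": ["172.31.0.0/16"]}
```

Running render_conns(STOON, VICTORIA, True) and render_conns(VICTORIA, STOON, False) gives the two ipsec.conf fragments; lint_also on either returns no problems and double_start on the pair returns nothing, while a file that places conn victoria before conn victoria_1 is reported.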