IPsec: The same srcid, dstid and peer for multiple tunnels
Hi,

Is it possible to have two or more subnets, each configured with the same
srcid, dstid and peer? Currently I cannot make it work. It works only for
the first subnet in the roadwarrior config file. Is it possible at all, no
matter what IPsec implementation I would like to use?

# router: /etc/ipsec.conf(5)
ike passive esp tunnel \
    from 172.16.0.0/16 to any \
    srcid net4511.example.com
ike passive esp tunnel \
    from 192.168.1.0/24 to any \
    srcid net4511.example.com
ike passive esp tunnel \
    from 192.168.2.0/24 to any \
    srcid net4511.example.com
ike passive esp tunnel \
    from 192.168.3.0/24 to any \
    srcid net4511.example.com

# roadwarrior: /etc/ipsec.conf(5)
ike dynamic esp tunnel \
    from egress to 172.16.0.0/16 \
    peer net4511.example.com \
    srcid x40.openbsd.home.lan dstid net4511.example.com
ike dynamic esp tunnel \
    from egress to 192.168.3.0/24 \
    peer net4511.example.com \
    srcid x40.openbsd.home.lan dstid net4511.example.com

Both systems are not older than:

# sysctl -n kern.version
OpenBSD 4.4-current (GENERIC) #1050: Wed Sep 10 12:18:05 MDT 2008
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC

-- 
best regards
q#
Re: IPsec: The same srcid, dstid and peer for multiple tunnels
On Fri, Nov 21, 2008 at 02:52:53PM +, Mikolaj Kucharski wrote:
> Hi,
>
> Is it possible to have two or more subnets, each configured with the
> same srcid, dstid and peer? Currently I cannot make it work. It works
> only for the first subnet in the roadwarrior config file. Is it possible
> at all, no matter what IPsec implementation I would like to use?

Thanks Mitja. To resolve my problem, the config on the router should look
like:

# router: /etc/ipsec.conf(5)
ike passive esp tunnel \
    from { \
        172.16.0.0/16 \
        192.168.1.0/24 \
        192.168.2.0/24 \
        192.168.3.0/24 \
    } to any \
    srcid net4511.example.com

Roadwarriors don't need to change anything. They can have multiple tunnels
defined separately.

> # roadwarrior: /etc/ipsec.conf(5)
> ike dynamic esp tunnel \
>     from egress to 172.16.0.0/16 \
>     peer net4511.example.com \
>     srcid x40.openbsd.home.lan dstid net4511.example.com
> ike dynamic esp tunnel \
>     from egress to 192.168.3.0/24 \
>     peer net4511.example.com \
>     srcid x40.openbsd.home.lan dstid net4511.example.com

-- 
best regards
q#
Re: IPsec: The same srcid, dstid and peer for multiple tunnels
On 2008-11-21, Mikolaj Kucharski <[EMAIL PROTECTED]> wrote:
> On Fri, Nov 21, 2008 at 02:52:53PM +, Mikolaj Kucharski wrote:
>> Hi,
>>
>> Is it possible to have two or more subnets, each configured with the
>> same srcid, dstid and peer? Currently I cannot make it work. It works
>> only for the first subnet in the roadwarrior config file. Is it possible
>> at all, no matter what IPsec implementation I would like to use?
>
> Thanks Mitja. To resolve my problem, the config on the router should look
> like:
>
> # router: /etc/ipsec.conf(5)
> ike passive esp tunnel \
>     from { \
>         172.16.0.0/16 \
>         192.168.1.0/24 \
>         192.168.2.0/24 \
>         192.168.3.0/24 \
>     } to any \
>     srcid net4511.example.com

There is no difference between the two router configs; this is exactly
equivalent to the previous one you posted. You can see for yourself by
examining output from "ipsecctl -nvf ".
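To check that last point without a BSD box at hand, here is an added Python normaliser (not code from the thread or from ipsecctl) that expands ipsec.conf(5) brace lists into one rule per list member and compares the two router configs from the thread. The configs are reconstructed from the posts; the parser is an assumption that covers only the syntax used here (backslash continuations, `#` comments and `{ ... }` lists), not ipsecctl's full grammar.

```python
import itertools
import re

# Constructed from the two router configs posted in the thread (same four subnets).
ROUTER_SEPARATE = "\n".join(
    f"ike passive esp tunnel \\\n\tfrom {net} to any \\\n\tsrcid net4511.example.com"
    for net in ["172.16.0.0/16", "192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"])
ROUTER_LIST = """
ike passive esp tunnel \\
    from { \\
        172.16.0.0/16 \\
        192.168.1.0/24 \\
        192.168.2.0/24 \\
        192.168.3.0/24 \\
    } to any \\
    srcid net4511.example.com
"""
TOKEN = re.compile(r"\{|\}|[^\s{}]+")   # braces are their own tokens, even if unspaced

def parse_rules(conf):
    """One token list per rule: join '\\' continuations, drop comments and blank lines."""
    joined = re.sub(r"\\[ \t]*\n", " ", conf)
    rules = []
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rules.append(TOKEN.findall(line))
    return rules

def alternatives(tokens):
    """['from', '{', 'a', 'b', '}', 'to'] -> [['from'], ['a', 'b'], ['to']]."""
    groups, i = [], 0
    while i < len(tokens):
        if tokens[i] == "{":
            close = tokens.index("}", i)       # ValueError on an unbalanced brace
            groups.append(tokens[i + 1:close])
            i = close + 1
        else:
            groups.append([tokens[i]])
            i += 1
    return groups

def expand(conf):
    """Set of single-valued rules: every brace list expanded by Cartesian product."""
    return {" ".join(combo) for tokens in parse_rules(conf)
            for combo in itertools.product(*alternatives(tokens))}

def equivalent(conf_a, conf_b):
    """True when both configs expand to the same rule set, regardless of order."""
    return expand(conf_a) == expand(conf_b)
```

`ipsecctl -nvf` on the real system remains the authoritative check, since it also applies defaults and validation this normaliser does not model.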