Re: isakmpd - Single Phase 1 - Multiple Phase 2 Address
On Thu, Oct 27, 2005 at 05:43:01AM -0400, Brian A. Seklecki wrote:
| This is confirmed to work? I suppose that would resolve part of my
| problem with 4314/system

netstat -rn
Encap:
Source        Port  Destination   Port  Proto  SA(Address/Proto/Type/Direction)
10.0.0/23     0     172.16.15/24  0     0      192.168.15.1/50/use/in
10.0.2/23     0     172.16.15/24  0     0      192.168.15.1/50/use/in
172.16.15/24  0     10.0.0/23     0     0      192.168.15.1/50/require/out
172.16.15/24  0     10.0.2/23     0     0      192.168.15.1/50/require/out

NB! IPs have been rewritten.

--
Runo Førrisdahl - TeleComputing IS
http://www.telecomputing.no/
Re: isakmpd - Single Phase 1 - Multiple Phase 2 Address
Hi,

On Wed, Oct 26, 2005 at 02:40:52PM -0400, Roy Morris wrote:
> I have been reading through the archives but have not found a reliable answer
> yet. I have recently been converting vpns from manual to isakmpd, with one
> of the other endpoints being a Cisco box. I can bring up a single subnet/IP
> no problem but if I try to add another phase2 connection it fails.
...

OK, maybe I'm missing the point here or am not fully understanding your
problem, but something like below works for me. A single phase 1 SA is used
to negotiate different phase 2 SAs. Note, both sides are OpenBSD boxes.

...
[IPsec-vpn7-vpn8]
Phase=          2
ISAKMP-peer=    ISAKMP-peer-theothers
Configuration=  Default-quick-mode
Local-ID=       Net-vpn7
Remote-ID=      Net-vpn8

[IPsec-vpn9-vpn10]
Phase=          2
ISAKMP-peer=    ISAKMP-peer-theothers
Configuration=  Default-quick-mode
Local-ID=       Net-vpn9
Remote-ID=      Net-vpn10

[Net-vpn7]
ID-type=        IPV4_ADDR_SUBNET
Network=        192.168.7.0
Netmask=        255.255.255.0

[Net-vpn8]
ID-type=        IPV4_ADDR_SUBNET
Network=        192.168.8.0
Netmask=        255.255.255.0

[Net-vpn9]
ID-type=        IPV4_ADDR_SUBNET
Network=        192.168.9.0
Netmask=        255.255.255.0

[Net-vpn10]
ID-type=        IPV4_ADDR_SUBNET
Network=        192.168.10.0
Netmask=        255.255.255.0
...
Re: isakmpd - Single Phase 1 - Multiple Phase 2 Address
This is confirmed to work? I suppose that would resolve part of my
problem with 4314/system

~BAS

On Thu, 2005-10-27 at 05:02, Runo Forrisdahl wrote:
> On Wed, Oct 26, 2005 at 02:40:52PM -0400, Roy Morris wrote:
> | I have been reading through the archives but have not found a reliable
> answer
> | yet. I have recently been converting vpns from manual to isakmpd, with one
> | of the other endpoints being a Cisco box. I can bring up a single subnet/IP
> | no problem but if I try to add another phase2 connection it fails.
> |
> | Does anyone have a config showing this setup?
>
> This config works for me after posting a similar question just a few days ago.
>
> [Phase 1]
> 192.168.15.1=           cisco
>
> [Phase 2]
> Connections=            tunnel-opengw-cisco,tunnel-opengw-cisco2
>
> [peer-opengw]
> ID-type=                IPV4_ADDR
> Address=                192.168.20.13
>
> [peer-cisco]
> ID-type=                IPV4_ADDR
> Address=                192.168.15.1
>
> [net-opengw]
> ID-type=                IPV4_ADDR_SUBNET
> Network=                172.16.15.0
> Netmask=                255.255.255.0
>
> [net-cisco]
> ID-type=                IPV4_ADDR_SUBNET
> Network=                10.0.0.0
> Netmask=                255.255.254.0
>
> [net-cisco2]
> ID-type=                IPV4_ADDR_SUBNET
> Network=                10.0.2.0
> Netmask=                255.255.254.0
>
> [cisco]
> Phase=                  1
> Transport=              udp
> Local-address=          192.168.20.13
> Address=                192.168.15.1
> Configuration=          main-mode
> Authentication=         Hemmelig
>
> [opengw-net]
> Phase=                  1
> Network=                172.16.15.0
> Netmask=                255.255.255.0
> Configuration=          main-mode
>
> [cisco-net]
> Phase=                  1
> Network=                10.0.0.0
> Netmask=                255.255.254.0
> Configuration=          main-mode
>
> [cisco2-net]
> Phase=                  1
> Network=                10.0.2.0
> Netmask=                255.255.254.0
> Configuration=          main-mode
>
> [tunnel-opengw-cisco]
> Phase=                  2
> ISAKMP-peer=            cisco
> Configuration=          quick-mode
> Local-ID=               net-opengw
> Remote-ID=              net-cisco
>
> [tunnel-opengw-cisco2]
> Phase=                  2
> ISAKMP-peer=            cisco
> Configuration=          quick-mode
> Local-ID=               net-opengw
> Remote-ID=              net-cisco2
>
> [rsa-main-mode]
> DOI=                    IPSEC
> EXCHANGE_TYPE=          ID_PROT
> Transforms=             3DES-SHA-RSA_SIG
>
> [main-mode]
> DOI=                    IPSEC
> EXCHANGE_TYPE=          ID_PROT
> Transforms=             3DES-SHA
>
> [quick-mode]
> DOI=                    IPSEC
> EXCHANGE_TYPE=          QUICK_MODE
> Suites=                 QM-ESP-3DES-SHA-SUITE
Re: isakmpd - Single Phase 1 - Multiple Phase 2 Address
On Wed, Oct 26, 2005 at 02:40:52PM -0400, Roy Morris wrote:
| I have been reading through the archives but have not found a reliable answer
| yet. I have recently been converting vpns from manual to isakmpd, with one
| of the other endpoints being a Cisco box. I can bring up a single subnet/IP
| no problem but if I try to add another phase2 connection it fails.
|
| Does anyone have a config showing this setup?

This config works for me after posting a similar question just a few days ago.

[Phase 1]
192.168.15.1=           cisco

[Phase 2]
Connections=            tunnel-opengw-cisco,tunnel-opengw-cisco2

[peer-opengw]
ID-type=                IPV4_ADDR
Address=                192.168.20.13

[peer-cisco]
ID-type=                IPV4_ADDR
Address=                192.168.15.1

[net-opengw]
ID-type=                IPV4_ADDR_SUBNET
Network=                172.16.15.0
Netmask=                255.255.255.0

[net-cisco]
ID-type=                IPV4_ADDR_SUBNET
Network=                10.0.0.0
Netmask=                255.255.254.0

[net-cisco2]
ID-type=                IPV4_ADDR_SUBNET
Network=                10.0.2.0
Netmask=                255.255.254.0

[cisco]
Phase=                  1
Transport=              udp
Local-address=          192.168.20.13
Address=                192.168.15.1
Configuration=          main-mode
Authentication=         Hemmelig

[opengw-net]
Phase=                  1
Network=                172.16.15.0
Netmask=                255.255.255.0
Configuration=          main-mode

[cisco-net]
Phase=                  1
Network=                10.0.0.0
Netmask=                255.255.254.0
Configuration=          main-mode

[cisco2-net]
Phase=                  1
Network=                10.0.2.0
Netmask=                255.255.254.0
Configuration=          main-mode

[tunnel-opengw-cisco]
Phase=                  2
ISAKMP-peer=            cisco
Configuration=          quick-mode
Local-ID=               net-opengw
Remote-ID=              net-cisco

[tunnel-opengw-cisco2]
Phase=                  2
ISAKMP-peer=            cisco
Configuration=          quick-mode
Local-ID=               net-opengw
Remote-ID=              net-cisco2

[rsa-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             3DES-SHA-RSA_SIG

[main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             3DES-SHA

[quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-3DES-SHA-SUITE

--
Runo Førrisdahl - TeleComputing IS
http://www.telecomputing.no/
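The two working configs in this thread (the vpn7/vpn8 one above and the cisco one just posted) share one shape: a single [Phase 1] peer section that every phase 2 connection names in ISAKMP-peer, and a [Phase 2] Connections list whose entries each point at Local-ID/Remote-ID subnet sections. The netstat -rn Encap table earlier in the thread is what the kernel should show once both phase 2 SAs are up: one "out" and one "in" flow per connection, both bound to the same peer address. The script below is an added example, not isakmpd's code and not any poster's: it parses an isakmpd.conf, checks that every name in that chain resolves to a section of the right kind (the dangling-name mistakes that otherwise surface only as "the second phase 2 fails"), derives the flows the kernel should hold, and diffs them against the Encap rows. SAMPLE_CONF and SAMPLE_ENCAP are constructed copies of what the messages show with the transform and authentication lines left out; the parsing rules (INI-like syntax, case-sensitive keys) follow isakmpd.conf(5), and the checks themselves are this script's own.

```python
# Added example for this thread (not isakmpd's code, not the posters' code): check that
# one phase 1 peer feeds several phase 2 connections consistently, then derive the
# encap flows 'netstat -rn' should show once the SAs are up and diff them.
import configparser
import ipaddress
import re

# Constructed copy of the single-phase-1 / two-phase-2 layout from the thread.
SAMPLE_CONF = """\
[Phase 1]
192.168.15.1= cisco
[Phase 2]
Connections= tunnel-opengw-cisco,tunnel-opengw-cisco2
[cisco]
Phase= 1
Address= 192.168.15.1
[net-opengw]
ID-type= IPV4_ADDR_SUBNET
Network= 172.16.15.0
Netmask= 255.255.255.0
[net-cisco]
ID-type= IPV4_ADDR_SUBNET
Network= 10.0.0.0
Netmask= 255.255.254.0
[net-cisco2]
ID-type= IPV4_ADDR_SUBNET
Network= 10.0.2.0
Netmask= 255.255.254.0
[tunnel-opengw-cisco]
Phase= 2
ISAKMP-peer= cisco
Local-ID= net-opengw
Remote-ID= net-cisco
[tunnel-opengw-cisco2]
Phase= 2
ISAKMP-peer= cisco
Local-ID= net-opengw
Remote-ID= net-cisco2
"""
# Constructed copy of the Encap: rows from the 'netstat -rn' output in the thread.
SAMPLE_ENCAP = """\
10.0.0/23    0    172.16.15/24 0    0     192.168.15.1/50/use/in
10.0.2/23    0    172.16.15/24 0    0     192.168.15.1/50/use/in
172.16.15/24 0    10.0.0/23    0    0     192.168.15.1/50/require/out
172.16.15/24 0    10.0.2/23    0    0     192.168.15.1/50/require/out
"""

def parse_isakmpd_conf(text):
    """isakmpd.conf(5) is INI-like; keep key case ('ISAKMP-peer') and '#' comments."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def _subnet(conf, tag):
    # Network for an IPV4_ADDR_SUBNET section; KeyError/ValueError when it is not one.
    sect = conf[tag]
    if sect.get("ID-type") != "IPV4_ADDR_SUBNET":
        raise ValueError("not an IPV4_ADDR_SUBNET section")
    return ipaddress.ip_network(f"{sect['Network']}/{sect['Netmask']}", strict=False)

def validate(conf):
    """Referential checks; a dangling name here otherwise shows up only as a failing phase 2."""
    problems = []
    for name in (n.strip() for n in conf["Phase 2"]["Connections"].split(",")):
        conn = conf.get(name, {})
        if conn.get("Phase") != "2":
            problems.append(f"[{name}] missing or not Phase= 2")
            continue
        peer_tag = conn.get("ISAKMP-peer")
        peer = conf.get(peer_tag, {})
        # The peer section must be phase 1 and [Phase 1] must map its address back to it.
        if peer.get("Phase") != "1" or conf["Phase 1"].get(peer.get("Address")) != peer_tag:
            problems.append(f"[{name}] ISAKMP-peer={peer_tag!r} is not a phase 1 peer mapped in [Phase 1]")
        for role in ("Local-ID", "Remote-ID"):
            try:
                _subnet(conf, conn.get(role))
            except (KeyError, ValueError) as exc:
                problems.append(f"[{name}] {role}={conn.get(role)!r}: {exc}")
    return problems

def expected_flows(conf):
    """(src, dst, direction, peer) the kernel should hold: one 'out' and one 'in' per connection."""
    flows = set()
    for name in (n.strip() for n in conf["Phase 2"]["Connections"].split(",")):
        conn = conf[name]
        local = _subnet(conf, conn["Local-ID"]).with_prefixlen
        remote = _subnet(conf, conn["Remote-ID"]).with_prefixlen
        peer = conf[conn["ISAKMP-peer"]]["Address"]
        flows.update({(local, remote, "out", peer), (remote, local, "in", peer)})
    return flows

# Encap row: Source Port Destination Port Proto SA(Address/Proto/Type/Direction)
ENCAP_RE = re.compile(r"^(\S+)\s+\d+\s+(\S+)\s+\d+\s+\d+\s+(\S+)/\d+/\w+/(in|out)$")

def _expand(net):
    # netstat abbreviates networks (10.0.2/23): pad to four octets, then normalise.
    addr, plen = net.split("/")
    octets = addr.split(".") + ["0"] * (3 - addr.count("."))
    return ipaddress.ip_network(".".join(octets) + "/" + plen, strict=False).with_prefixlen

def parse_encap(text):
    """Flows actually installed, read from the Encap: table of 'netstat -rn'."""
    flows = set()
    for m in filter(None, (ENCAP_RE.match(l.strip()) for l in text.splitlines())):
        src, dst, peer, direction = m.groups()
        flows.add((_expand(src), _expand(dst), direction, peer))
    return flows

def missing_flows(conf, netstat_text):
    # Configured flows absent from the kernel: each is a phase 2 SA that never came up.
    return sorted(expected_flows(conf) - parse_encap(netstat_text))
```

Run validate() on the live /etc/isakmpd/isakmpd.conf before starting isakmpd, and missing_flows() against the Encap section of netstat -rn afterwards: an empty list from both means every connection in the [Phase 2] list resolved and negotiated, while a single leftover tuple names exactly which subnet pair and direction never got its SA.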
Re: isakmpd - Single Phase 1 - Multiple Phase 2 Address [RESOLVED]
Requires fingers to be functional :)

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of
> Roy Morris
> Sent: Wednesday, October 26, 2005 2:41 PM
> To: misc@openbsd.org
> Subject: isakmpd - Single Phase 1 - Multiple Phase 2 Address
>
>
> I have been reading through the archives but have not found a
> reliable answer
> yet. I have recently been converting vpns from manual to
> isakmpd, with one
> of the other endpoints being a Cisco box. I can bring up a
> single subnet/IP
> no problem but if I try to add another phase2 connection it fails.
>
> Does anyone have a config showing this setup? I read
> something from 2003
> that said this *might* be a problem, but can't believe that
> would still be true.
>
> http://marc.theaimsgroup.com/?l=openbsd-misc&m=104621687611340&w=2
>
> Cheers
> Rm
isakmpd - Single Phase 1 - Multiple Phase 2 Address
I have been reading through the archives but have not found a reliable answer
yet. I have recently been converting vpns from manual to isakmpd, with one
of the other endpoints being a Cisco box. I can bring up a single subnet/IP
no problem but if I try to add another phase2 connection it fails.

Does anyone have a config showing this setup? I read something from 2003
that said this *might* be a problem, but can't believe that would still be true.

http://marc.theaimsgroup.com/?l=openbsd-misc&m=104621687611340&w=2

Cheers
Rm