hi, i have a situation where a branch office with multiple, non-overlapping, non-aggregatable local networks needs to connect to the head office via an ipsec tunnel. "of course", the security gateway is also acting as a gateway to the internet (nat and the usual collateral stuff), and, as a matter of fact, some of the "local" networks are connected to it via openvpn (that is, it itself is a vpn concentrator of sorts, for openvpn tunnels).
rough sketch:

      -- branch office --               |  |          -- head office --
                                        |  |
    172.16.187.0/24 -                   |  |          172.19.47.0/24
                     \  +-----------+   |  |    +-----------+  +-
                        |security gw| - (ipsec tun) - |security gw| - ...
    192.168.114.0/24 /  +--------+--+   |  |    +-----------+
    192.168.2.0/24 -             |      \
                                 ---- (internet etc..)

it may also be the case that at the head office end there will be more than one host/network to be accessed; this is not clarified yet. i am not in control of the head office's concentrator, but i know that they are using a cisco 3060.

how is this realized within isakmpd's configuration? i have already tried putting more than one ipv4_addr_subnet into the ipsec-id section, and even more than one ipsec-id section, but isakmpd throws them out (no surprise).

if this cannot be realized within isakmpd, what other options do i have? pf route-to/reply-to are about the only thing i can think of... anything else?

tia,
--
[-] mkdir /nonexistent
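One way to express the setup asked about above in isakmpd.conf, added here as an illustration and not taken from the original post or from any vendor documentation: isakmpd does not accept several subnets in one ID section, but a single Phase 1 SA to one peer can carry several Phase 2 connections, each with its own Local-ID/Remote-ID pair. So the three branch networks become three [IPsec-*] sections that all reference the same [peer-hq]; a second head-office network would simply add another set of [IPsec-*] sections. The peer address 203.0.113.1, the pre-shared key, and the section names are placeholders chosen for this example; the remote side has to list the same network pairs in its own configuration for quick mode to succeed.

```ini
# isakmpd.conf -- added example, names and addresses are placeholders

[Phase 1]
# one main-mode (Phase 1) SA towards the head-office gateway
203.0.113.1=    peer-hq

[Phase 2]
# one quick-mode (Phase 2) SA per branch-net/head-net pair, all over the same Phase 1 SA
Connections=    IPsec-187-to-47,IPsec-114-to-47,IPsec-2-to-47

[peer-hq]
Phase=          1
Transport=      udp
Address=        203.0.113.1
Configuration=  Default-main-mode
# pre-shared key; replace with the key agreed with the head office
Authentication= replace-me-with-the-real-psk

[IPsec-187-to-47]
Phase=          2
ISAKMP-peer=    peer-hq
Configuration=  Default-quick-mode
Local-ID=       net-172.16.187
Remote-ID=      net-172.19.47

[IPsec-114-to-47]
Phase=          2
ISAKMP-peer=    peer-hq
Configuration=  Default-quick-mode
Local-ID=       net-192.168.114
Remote-ID=      net-172.19.47

[IPsec-2-to-47]
Phase=          2
ISAKMP-peer=    peer-hq
Configuration=  Default-quick-mode
Local-ID=       net-192.168.2
Remote-ID=      net-172.19.47

# each ID section describes exactly one subnet
[net-172.16.187]
ID-type=        IPV4_ADDR_SUBNET
Network=        172.16.187.0
Netmask=        255.255.255.0

[net-192.168.114]
ID-type=        IPV4_ADDR_SUBNET
Network=        192.168.114.0
Netmask=        255.255.255.0

[net-192.168.2]
ID-type=        IPV4_ADDR_SUBNET
ID-type=        IPV4_ADDR_SUBNET
Network=        192.168.2.0
Netmask=        255.255.255.0

[net-172.19.47]
ID-type=        IPV4_ADDR_SUBNET
Network=        172.19.47.0
Netmask=        255.255.255.0

[Default-main-mode]
DOI=            IPSEC
EXCHANGE_TYPE=  ID_PROT
Transforms=     3DES-SHA

[Default-quick-mode]
DOI=            IPSEC
EXCHANGE_TYPE=  QUICK_MODE
Suites=         QM-ESP-3DES-SHA-PFS-SUITE
```

isakmpd installs one kernel flow per Phase 2 connection from the Local-ID/Remote-ID pair, so traffic from the openvpn-attached networks is covered as long as it is routed through this gateway and the networks appear as Local-IDs; traffic that does not match any flow keeps going out through the NAT as before. The transform and suite names are isakmpd's built-in ones; whether the head-office side accepts 3DES/SHA with PFS is something to confirm with them.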