On 5 dec 2005, at 02.57, Brian A. Seklecki wrote:

I opened a PR on this earlier this year.  Search my last name in
query-pr.

The Cisco 3000 supports SA Proposals with multiple discontiguous
subnets.

The IKE protocol does not. In fact subnets are not part of SA proposals. (They're phase2 IDs.)

One IPsec tunnel cannot manage more than one set of network to network traffic. If you have two subnets at each site, you'll need to configure four tunnels, etc.

For the problem at hand, one specifies multiple entries in [Phase 2]:Connections, plus their config sections. There, multiple discontiguous subnets. :)

(Granted, isakmpd configuration could (like Cisco) support an easier way of configuring multiple networks. This may happen someday.)

You could also take a look at ipsecctl(8).

/H
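
The layout described above (one [Phase 2] connection per local/remote subnet pair, each with its own ID sections), written out for the four branch subnets in the sketch below. This is an added example, not configuration from the thread or from the isakmpd project; the branch gateway address 198.51.100.2, the head-office gateway 203.0.113.1, the head-office network 10.0.0.0/24 and the pre-shared key are assumptions, and the Phase 1/Phase 2 mode sections follow the sample in isakmpd.conf(5):

```ini
# isakmpd.conf for the branch-office security gateway (added example).
# Assumed, not from the thread: branch gw 198.51.100.2, head-office gw
# 203.0.113.1, head-office net 10.0.0.0/24, PSK "branch-psk-change-me".
# The four branch subnets are the ones in the sketch.

[General]
Retransmits=            5
Exchange-max-time=      120
Listen-on=              198.51.100.2

[Phase 1]
203.0.113.1=            ISAKMP-peer-hq

# One connection per (local subnet, remote subnet) pair: four local
# subnets x one remote subnet = four entries.  A second head-office
# subnet would need four more, each with its own section.
[Phase 2]
Connections=            IPsec-net1-hq,IPsec-net2-hq,IPsec-net3-hq,IPsec-net4-hq

[ISAKMP-peer-hq]
Phase=                  1
Transport=              udp
Local-address=          198.51.100.2
Address=                203.0.113.1
Configuration=          Default-main-mode
Authentication=         branch-psk-change-me

[IPsec-net1-hq]
Phase=                  2
ISAKMP-peer=            ISAKMP-peer-hq
Configuration=          Default-quick-mode
Local-ID=               Net-172-16-187
Remote-ID=              Net-hq

[IPsec-net2-hq]
Phase=                  2
ISAKMP-peer=            ISAKMP-peer-hq
Configuration=          Default-quick-mode
Local-ID=               Net-172-19-47
Remote-ID=              Net-hq

[IPsec-net3-hq]
Phase=                  2
ISAKMP-peer=            ISAKMP-peer-hq
Configuration=          Default-quick-mode
Local-ID=               Net-192-168-114
Remote-ID=              Net-hq

[IPsec-net4-hq]
Phase=                  2
ISAKMP-peer=            ISAKMP-peer-hq
Configuration=          Default-quick-mode
Local-ID=               Net-192-168-2
Remote-ID=              Net-hq

# Phase 2 IDs: exactly one subnet per section, referenced by name above.
[Net-172-16-187]
ID-type=                IPV4_ADDR_SUBNET
Network=                172.16.187.0
Netmask=                255.255.255.0

[Net-172-19-47]
ID-type=                IPV4_ADDR_SUBNET
Network=                172.19.47.0
Netmask=                255.255.255.0

[Net-192-168-114]
ID-type=                IPV4_ADDR_SUBNET
Network=                192.168.114.0
Netmask=                255.255.255.0

[Net-192-168-2]
ID-type=                IPV4_ADDR_SUBNET
Network=                192.168.2.0
Netmask=                255.255.255.0

[Net-hq]
ID-type=                IPV4_ADDR_SUBNET
Network=                10.0.0.0
Netmask=                255.255.255.0

[Default-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             3DES-SHA

[Default-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-3DES-SHA-PFS-SUITE
```

Two things to check when using this. The far end has to carry the same four proxy identities (on the Cisco side, one network-list entry per branch subnet against the head-office subnet), or quick mode will fail on the ID mismatch for the subnets it does not know about. And since the same gateway also does NAT for internet traffic, the NAT rule on the outside interface should exclude traffic headed for the head-office network (in 2005-era pf syntax something like `nat on $ext_if from $branch_nets to ! 10.0.0.0/24 -> ($ext_if)`, with those macro names being assumptions here), so that the source address still matches the Phase 2 ID when the packet reaches the IPsec flow. 3DES-SHA is the suite used by the man page sample; isakmpd.conf(5) also predefines AES suites, which are the better choice today.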


On Tue, 2005-06-07 at 20:54, Tamas TEVESZ wrote:
hi,

i have a situation where a branch office with multiple,
non-overlapping, non-aggregatable local networks need to connect to
the head office, via an ipsec tunnel. "of course", the security
gateway is also acting as a gateway to the internet (nat and the usual
collateral stuff), and, as a matter of fact, some of the "local"
networks are connected to it via openvpn (that is, it itself is a vpn
concentrator of sorts, for openvpn tunnels).

rough sketch:

  -- branch office --              |             | -- head office --
                                   |             |
172.16.187.0/24 -                  |             |
172.19.47.0/24   \   +-----------+ |             | +-----------+
                  +- |security gw| - (ipsec tun) - |security gw| - ...
192.168.114.0/24 /   +--------+--+ |             | +-----------+
192.168.2.0/24  -             |
                              \
                               ---- (internet etc..)

it may also be the case that at the head office end, there will be
more than one host/network to be accessed; this is not clarified
yet. i am not in control of the head office's concentrator, but i know
that they are using a cisco 3060.

how is this realized within isakmpd's configuration? i already have
tried putting more than one ipv4_addr_subnets into the ipsec-id
section, and even more than one ipsec-id section, but isakmpd throws
them out (no surprise).

if this cannot be realized within isakmpd, what other options do i
have? pf route-tos/reply-tos are about the only thing i can think
of... anything else?

tia,

