On May 16, 2006, at 1:31 PM, Chris Cameron wrote:

I have 3 subnets, 192.168.120.x, 121.x and 122.x. 120 and 121 are
physically connected, 122 connects through a VPN.

In my VPN config, in Phase 2 I have:

Local-ID=               120network
Remote-ID=              122network

As expected, the 120 and 122 networks talk fine, traffic coming from or
going to 121 doesn't get routed to 122. From what I can tell it's
because there's no entry for it to do such under route's 'Encap'.

Question is, is there anyway in isakmpd.conf to define 2 subnets for the
Remote-ID? Can this route be added manually somehow?

You can define multiple Phase-1 and Phase-2 SAs. Here is a working example with two local networks (CORP and DMZ) and two remote offices (SITE1 and SITE2).

[General]
Listen-On=              200.0.0.200

[Phase 1]
210.0.0.210=            ISAKMP-peer-SITE1
220.0.0.220=            ISAKMP-peer-SITE2

[Phase 2]
Connections=            IPsec-CORP-SITE1,IPsec-DMZ-SITE1,IPsec-CORP-SITE2,IPsec-DMZ-SITE2

# One Phase-1 section per remote peer. Authentication= is the pre-shared key
# for that peer; the value below is only an example, and each peer should get
# its own secret so that one compromised site cannot impersonate the other.
[ISAKMP-peer-SITE1]
Phase=                  1
Address=                210.0.0.210
Configuration=          Default-main-mode
Authentication=         22fc90d5d9d1daece424aafaec7698c8

[ISAKMP-peer-SITE2]
Phase=                  1
Address=                220.0.0.220
Configuration=          Default-main-mode
Authentication=         22fc90d5d9d1daece424aafaec7698c8

[IPsec-CORP-SITE1]
Phase=                  2
ISAKMP-peer=            ISAKMP-peer-SITE1
Configuration=          Default-quick-mode
Local-ID=               Net-CORP
Remote-ID=              Net-SITE1

[IPsec-DMZ-SITE1]
Phase=                  2
ISAKMP-peer=            ISAKMP-peer-SITE1
Configuration=          Default-quick-mode
Local-ID=               Net-DMZ
Remote-ID=              Net-SITE1

[IPsec-CORP-SITE2]
Phase=                  2
ISAKMP-peer=            ISAKMP-peer-SITE2
Configuration=          Default-quick-mode
Local-ID=               Net-CORP
Remote-ID=              Net-SITE2

[IPsec-DMZ-SITE2]
Phase=                  2
ISAKMP-peer=            ISAKMP-peer-SITE2
Configuration=          Default-quick-mode
Local-ID=               Net-DMZ
Remote-ID=              Net-SITE2

[Net-CORP]
ID-type=                IPV4_ADDR_SUBNET
Network=                10.0.0.0
Netmask=                255.255.255.0

[Net-DMZ]
ID-type=                IPV4_ADDR_SUBNET
Network=                10.1.0.0
Netmask=                255.255.255.0

[Net-SITE1]
ID-type=                IPV4_ADDR_SUBNET
Network=                10.2.0.0
Netmask=                255.255.255.0

[Net-SITE2]
ID-type=                IPV4_ADDR_SUBNET
Network=                10.3.0.0
Netmask=                255.255.255.0

[Default-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             AES-SHA,3DES-SHA

[Default-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-AES-SHA-PFS-SUITE


--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
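The reason the 121 network never reaches 122 in the question is that no Phase-2 SA names that (local, remote) subnet pair, so isakmpd never installs a flow for it. The following Python script is an added example, not code from this thread or from isakmpd: it parses the INI-style isakmpd.conf sections, follows the [Phase 2] Connections= list through each connection's Local-ID and Remote-ID to the Net-* sections, and reports every local/remote subnet pair you expect to be covered but which has no Phase-2 connection. The embedded config is constructed for the example (it uses the 192.168.120/121/122 networks from the question with only one connection defined), and the checker assumes IPV4_ADDR_SUBNET identities and '#' comments as in isakmpd.conf(5).

```python
"""Report local/remote subnet pairs that lack a Phase-2 SA in an isakmpd.conf.

Added example, not part of the original thread or of isakmpd. The sample
config below is constructed for this example.
"""
import ipaddress
import itertools

SAMPLE_CONF = """\
[Phase 1]
210.0.0.210=            ISAKMP-peer-SITE1

[Phase 2]
Connections=            IPsec-CORP-SITE1

[ISAKMP-peer-SITE1]
Phase=                  1
Address=                210.0.0.210
Configuration=          Default-main-mode
Authentication=         example-only-secret   # placeholder, not a real key

[IPsec-CORP-SITE1]
Phase=                  2
ISAKMP-peer=            ISAKMP-peer-SITE1
Configuration=          Default-quick-mode
Local-ID=               Net-CORP
Remote-ID=              Net-SITE1

[Net-CORP]
ID-type=                IPV4_ADDR_SUBNET
Network=                192.168.120.0
Netmask=                255.255.255.0

[Net-DMZ]
ID-type=                IPV4_ADDR_SUBNET
Network=                192.168.121.0
Netmask=                255.255.255.0

[Net-SITE1]
ID-type=                IPV4_ADDR_SUBNET
Network=                192.168.122.0
Netmask=                255.255.255.0
"""


def parse_isakmpd_conf(text):
    """Return {section: {key: value}}; '#' starts a comment, as in isakmpd.conf(5)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def network_of(sections, name):
    """Turn a Net-* section into an ipaddress network (IPV4_ADDR_SUBNET only)."""
    sec = sections[name]
    if sec.get("ID-type") != "IPV4_ADDR_SUBNET":
        raise ValueError(f"{name}: unsupported ID-type {sec.get('ID-type')}")
    return ipaddress.ip_network(f"{sec['Network']}/{sec['Netmask']}", strict=True)


def phase2_flows(sections):
    """Set of (local_net, remote_net) pairs that have a Phase-2 connection."""
    names = [c.strip() for c in sections["Phase 2"]["Connections"].split(",")]
    flows = set()
    for name in names:
        conn = sections[name]  # KeyError here means a dangling Connections= entry
        if conn.get("Phase") != "2":
            raise ValueError(f"{name}: listed under [Phase 2] but Phase={conn.get('Phase')}")
        flows.add((network_of(sections, conn["Local-ID"]),
                   network_of(sections, conn["Remote-ID"])))
    return flows


def uncovered_pairs(sections, local_names, remote_names):
    """(local, remote) Net-* name pairs that no Phase-2 connection covers."""
    flows = phase2_flows(sections)
    missing = []
    for l_name, r_name in itertools.product(local_names, remote_names):
        pair = (network_of(sections, l_name), network_of(sections, r_name))
        if pair not in flows:
            missing.append((l_name, r_name))
    return missing


if __name__ == "__main__":
    conf = parse_isakmpd_conf(SAMPLE_CONF)
    for local, remote in uncovered_pairs(conf, ["Net-CORP", "Net-DMZ"], ["Net-SITE1"]):
        print(f"no Phase-2 SA for {local} -> {remote}; add a connection section for it")
```

Run it against a real isakmpd.conf by reading the file into parse_isakmpd_conf() and passing the Net-* names you expect on each side; any pair it prints corresponds to traffic that will be sent in the clear or dropped rather than encapsulated, which is exactly what an extra Phase-2 section (as in the config above) fixes.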
