Hi,
On Fri, Nov 24, 2006 at 09:45:45AM +0000, Brian Candler wrote:
> I'm trying to set up multiple transport mode SAs between an OpenBSD 4.0 box
> and a Cisco 7301 running IOS [ultimate reason is to load test multiple L2TP
> over IPSEC tunnels].
>
> Each SA is between the same two IP endpoints but specifies a different UDP
> port pair.
>
> I was able to get a single SA up using ipsecctl, after making this small fix:
>
> --- sbin/ipsecctl/ike.c.orig Thu Nov 23 22:48:23 2006
> +++ sbin/ipsecctl/ike.c Thu Nov 23 22:48:37 2006
> @@ -526,7 +526,7 @@
> fprintf(fd, SET "[lid-%s]:Port=%d force\n", src->name,
> ntohs(sport));
> if (dport)
> - fprintf(fd, SET "[rid-%s]:Port=%d force\n", src->name,
> + fprintf(fd, SET "[rid-%s]:Port=%d force\n", dst->name,
> ntohs(dport));
> }
this has already been committed, thanks!
Could you please try the diff below? It's just a quick hack but
might solve that problem.
HJ.
Index: ike.c
===================================================================
RCS file: /cvs/src/sbin/ipsecctl/ike.c,v
retrieving revision 1.54
diff -u -p -r1.54 ike.c
--- ike.c 24 Nov 2006 08:07:18 -0000 1.54
+++ ike.c 24 Nov 2006 10:28:33 -0000
@@ -38,12 +38,13 @@ static void ike_section_peer(struct ipse
static void ike_section_ids(struct ipsec_addr_wrap *, struct ipsec_auth *,
FILE *, u_int8_t);
static int ike_get_id_type(char *);
-static void ike_section_ipsec(struct ipsec_addr_wrap *, struct
- ipsec_addr_wrap *, struct ipsec_addr_wrap *, FILE *);
+static void ike_section_ipsec(struct ipsec_addr_wrap *, u_int16_t, struct
+ ipsec_addr_wrap *, u_int16_t, struct ipsec_addr_wrap *,
+ char *, FILE *);
static int ike_section_p1(struct ipsec_addr_wrap *, struct
ipsec_transforms *, FILE *, struct ike_auth *, u_int8_t);
-static int ike_section_p2(struct ipsec_addr_wrap *, struct
- ipsec_addr_wrap *, u_int8_t, u_int8_t, struct
+static int ike_section_p2(struct ipsec_addr_wrap *, u_int16_t, struct
+ ipsec_addr_wrap *, u_int16_t, u_int8_t, u_int8_t, struct
ipsec_transforms *, FILE *, u_int8_t);
static void ike_section_p2ids(u_int8_t, struct ipsec_addr_wrap *,
u_int16_t, struct ipsec_addr_wrap *, u_int16_t, FILE *);
@@ -174,33 +175,45 @@ ike_get_id_type(char *string)
}
static void
-ike_section_ipsec(struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst,
- struct ipsec_addr_wrap *peer, FILE *fd)
+ike_section_ipsec(struct ipsec_addr_wrap *src, u_int16_t sport,
+ struct ipsec_addr_wrap *dst, u_int16_t dport, struct ipsec_addr_wrap *peer,
+ char *tag, FILE *fd)
{
- fprintf(fd, SET "[IPsec-%s-%s]:Phase=2 force\n", src->name, dst->name);
+ char *p;
+
+ if (asprintf(&p, "%s:%d-%s:%d", src->name, ntohs(sport), dst->name,
+ ntohs(dport)) == -1)
+ err(1, "ike_section_ipsec");
+
+ fprintf(fd, SET "[IPsec-%s]:Phase=2 force\n", p);
if (peer)
- fprintf(fd, SET "[IPsec-%s-%s]:ISAKMP-peer=peer-%s force\n",
- src->name, dst->name, peer->name);
+ fprintf(fd, SET "[IPsec-%s]:ISAKMP-peer=peer-%s force\n", p,
+ peer->name);
else
fprintf(fd, SET
- "[IPsec-%s-%s]:ISAKMP-peer=peer-default force\n",
- src->name, dst->name);
+ "[IPsec-%s]:ISAKMP-peer=peer-default force\n", p);
+
+ fprintf(fd, SET "[IPsec-%s]:Configuration=qm-%s force\n", p, p);
+ fprintf(fd, SET "[IPsec-%s]:Local-ID=lid-%s force\n", p, src->name);
+ fprintf(fd, SET "[IPsec-%s]:Remote-ID=rid-%s force\n", p, dst->name);
- fprintf(fd, SET "[IPsec-%s-%s]:Configuration=qm-%s-%s force\n",
- src->name, dst->name, src->name, dst->name);
- fprintf(fd, SET "[IPsec-%s-%s]:Local-ID=lid-%s force\n", src->name,
- dst->name, src->name);
- fprintf(fd, SET "[IPsec-%s-%s]:Remote-ID=rid-%s force\n", src->name,
- dst->name, dst->name);
+ if (tag)
+ fprintf(fd, SET "[IPsec-%s]:PF-Tag=%s force\n", p, tag);
+
+ free(p);
}
static int
-ike_section_p2(struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst,
- u_int8_t satype, u_int8_t tmode, struct ipsec_transforms *qmxfs, FILE *fd,
- u_int8_t ike_exch)
+ike_section_p2(struct ipsec_addr_wrap *src, u_int16_t sport,
+ struct ipsec_addr_wrap *dst, u_int16_t dport, u_int8_t satype,
+ u_int8_t tmode, struct ipsec_transforms *qmxfs, FILE *fd, u_int8_t
ike_exch)
{
- char *tag, *exchange_type, *sprefix;
+ char *p, *tag, *exchange_type, *sprefix;
+
+ if (asprintf(&p, "%s:%d-%s:%d", src->name, ntohs(sport), dst->name,
+ ntohs(dport)) == -1)
+ err(1, "ike_section_p2");
switch (ike_exch) {
case IKE_QM:
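Review bot: The `p` buffer allocated by the new asprintf() at the top of ike_section_p2 is leaked on the switch's error path: the `default:` branch (its `return (-1);` is visible as context in the next hunk, @@ -213) returns before the `free(p)` that the @@ -339 hunk adds on the success path. The simplest fix is to move the three asprintf()/err() lines below the `switch (ike_exch)` block, after that early return, so `p` is only allocated once the exchange type has been validated; otherwise add `free(p);` immediately before that `return (-1);`. The same `"%s:%d-%s:%d"` name is built independently here and in ike_section_ipsec, and the `Configuration=qm-%s` reference written there only resolves if both stay byte-identical, so a small static helper returning the name would keep them from drifting. The generated section names now also contain ':' characters, which the `SET "[section]:tag=value"` form uses as its delimiter; this presumably works if isakmpd's command parser splits on the closing `]` rather than the first ':', but that is worth confirming. ike_section_p2's body continues past the end of this hunk.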
@@ -213,10 +226,9 @@ ike_section_p2(struct ipsec_addr_wrap *s
return (-1);
}
- fprintf(fd, SET "[%s-%s-%s]:EXCHANGE_TYPE=%s force\n",
- tag, src->name, dst->name, exchange_type);
- fprintf(fd, SET "[%s-%s-%s]:Suites=%s-", tag, src->name,
- dst->name, sprefix);
+ fprintf(fd, SET "[%s-%s]:EXCHANGE_TYPE=%s force\n", tag, p,
+ exchange_type);
+ fprintf(fd, SET "[%s-%s]:Suites=%s-", tag, p, sprefix);
switch (satype) {
case IPSEC_ESP:
@@ -339,6 +354,8 @@ ike_section_p2(struct ipsec_addr_wrap *s
fprintf(fd, "-PFS");
fprintf(fd, "-SUITE force\n");
+ free(p);
+
return (0);
}
@@ -595,9 +612,10 @@ ike_gen_config(struct ipsec_rule *r, FIL
fd, r->ikeauth, r->p1ie) == -1)
return (-1);
ike_section_ids(r->peer, r->auth, fd, r->ikemode);
- ike_section_ipsec(r->src, r->dst, r->peer, fd);
- if (ike_section_p2(r->src, r->dst, r->satype, r->tmode, r->p2xfs,
- fd, r->p2ie) == -1)
+ ike_section_ipsec(r->src, r->sport, r->dst, r->dport, r->peer, r->tag,
+ fd);
+ if (ike_section_p2(r->src, r->sport, r->dst, r->dport, r->satype,
+ r->tmode, r->p2xfs, fd, r->p2ie) == -1)
return (-1);
ike_section_p2ids(r->proto, r->src, r->sport, r->dst, r->dport, fd);