On Tue, 5 Apr 2005, Chris Buechler wrote:

> On Apr 5, 2005 3:18 PM, Jeroen Geusebroek <j dot geusebroek at gmail dot com> wrote:
> > Again I would like to raise the question about routing multiple subnets over
> > a single IPSEC tunnel.
>
> http://m0n0.ch/wall/docbook/faq-ipsec-multiple-subnets.html
>
> CIDR summarizing them is equivalent to Cisco adding to match address.
> If that isn't possible, it should be possible to add another IPsec
> tunnel between the two endpoints. The above is tested and verified
> from m0n0wall to m0n0wall.

Which above? There are two cases.

If parallel tunnels have been tested, was that with main mode or aggressive mode? In the former case, they'd have to use the same identifier, which shouldn't be a problem in theory, but some implementations might not like it. I've even run across an implementation (not m0n0wall) that didn't seem to like parallel tunnels at all, but it was so flaky in general that it was hard to be sure of anything.

A trickier case is where policies overlap. I believe they're supposed to be resolved on a first-match basis, but without a way to control the SP order it's difficult to make use of that.

Fred Wright
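The two options the thread weighs (summarise the subnets into one CIDR block for a single tunnel, or add a parallel tunnel) and Fred's point about overlapping policies being resolved first-match can be checked on paper before touching a firewall. The following is an added example, not code from m0n0wall or from anyone on the list: it shows when summarisation is exact, what extra address space a forced single supernet would drag into the policy, and how the same overlapping SPD gives a different answer depending on entry order. All subnets and tunnel names are constructed for illustration.

```python
"""CIDR summarisation for an IPsec policy and first-match SPD lookup.

Added example, not code from m0n0wall or from anyone on the list thread.
All subnets and tunnel names below are constructed for illustration.
"""
import ipaddress
from typing import Iterable, List, Optional, Sequence, Tuple

Net = ipaddress.IPv4Network


def summarize(subnets: Iterable[str]) -> List[str]:
    """Collapse subnets into the smallest exact set of CIDR blocks.

    Only adjacent, correctly aligned blocks merge, so the result covers
    exactly the input and nothing more.  If it comes back as one block,
    that block is the single policy one SA can carry for all of them.
    """
    nets = [ipaddress.ip_network(s, strict=True) for s in subnets]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def single_supernet(subnets: Sequence[str]) -> Tuple[str, List[str]]:
    """Find the smallest single CIDR block covering every input subnet.

    Returns (block, leakage) where leakage lists the address ranges the
    block covers that were NOT in the input.  Those ranges would also be
    matched by the IPsec policy, which is the price of forcing unrelated
    subnets through a single SA rather than adding a second tunnel.
    """
    if not subnets:
        raise ValueError("need at least one subnet")
    nets = [ipaddress.ip_network(s, strict=True) for s in subnets]
    block = nets[0]
    # Widen the prefix until every subnet fits; terminates at /0 at worst.
    while not all(n.subnet_of(block) for n in nets):
        block = block.supernet()
    # Subtract each (already collapsed, hence disjoint) input block from
    # the supernet; whatever remains is the leakage.
    remaining: List[Net] = [block]
    for wanted in ipaddress.collapse_addresses(nets):
        next_remaining: List[Net] = []
        for piece in remaining:
            if wanted.subnet_of(piece):
                # address_exclude yields the parts of piece outside wanted
                next_remaining.extend(piece.address_exclude(wanted))
            elif not piece.subnet_of(wanted):
                next_remaining.append(piece)  # disjoint: keep as-is
            # else: piece lies wholly inside wanted, so it is not leakage
        remaining = next_remaining
    return str(block), [str(n) for n in sorted(remaining)]


Policy = Tuple[str, str, str]  # (local_net, remote_net, tunnel_name)


def spd_lookup(spd: Sequence[Policy], src: str, dst: str) -> Optional[str]:
    """Return the tunnel chosen for (src, dst) under first-match semantics.

    The SPD is walked in order and the first policy whose selectors contain
    both addresses wins.  With overlapping policies the answer therefore
    depends entirely on the order the entries were installed in.
    """
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    for local, remote, tunnel in spd:
        if s in ipaddress.ip_network(local) and d in ipaddress.ip_network(remote):
            return tunnel
    return None  # no matching policy at all


if __name__ == "__main__":
    # Two adjacent /24s summarise exactly: one tunnel, one policy.
    print(summarize(["10.1.0.0/24", "10.1.1.0/24"]))
    # Two non-adjacent /24s do not; forcing one block leaks two other /24s.
    print(single_supernet(["10.1.0.0/24", "10.1.2.0/24"]))
    # Overlapping policies: the broad entry shadows the specific one when listed first.
    broad_first = [("10.1.0.0/16", "192.168.0.0/16", "site-wide"),
                   ("10.1.5.0/24", "192.168.5.0/24", "finance-only")]
    print(spd_lookup(broad_first, "10.1.5.7", "192.168.5.9"))
    print(spd_lookup(list(reversed(broad_first)), "10.1.5.7", "192.168.5.9"))
```

The summarisation check is the one to run first: if `summarize` returns a single block, a single SA with that selector is exact and no second tunnel is needed. If it does not, `single_supernet` shows what a wider selector would additionally pull into the tunnel, and the honest alternative is the second SA. The `spd_lookup` pair illustrates the overlap problem: the same two policies select different tunnels for the same packet purely on ordering, which is why a first-match SPD is only useful when the administrator can control that order.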