Hi,

When I exchanged our old firewall with a standard FreeBSD box I got that problem. After a lot of testing it turned out that I had to change "required" to "unique" in the setkey commands. I am not really sure what this does though.

From man IPSEC_SET_POLICY(3):

...
require means that a relevant SA is required, since the kernel must perform IPsec operation against packets.
unique is the same as require, but adds the restriction that the SA for outbound traffic is used only for this policy.
...

BTW, I think the other end of the tunnel is a linux free/swan system.

As a first try in modifying m0n0wall I'm trying to hardcode this into m0n0wall. It would be great if there was a switch in the ui to change this... (It would be nice to use m0n0wall here without modifying it.)

Ola

> -----Original Message-----
> From: Christopher M. Iarocci [mailto:iarocci at eastendsc dot com]
> Sent: 20 January 2004 14:14
> To: Fred Weston
> Cc: Peter Kulinski; 'm0n0wall at lists dot m0n0 dot ch'
> Subject: Re: [m0n0wall] IPSEC tunnel with several SAs
>
>
> Fred Weston wrote:
>
> > Peter Kulinski wrote:
> >
> >> Is it possible to define more than one SA rule for an IPSEC tunnel with
> >> M0n0wall?
> >>
> >> LANHOME LANOFFICE (2)
> >>
> >> 192.168.1.0/24 <--> 192.168.10.0/24 and 192.168.11.0/24
> >>
> >> I can't find any information on doing this. I know that it's NOT possible
> >> solving this by doing 2 tunnels.
> >>
> >> Any idea?
> >>
> >> Regards
> >>
> >> \Peter
> >>
> > How about using 192.168.10.0/23 instead of 192.168.10.0/24 and
> > 192.168.11.0/24?
> >
> I've been asking this question for about 4 months now, with no answers
> from anyone. :-(
>
> If using the different bit mask works for this situation, it certainly
> won't work for all situations. What if I have a 192.168.X.X network and
> a 10.X.X.X network on one side? I certainly couldn't allow that with a
> bitmask change. There must be a way, or racoon is severely limited in
> this manner. I've used many other routers that could establish 2
> tunnels to 1 location, but it seems racoon can not?? I'm still looking
> for confirmation on that though.
>
> Chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
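As an added illustration, not taken from the thread or from the config m0n0wall itself generates, here is what the SPD entries for Peter's two-subnet layout look like in setkey.conf syntax, first with the `require` level that fails and then with the `unique` level Ola switched to. The gateway addresses 203.0.113.1 (LANHOME) and 198.51.100.1 (LANOFFICE) are assumed placeholders.

```conf
# Constructed example: one IPsec tunnel between LANHOME (gateway
# 203.0.113.1, assumed) and LANOFFICE (gateway 198.51.100.1, assumed)
# carrying two phase-2 SAs, one per office subnet.

# --- Problem version: level "require" ---
# Both outbound policies name the same ESP tunnel endpoints. "require"
# only insists that some SA with matching endpoints exists, so packets
# for 192.168.11.0/24 can be sent inside the SA that was negotiated for
# 192.168.10.0/24. A peer that keeps one SA per subnet pair (such as the
# FreeS/WAN side mentioned above) drops those packets as not matching
# that SA's selectors.
spdadd 192.168.1.0/24 192.168.10.0/24 any -P out ipsec
    esp/tunnel/203.0.113.1-198.51.100.1/require;
spdadd 192.168.1.0/24 192.168.11.0/24 any -P out ipsec
    esp/tunnel/203.0.113.1-198.51.100.1/require;
spdadd 192.168.10.0/24 192.168.1.0/24 any -P in ipsec
    esp/tunnel/198.51.100.1-203.0.113.1/require;
spdadd 192.168.11.0/24 192.168.1.0/24 any -P in ipsec
    esp/tunnel/198.51.100.1-203.0.113.1/require;

# --- Fixed version: level "unique" ---
# "unique" ties the outbound SA to the policy that requested it, so
# racoon negotiates a separate SA for each subnet and each policy only
# ever uses its own. The kernel picks the binding id itself; setkey
# also accepts an explicit "unique:N" (N between 1 and 32767) if you
# want the id fixed by hand.
spdadd 192.168.1.0/24 192.168.10.0/24 any -P out ipsec
    esp/tunnel/203.0.113.1-198.51.100.1/unique;
spdadd 192.168.1.0/24 192.168.11.0/24 any -P out ipsec
    esp/tunnel/203.0.113.1-198.51.100.1/unique;
spdadd 192.168.10.0/24 192.168.1.0/24 any -P in ipsec
    esp/tunnel/198.51.100.1-203.0.113.1/unique;
spdadd 192.168.11.0/24 192.168.1.0/24 any -P in ipsec
    esp/tunnel/198.51.100.1-203.0.113.1/unique;
```

After loading with `setkey -f`, `setkey -DP` shows the level on each policy and `setkey -D` should show one ESP SA per subnet pair once both phase-2 exchanges complete.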