Ola Bergqvist wrote:
>Hi,
>
>When I exchanged our old firewall with a standard FreeBSD box I got that
>problem.
>After a lot of testing it turned out that I had to change
>"required" to "unique" in the setkey commands. I am not really sure what
>this does though.
>
>from man IPSEC_SET_POLICY(3):
>...
>require means that a relevant SA is required, since the kernel must
>perform IPsec operation against packets. unique is the same as
>require, but adds the restriction that the SA for outbound traffic
>is used only for this policy.
>...
>
>BTW, I think the other end of the tunnel is a Linux FreeS/WAN system.
>
>As a first try in modifying m0n0wall I'm trying to hardcode this into
>m0n0wall.
>It would be great if there was a switch in the ui to change this...
>(It would be nice to use m0n0wall here without modifying it)
>
>Ola
>
>
>
Ola,
Thank you for the solution to the problem. Now to get Manuel to
implement it. :-) I'm forwarding this on to him also in the hopes he
can find it in his heart to include this in the next release. :-)
Chris
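
Added example (not part of the thread and not m0n0wall's code): the change Ola describes, applied to a constructed setkey(8) policy file in which two policies share the same tunnel endpoints, the case where the man page's "used only for this policy" wording matters. The addresses and the function names sample_policies and to_unique are assumptions made for this illustration.

```sh
#!/bin/sh
# Constructed sample in setkey(8) syntax. Two local subnets are tunnelled to
# the same peer, so both outbound policies name the same gateway pair.
# All addresses are documentation ranges, not values from the thread.
sample_policies() {
cat <<'EOF'
spdadd 192.0.2.0/25 198.51.100.0/24 any -P out ipsec esp/tunnel/203.0.113.1-203.0.113.2/require;
spdadd 198.51.100.0/24 192.0.2.0/25 any -P in ipsec esp/tunnel/203.0.113.2-203.0.113.1/require;
spdadd 192.0.2.128/25 198.51.100.0/24 any -P out ipsec esp/tunnel/203.0.113.1-203.0.113.2/require;
spdadd 198.51.100.0/24 192.0.2.128/25 any -P in ipsec esp/tunnel/203.0.113.2-203.0.113.1/require;
EOF
}

# Rewrite the level field (the last element of protocol/mode/src-dst/level)
# from require to unique. Only spdadd lines carrying an ipsec policy are
# touched; comments and other setkey commands pass through unchanged.
to_unique() {
    sed -E '/^spdadd .* ipsec / s#/require([;[:space:]]|$)#/unique\1#g'
}

# Print the converted policies. With unique, the SA used for each outbound
# policy is used only for that policy, as the quoted man page text states.
sample_policies | to_unique
```

The output can be reviewed and then loaded with setkey -f on a test box before changing a production tunnel.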