 From:  "Ola Bergqvist" <ola dot bergqvist at altair dot se>
 To:  "Manuel Kasper" <mk at neon1 dot net>, "Christopher M. Iarocci" <iarocci at eastendsc dot com>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] IPSEC tunnel with several SAs
 Date:  Tue, 20 Jan 2004 17:02:23 +0100
> Christopher M. Iarocci wrote:
>
> > Thank you for the solution to the problem.  Now to get Manuel to
> > implement it.  :-)  I'm forwarding this on to him also in the hopes he
> > can find it in his heart to include this in the next release.  :-)
>
> Sure, no problem, but can you confirm this: all that is really required
> is changing "required" to "unique" in the spdadd command? No side
> effects, no nothing (I'm too lazy to check at the moment - too much
> going on ;)? It sure doesn't sound like it should cause problems,
> though... The way it is now you have one SA per policy only anyway.
>
> - Manuel

All I can say is that it works on our firewall without any apparent side
effects.
The firewall is FreeBSD 4.8-something and it is using racoon for IKE.
It has six tunnels to our HQs in the US that use the same remote gateway
(those tunnels were the problem before I tested "unique") and one to a
m0n0wall.

As far as I can tell from the documentation "unique" should be ok, but you
might want to ask someone who actually knows. :) (As far as I can tell it
might even be possible to always use "unique" instead of "required". But all
examples I have ever seen use "required"...)

I'll let you know what happens with my modified m0n0wall. (I'm not even
sure it boots yet.)

Best Regards,
Ola
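Added illustration, not from the thread or from m0n0wall's own generated config: the two spdadd variants being discussed, in KAME setkey(8) syntax as used on FreeBSD 4.x. Note that setkey spells the level keyword `require` (the thread writes "required"); the gateway addresses, subnets and reqid values are constructed.

```conf
flush;
spdflush;

# --- Before: two tunnels to the SAME remote gateway at level "require".
# Both policy pairs carry an identical SA spec
# (esp/tunnel/203.0.113.10-198.51.100.1), so the kernel treats any matching
# SA as good enough for either policy; the tunnels are not kept apart.
spdadd 192.168.1.0/24 10.10.1.0/24 any -P out ipsec
    esp/tunnel/203.0.113.10-198.51.100.1/require;
spdadd 10.10.1.0/24 192.168.1.0/24 any -P in ipsec
    esp/tunnel/198.51.100.1-203.0.113.10/require;
spdadd 192.168.1.0/24 10.10.2.0/24 any -P out ipsec
    esp/tunnel/203.0.113.10-198.51.100.1/require;
spdadd 10.10.2.0/24 192.168.1.0/24 any -P in ipsec
    esp/tunnel/198.51.100.1-203.0.113.10/require;

# --- After: level "unique:N". Each policy is bound to its own SA through
# the reqid N, so racoon negotiates a separate SA per policy even though
# the endpoints are the same. Reqids are constructed; giving every policy
# its own value is the safe choice.
spdflush;
spdadd 192.168.1.0/24 10.10.1.0/24 any -P out ipsec
    esp/tunnel/203.0.113.10-198.51.100.1/unique:1;
spdadd 10.10.1.0/24 192.168.1.0/24 any -P in ipsec
    esp/tunnel/198.51.100.1-203.0.113.10/unique:2;
spdadd 192.168.1.0/24 10.10.2.0/24 any -P out ipsec
    esp/tunnel/203.0.113.10-198.51.100.1/unique:3;
spdadd 10.10.2.0/24 192.168.1.0/24 any -P in ipsec
    esp/tunnel/198.51.100.1-203.0.113.10/unique:4;
```

Load with `setkey -f <file>`, then `setkey -DP` lists the policies and `setkey -D` the negotiated SAs, which is where you can check that each tunnel now has its own SA.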