 From:  "Ola Bergqvist" <ola dot bergqvist at altair dot se>
 To:  "Manuel Kasper" <mk at neon1 dot net>, "Christopher M. Iarocci" <iarocci at eastendsc dot com>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] IPSEC tunnel with several SAs
 Date:  Tue, 20 Jan 2004 18:18:25 +0100
The "unique" modified m0n0wall has worked without any troubles so far, with
at least most of the six tunnels to the same gateway working (I haven't had
time to find hosts on the other nets to test in the rest). The tunnel to the
other unmodified m0n0wall also works.

Someone might find it useful to know how I modified the ISO image without
a FreeBSD installation:
I used FreeSBIE (http://www.freesbie.org), a FreeBSD live CD, to mount the
image and the mfsroot from the image. There is some information in the
archive about how to do that. (FreeSBIE is FreeBSD 5.1-? so it uses mdconfig
instead of vnconfig.)
Then I used UltraISO to put my modified mfsroot.gz back in the ISO.

Best Regards,

> -----Original Message-----
> From: Ola Bergqvist [mailto:ola dot bergqvist at altair dot se]
> Sent: den 20 januari 2004 17:02
> To: Manuel Kasper; Christopher M. Iarocci
> Cc: m0n0wall at lists dot m0n0 dot ch
> Subject: RE: [m0n0wall] IPSEC tunnel with several SAs
> > Christopher M. Iarocci wrote:
> >
> > > Thank you for the solution to the problem.  Now to get Manuel to
> > > implement it.  :-)  I'm forwarding this on to him also in the hopes he
> > > can find it in his heart to include this in the next release.  :-)
> >
> > Sure, no problem, but can you confirm this: all that is really required
> > is changing "required" to "unique" in the spdadd command? No side
> > effects, no nothing (I'm too lazy to check at the moment - too much
> > going on ;)? It sure doesn't sound like it should cause problems,
> > though... The way it is now you have one SA per policy only anyway.
> >
> > - Manuel
> All I can say is that it works on our firewall without any apparent side
> effects.
> The firewall is FreeBSD 4.8-something and it is using racoon for IKE.
> It has six tunnels to our HQ in the US that use the same remote gateway
> (those tunnels were the problem before I tested "unique") and one to a
> m0n0wall.
> As far as I can tell from the documentation "unique" should be ok, but you
> might want to ask someone who actually knows. :) (As far as I can tell it
> might even be possible to always use "unique" instead of "required". But all
> examples I have ever seen use "required"...)
> I'll let you know what happens with my modified m0n0wall. (I'm not even
> sure it boots yet.)
> Best Regards,
> Ola
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
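The policy change discussed in this thread, written out as an added setkey(8) policy file. This is not from the post or from the m0n0wall sources; the subnets and gateway addresses are hypothetical, and only two of the six tunnels to the same remote gateway are shown. The setkey keyword for the level the thread calls "required" is spelled `require` in setkey(8); the point is that with `require` the kernel may hand outbound traffic for the second subnet to the SA that was negotiated for the first one (both SAs have the same tunnel endpoints), whereas `unique` ties each policy to its own SA via a request ID (reqid), so racoon negotiates a separate phase 2 for every policy.

```conf
# Hypothetical addresses: local LAN 10.1.0.0/16 behind gateway 192.0.2.1,
# two remote subnets 10.11.0.0/16 and 10.12.0.0/16 behind the single
# remote gateway 198.51.100.1 (two of the six tunnels in the thread).

flush;
spdflush;

# Problematic form: "require". Both outbound policies name the same
# esp/tunnel endpoint pair, so any SA between 192.0.2.1 and 198.51.100.1
# satisfies both of them, and traffic for 10.12.0.0/16 can be sent through
# the SA whose phase-2 selectors only cover 10.11.0.0/16.
#
# spdadd 10.1.0.0/16 10.11.0.0/16 any -P out ipsec esp/tunnel/192.0.2.1-198.51.100.1/require;
# spdadd 10.11.0.0/16 10.1.0.0/16 any -P in  ipsec esp/tunnel/198.51.100.1-192.0.2.1/require;
# spdadd 10.1.0.0/16 10.12.0.0/16 any -P out ipsec esp/tunnel/192.0.2.1-198.51.100.1/require;
# spdadd 10.12.0.0/16 10.1.0.0/16 any -P in  ipsec esp/tunnel/198.51.100.1-192.0.2.1/require;

# Fixed form: "unique". Each policy gets its own reqid, the kernel will only
# use an SA carrying that reqid, and racoon negotiates one phase-2 SA pair
# per policy. Without a number the kernel assigns the reqid itself;
# "unique:N" pins it explicitly (N is a small integer, e.g. 1..6 here).
spdadd 10.1.0.0/16 10.11.0.0/16 any -P out ipsec esp/tunnel/192.0.2.1-198.51.100.1/unique:1;
spdadd 10.11.0.0/16 10.1.0.0/16 any -P in  ipsec esp/tunnel/198.51.100.1-192.0.2.1/unique:1;
spdadd 10.1.0.0/16 10.12.0.0/16 any -P out ipsec esp/tunnel/192.0.2.1-198.51.100.1/unique:2;
spdadd 10.12.0.0/16 10.1.0.0/16 any -P in  ipsec esp/tunnel/198.51.100.1-192.0.2.1/unique:2;
```

Load it with `setkey -f <file>` and then check with `setkey -DP` that every policy shows its own reqid, and with `setkey -D` that, once traffic has flowed to both remote subnets, there is a distinct SA pair per reqid rather than a single pair shared by all policies to 198.51.100.1.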