 From:  Fred Wright <fw at well dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Multiple IPSEC tunnels between two endpoints
 Date:  Sat, 28 Feb 2009 20:04:20 -0800 (PST)
On Sat, 28 Feb 2009, Andrew Cotter wrote:

> > -----Original Message-----
> > From: Chris Buechler [mailto:cbuechler at gmail dot com] 
> > Sent: Friday, February 27, 2009 5:56 PM
> > To: m0n0wall at lists dot m0n0 dot ch
> > Subject: Re: [m0n0wall] Multiple IPSEC tunnels between two endpoints
> > 
> > On Fri, Feb 27, 2009 at 1:52 PM, Andrew Cotter 
> > <andrew dot cotter at somersetcapital dot com> wrote:
> > >> -----Original Message-----
> > >> From: Lee Sharp [mailto:leesharp at hal dash pc dot org]
> > >> Sent: Friday, February 27, 2009 1:07 PM
> > >> To: m0n0wall at lists dot m0n0 dot ch
> > >> Subject: Re: [m0n0wall] Multiple IPSEC tunnels between two 
> > endpoints
> > >>
> > >> You only need one tunnel, and appropriate routes and rules.
> > >> The tunnel is between the core router and the core router.
> > >
> > > So... Setup the one tunnel.
> > >
> > > Once that is up and running, add a static route to say
> > >
> > 
> > No, you were right initially. Static routes don't push 
> > traffic over IPsec, the traffic has to match something in 
> > your SPD. Since your subnets aren't CIDR-summarizable, you 
> > have to use parallel tunnels, as you're doing.
> > 
> > Aside from the difference in local and remote networks, I 
> > believe you may also have to use a different PSK for each. I 
> > don't recall for sure, that's what I've done in the past and it works.
> > 
> 
> I went back to the parallel IPSEC tunnel concept, but I can not get both
> tunnels to be up at the same time.  Like I said in the original email, as
> soon as I have both up the tunnels die.   The "Pre-Shared Key" is different
> for the two tunnels.  
> 
> Most descriptive error I see in the log is
> 
> Feb 28 02:20:18 	racoon: ERROR: HASH mismatched
> Feb 28 02:20:18 	racoon: NOTIFY: couldn't find the proper pskey, try
> to get one by the peer's address.
> 
> I have been over and over the settings and see nothing wrong especially
> since either of them works fine if the other tunnel is down.

Make sure you use Aggressive Mode, since in Main Mode the tunnel can only
be identified by the IP address.

					Fred Wright
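The "not CIDR-summarizable" reasoning in Chris's reply is easy to check mechanically. This added example (not code from the thread or from m0n0wall) works out how many phase-2 selector pairs a pair of sites needs, and what address space a single summary block would drag into the tunnel instead; the subnets are constructed, since Andrew's real ones are not given in the thread.

```python
from ipaddress import IPv4Network, collapse_addresses
from itertools import product


def summarize(nets):
    """Collapse networks into the fewest exact CIDR blocks (no over-inclusion)."""
    return list(collapse_addresses(IPv4Network(n) for n in nets))


def spd_selectors(local, remote):
    """Local/remote selector pairs needed so every local<->remote flow
    matches an SPD entry. Each pair is one phase-2 SA, i.e. one tunnel
    entry in a GUI that configures one selector per tunnel."""
    return [(str(l), str(r))
            for l, r in product(summarize(local), summarize(remote))]


def single_supernet(nets):
    """Smallest single CIDR block covering all nets, plus how many addresses
    it would pull into the tunnel that belong to none of them. A non-zero
    second value is why a summary selector is not a safe substitute for
    parallel selectors: unrelated traffic would be captured by the SPD."""
    blocks = summarize(nets)
    cover = blocks[0]
    while not all(b.subnet_of(cover) for b in blocks):
        cover = cover.supernet()
    wanted = sum(b.num_addresses for b in blocks)
    return cover, cover.num_addresses - wanted


if __name__ == "__main__":
    # Constructed sample: two local /24s that do not share a /23 boundary,
    # one remote /24.
    local = ["192.168.1.0/24", "192.168.2.0/24"]
    remote = ["10.0.1.0/24"]
    print("summarizable:", [str(n) for n in summarize(["192.168.0.0/24", "192.168.1.0/24"])])
    print("selectors needed:", spd_selectors(local, remote))
    cover, extra = single_supernet(local)
    print(f"single block {cover} would add {extra} unintended addresses")
```

If the selector list has more than one entry per peer, Fred's point applies: the peer must be able to tell the tunnels apart by identifier rather than by address alone.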