Re: Problem with Racoon/IPSec/Setkey - Routing to/from multiple networks

From: Helge Oldach (helge.oldach_at_atosorigin.com)
Date: 11/18/03

  • Next message: Mike Silbersack: "wi0 wireless compatibility issue?"
    To: jamie@tridentmicrosystems.co.uk
    Date: Tue, 18 Nov 2003 16:27:54 +0100 (MET)

    Jamie Heckford:
    >Helge Oldach wrote:
    >> Jamie Heckford:
    >>> /usr/sbin/setkey -c << EOF
    >>> flush;
    >>> spdflush;
    >>> spdadd ${LOCAL_NETWORK} ${STJUST_NETWORK} any -P out ipsec
    >>> esp/tunnel/${LOCAL_OUTSIDE}-${STJUST_OUTSIDE}/require;
    >>> spdadd ${STJUST_NETWORK} ${LOCAL_NETWORK} any -P in ipsec
    >>> esp/tunnel/${STJUST_OUTSIDE}-${LOCAL_OUTSIDE}/require;
    >>> spdadd ${ALLNET_1} ${STJUST_NETWORK} any -P out ipsec
    >>> esp/tunnel/${LOCAL_OUTSIDE}-${STJUST_OUTSIDE}/require;
    >>> spdadd ${STJUST_NETWORK} ${ALLNET_1} any -P in ipsec
    >>> esp/tunnel/${STJUST_OUTSIDE}-${LOCAL_OUTSIDE}/require;
    >>> spdadd ${LOCAL_NETWORK} ${BENELUX_NETWORK} any -P out ipsec
    >>> esp/tunnel/${LOCAL_OUTSIDE}-${BENELUX_OUTSIDE}/require;
    >>> spdadd ${BENELUX_NETWORK} ${LOCAL_NETWORK} any -P in ipsec
    >>> esp/tunnel/${BENELUX_OUTSIDE}-${LOCAL_OUTSIDE}/require;
    >>> spdadd ${ALLNET_1} ${BENELUX_NETWORK} any -P out ipsec
    >>> esp/tunnel/${LOCAL_OUTSIDE}-${BENELUX_OUTSIDE}/require;
    >>> spdadd ${BENELUX_NETWORK} ${ALLNET_1} any -P in ipsec
    >>> esp/tunnel/${BENELUX_OUTSIDE}-${LOCAL_OUTSIDE}/require;
    >>> EOF
    >>
    >> Try using "unique" instead of "require".
    >>
    >> Helge
    >
    >Thanks a lot Helge, this worked fine :)
    >
    >What does unique do instead of require..?

    Frankly, I never understood this in detail. "unique" appears to tie
    together the SA and the policy and appears to ensure that the correct SA
    is being used for a policy. But then I don't see what "require" would be
    useful for at all, as the "unique" behaviour is what one usually wants
    to achieve when using IKE (racoon).

    Actually this question pops up every now and then, with always the same
    answer. :-) For example, if you're talking against a Cisco VPN gateway,
    you *must* use unique, otherwise it won't work at all.

    Maybe somebody else can shed some light on the matter?

    Helge
    _______________________________________________
    freebsd-net@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-net
    To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
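The thread's advice is to change the level field of each `spdadd` tunnel policy from `require` to `unique`. The checker below is an added example, not code from the thread or from the setkey/racoon projects: it parses setkey SPD scripts (statements end in `;` and may span lines, as in Jamie's heredoc), lists IPsec tunnel policies still at a level other than `unique`, and rewrites the level field in place so the script can be reviewed before it is fed to `setkey -c`. The policy grammar assumed is `spdadd src dst upperspec -P dir action [proto/mode/[local-remote]/level]`, the function names are my own, and the addresses in the embedded sample are constructed from the RFC 5737 documentation ranges rather than taken from the original message.

```python
import re

# Constructed sample in the shape of the thread's SPD script, with the shell
# variables filled in with RFC 5737 documentation addresses (not real networks).
# Two tunnels use "require", one already uses "unique".
SAMPLE_SPD = """flush;
spdflush;
spdadd 192.0.2.0/24 198.51.100.0/24 any -P out ipsec
esp/tunnel/203.0.113.1-203.0.113.2/require;
spdadd 198.51.100.0/24 192.0.2.0/24 any -P in ipsec
esp/tunnel/203.0.113.2-203.0.113.1/require;
spdadd 192.0.2.0/24 198.51.100.128/25 any -P out ipsec
esp/tunnel/203.0.113.1-203.0.113.3/unique;
spdadd 198.51.100.128/25 192.0.2.0/24 any -P in ipsec
esp/tunnel/203.0.113.3-203.0.113.1/unique;
"""

# One spdadd statement, already joined onto a single line.
# The policy string (proto/mode/endpoints/level) is optional because
# "discard" and "none" actions carry no policy string.
SPDADD_RE = re.compile(
    r"spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<upper>\S+)\s+"
    r"-P\s+(?P<dir>in|out|fwd)\s+(?P<action>ipsec|discard|none)"
    r"(?:\s+(?P<proto>esp|ah|ipcomp)/(?P<mode>tunnel|transport)/"
    r"(?:(?P<local>[^-/\s]+)-(?P<remote>[^/\s]+))?/"
    r"(?P<level>default|use|require|unique(?::\d+)?))?"
)


def parse_spd(text):
    """Return a list of dicts, one per spdadd statement in a setkey script."""
    # Collapse line breaks first: setkey terminates statements with ';',
    # so a policy may be split across lines exactly as in the thread.
    stmts = [s.strip() for s in " ".join(text.split()).split(";") if s.strip()]
    policies = []
    for stmt in stmts:
        if not stmt.startswith("spdadd"):
            continue  # flush, spdflush and add statements are not policies
        m = SPDADD_RE.match(stmt)
        if m is None:
            raise ValueError("unparsed spdadd statement: " + stmt)
        policies.append(m.groupdict())
    return policies


def non_unique_policies(policies):
    """(src, dst, dir, level) of IPsec tunnel policies not bound with 'unique'."""
    return [
        (p["src"], p["dst"], p["dir"], p["level"])
        for p in policies
        if p["action"] == "ipsec"
        and p["mode"] == "tunnel"
        and not p["level"].startswith("unique")
    ]


def rewrite_level(text, old="require", new="unique"):
    """Replace the level field of every policy string, leaving all else intact."""
    pattern = r"(/(?:tunnel|transport)/[^/\s;]*/)" + re.escape(old) + r"\b"
    return re.sub(pattern, lambda m: m.group(1) + new, text)


if __name__ == "__main__":
    for src, dst, direction, level in non_unique_policies(parse_spd(SAMPLE_SPD)):
        print("policy %s -> %s (%s) uses level '%s'" % (src, dst, direction, level))
    print(rewrite_level(SAMPLE_SPD))
```

Feeding a real script through `rewrite_level` and diffing the result against the original is a quick way to confirm that only the level field changed before the script is loaded with `setkey -c`.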