Re: isakmpd and multiple subnets to same peer
On Tue, 25 Feb 2003, Andre Ruppert wrote:
...
> I run an isakmpd-vpn between more than 10 peers, but I haven't any
> idea for the following problem
>
> subnet A ---- vpn-gate A -------- vpn-gate B ---- subnet B
>                   |
>             <some routers>
>                   |
> subnet C ---------
>
> A to B and vice versa works,
>
> C to A and vice versa without VPN works (static routes, gate A is
> default gateway for C, but different subnets)
Does that imply C to A and back with the VPN enabled does not? If so, it
suggests a configuration error in isakmpd.conf and/or pf.conf.
> C to B and vice versa doesn't work.
> Phase 1 overlaps concerning the peer definitions (on gate A and B)
> Only Phase 2 contains the configuration for subnet C.
>
> Could there exist a problem because subnet C is not directly connected
> to gate A (there's a no-nat transfer net between them)?
No, this should work without a problem. IPsec "routing" is basically
IP-routing plus the "tunnel" shortcuts. There is very little magic here.
The <some routers> part does not matter, just as in normal IP-routing.
>
> Anyone who already set up a similar configuration?
Yes.
First, you need to define two "Connections", i.e.
[Phase 2]
Connections= net-A-B,net-C-B
These phase 2 definitions should look something like:
[net-A-B]
...
Peer= vpn-gateB
Local-ID= subnet-A
Remote-ID= subnet-B
[net-C-B]
...
Peer= vpn-gateB
Local-ID= subnet-C
Remote-ID= subnet-B
The other side, vpn-gateB, should be likewise configured. Two
"Connections", that both go to vpn-gateA, Local-ID= subnet-B and with
Remote-ID to subnet-A/subnet-C respectively.
/H
--
Håkan Olsson <ho@crt.se> (+46) 708 437 337 Carlstedt Research
Unix, Networking, Security (+46) 31 701 4264 & Technology AB
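A complete isakmpd.conf for vpn-gateA following the two-connection layout Håkan describes, as an added example and not text from the thread or from the isakmpd project; the addresses, subnets and pre-shared key are constructed placeholders, and the phase 2 peer key is spelled ISAKMP-peer as in isakmpd.conf(5), which the reply abbreviates to Peer. vpn-gateB mirrors this file: Local-ID= subnet-B in both connections, Remote-ID= subnet-A and subnet-C respectively.

```ini
# /etc/isakmpd/isakmpd.conf on vpn-gateA (constructed example)
[Phase 1]
198.51.100.1=           vpn-gateB
[Phase 2]
# one connection per local subnet that must reach subnet B
Connections=            net-A-B,net-C-B
[vpn-gateB]
Phase=                  1
Transport=              udp
Local-address=          192.0.2.1
Address=                198.51.100.1
Configuration=          Default-main-mode
Authentication=         PLACEHOLDER-preshared-key
[net-A-B]
Phase=                  2
ISAKMP-peer=            vpn-gateB
Configuration=          Default-quick-mode
Local-ID=               subnet-A
Remote-ID=              subnet-B
[net-C-B]
Phase=                  2
ISAKMP-peer=            vpn-gateB
Configuration=          Default-quick-mode
Local-ID=               subnet-C
Remote-ID=              subnet-B
# subnet C is behind <some routers>, but its ID is declared here exactly
# like a directly attached network; gate A only needs a route to it
[subnet-A]
ID-type=                IPV4_ADDR_SUBNET
Network=                10.1.0.0
Netmask=                255.255.255.0
[subnet-B]
ID-type=                IPV4_ADDR_SUBNET
Network=                10.2.0.0
Netmask=                255.255.255.0
[subnet-C]
ID-type=                IPV4_ADDR_SUBNET
Network=                10.3.0.0
Netmask=                255.255.255.0
[Default-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             3DES-SHA
[Default-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-3DES-SHA-SUITE
```

Both phase 2 sections share the single phase 1 peer, which is what "Phase 1 overlaps" in the question refers to; a flow from C to B that is not covered by pf.conf and the net-C-B selectors will simply be routed in the clear, so check the SAs with ipsecctl or netstat after both connections come up.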