Re: ipsec with multiple connections
- To: Matthias Teege <matthias-obsdmisc@mteege.de>
- Subject: Re: ipsec with multiple connections
- From: Hakan Olsson <ho@rfc.se>
- Date: Sat, 1 Nov 2003 12:24:11 +0100 (CET)
- Cc: misc@openbsd.org
- References: <863ce2vkzo.fsf@gic.mteege.de> <86pth6tieq.fsf@gic.mteege.de>

On Thu, 9 Oct 2003, Matthias Teege wrote:
> Matthias Teege <matthias-obsdmisc@mteege.de> writes:
>
> > But I can only get one connection work. Only the first named
> > connection comes up. I can switch
> > «Connections=IPsec-east-west,IPsec-east-pub» to
> > «Connections=IPsec-east-pub,IPsec-east-west» and then the other one
> > worked.
>
> I'm wrong. It was not the first named connection but the connection
> with the first traffic on there. Is there a problem with isakmpd
> and multiple subnets?

No, that should work just fine. Do you see any warnings from the isakmpd
process?

Does 'netstat -rn -f encap' give you two or four entries (flows)?

If you 'mkdir /kern; mount -t kernfs /kern /kern', how many SAs do you see
with 'cat /kern/ipsec'? (Both this and the above should be "four").

If not, start isakmpd with either debugging, as in 'isakmpd -d -DA=90',
and/or with cleartext IKE packet capture, 'isakmpd -L'. The latter will
produce output in the file /var/run/isakmpd.pcap, which can be read by
'tcpdump -nvs1500 -r /var/run/isakmpd.pcap'. This output will probably
hint at what goes wrong.

/H