(My apologies for the re-post.  I originally posted this message to ipsec-tools-users before I was aware of what a spam pit that place has become.)

Hello all,

I currently have the following network setup:

Network A-->VPN gateway X<---Internet--->VPN gateway Y<--Networks B and C

VPN gateway X is a Linux machine running racoon 0.7.3 and has an interior IP of aaa.aaa.aaa.aaa and an exterior IP of xxx.xxx.xxx.xxx.  VPN gateway Y is a Cisco ASA and has an exterior IP of yyy.yyy.yyy.yyy and an interior IP of bbb.bbb.bbb.bbb.  If I have a machine on network A that tries to contact a machine on Network B, then everything works fine.  At this point, there is an SA between Network A and Network B.  If that machine then tries to contact a machine on Network C, gateway X makes no attempt to set up another SA, and doesn't pass packets between A and C.  Here's the interesting part: if a machine on network C now tries to contact a machine on network A, an SA gets set up, and then packets will get passed from A to C as well.

Here is the racoon config that I am using on gateway X:

# Racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the format and entries.

path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

# debug2 is the most verbose level: every phase 1 and phase 2 step is logged.
log debug2;

# Phase 2 (IPsec SA) parameters for traffic between Network A and Network B.
# "remoteid 1" binds this sainfo to the remote block below that carries "ph1id 1".
sainfo subnet <Network A subnet> any subnet <Network B subnet> any
{
        pfs_group 2;                                    # PFS using DH group 2 (1024-bit MODP)
        lifetime time 1 hour ;
        encryption_algorithm aes 256, aes 128, 3des ;   # offered to the peer in this order
        authentication_algorithm hmac_sha1, hmac_md5 ;  # 3des and hmac_md5 are legacy fallbacks
        compression_algorithm deflate ;
        remoteid 1 ;
}

# Phase 2 parameters for traffic between Network A and Network C.
# A separate sainfo per subnet pair, so each pair negotiates its own SA.
sainfo subnet <Network A subnet> any subnet <Network C subnet> any
{
        pfs_group 2;
        lifetime time 1 hour ;
        encryption_algorithm aes 256, aes 128, 3des ;
        authentication_algorithm hmac_sha1, hmac_md5 ;
        compression_algorithm deflate ;
        remoteid 1 ;
}

# Phase 1 (ISAKMP SA) parameters for the Cisco ASA, gateway Y.
remote yyy.yyy.yyy.yyy
{
        exchange_mode main;             # main mode (identity protection)
        my_identifier address;          # both ends identify themselves by IP address
        peers_identifier address;
        ph1id 1 ;                       # referenced by "remoteid 1" in the sainfo blocks above
        proposal_check claim;           # as responder, use the shorter lifetime and notify the peer if ours is shorter
        proposal {
                encryption_algorithm aes 256;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 5;             # DH group 5 (1536-bit MODP) for the phase 1 exchange
        }
}

I have tried several configs, and they all yield the same result.  I have even tried creating two remote sections for the same IP address but with different ph1id values.  Does anyone have an idea as to what is happening?  In general, how do you set up two networks through the same VPN gateway?

Thank you very much in advance.

Sincerely,

John Guthrie
jguthrie@limewire.com
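The part of a racoon setup that the post does not show is the kernel security policy database (SPD). racoon never initiates a phase 2 negotiation on its own: the kernel sends it an ACQUIRE when an outbound packet matches an SPD entry that has no SA yet, and racoon then picks the sainfo whose selectors match that entry. A gateway that only carries policies for one subnet pair will therefore never ask for the second SA until the far side initiates it. The following /etc/ipsec-tools.conf for gateway X is an added example, not the original poster's file; it reuses the page's placeholders (<Network A subnet>, <Network B subnet>, <Network C subnet>, xxx.xxx.xxx.xxx, yyy.yyy.yyy.yyy) and assumes ESP tunnel mode with no AH, which the sainfo blocks above do not state.

```conf
#!/usr/sbin/setkey -f
# /etc/ipsec-tools.conf on gateway X (added example, not from the original post).
# Loaded with: setkey -f /etc/ipsec-tools.conf

# Drop any stale SAs and policies before installing the new set.
flush;
spdflush;

# Network A <-> Network B: one outbound and one inbound policy.
# The selectors here must match the sainfo selectors in racoon.conf exactly,
# because racoon uses them as the phase 2 identities it proposes to the ASA.
spdadd <Network A subnet> <Network B subnet> any -P out ipsec
        esp/tunnel/xxx.xxx.xxx.xxx-yyy.yyy.yyy.yyy/require;
spdadd <Network B subnet> <Network A subnet> any -P in ipsec
        esp/tunnel/yyy.yyy.yyy.yyy-xxx.xxx.xxx.xxx/require;

# Network A <-> Network C: a second, independent pair of policies.
# Without this "out" entry the kernel never sends an ACQUIRE for A->C traffic,
# so racoon has nothing to negotiate until a host on C initiates.
spdadd <Network A subnet> <Network C subnet> any -P out ipsec
        esp/tunnel/xxx.xxx.xxx.xxx-yyy.yyy.yyy.yyy/require;
spdadd <Network C subnet> <Network A subnet> any -P in ipsec
        esp/tunnel/yyy.yyy.yyy.yyy-xxx.xxx.xxx.xxx/require;
```

To check what the kernel actually holds, `setkey -DP` lists the installed policies and `setkey -D` lists the SAs that racoon has negotiated; with `log debug2` in racoon.conf, the matching "ACQUIRE" and phase 2 selector lines in the racoon log show which sainfo, if any, was chosen for a given outbound packet. The corresponding ASA side needs a crypto map ACL whose lines match these selectors one for one; a single aggregated ACL entry on the ASA will not match the per-subnet proposals racoon sends.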