[Ipsec-tools-users] Peers with /0.0.0.0 vs /255.255.255.255
From: Peter E. <pe...@bo...> - 2007-04-09 16:10:33
I have, now, two totally disparate peers that define their association with 0.0.0.0 instead of /32. In both cases they're not handy in conversations about networking in that they will reply that because it's a host there should be no subnet. I have limped with one peer doing this for some time by having the anonymous catch it, but the new peer requires different parameters and won't allow me to option a more general catch-all offering of options. Have others seen/experienced this?

I can, oddly, initiate to the peer with the /32 and they work fine until their side initiates a rekeying. At that point I have a window where the VPN is established but dead because I'm still carrying SAs that they're no longer using. If I shorten my lifetime in the anonymous in order to catch the second peer's rekeying, I'll break the first peer. Any ideas other than being a curmudgeon and really forcing the issue back onto them? Changing ipsec.conf and racoon.conf to /0 led to horrible results where nothing worked with these peers. The peers are Checkpoint and Cisco, I think.

Thanks,
peter
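For readers following the thread, here is an added racoon.conf sketch (not from the poster's configuration or from ipsec-tools itself) of the two shapes under discussion: a peer-specific `remote` block plus a `sainfo` keyed on exact /32 addresses, next to the `sainfo anonymous` catch-all that racoon falls through to when no specific `sainfo` matches the identities the peer proposes. All addresses are RFC 5737 documentation addresses chosen for illustration; the lifetimes and algorithms are assumptions, not values from the post.

```conf
# Added illustration; addresses, lifetimes and algorithms are assumed values.
path pre_shared_key "/etc/racoon/psk.txt";

# Phase 1 for one specific peer (hypothetical Check Point side at 192.0.2.10).
remote 192.0.2.10 {
        exchange_mode main;
        my_identifier address;
        proposal_check obey;
        lifetime time 8 hour;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

# Phase 2 selector for that peer, matched only when the ID payloads the
# peer sends are exactly these /32 hosts. A peer that identifies itself
# with a 0.0.0.0 mask will not hit this entry and drops to "anonymous".
sainfo address 203.0.113.5/32 any address 192.0.2.10/32 any {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

# Catch-all phase 2 entry. Its lifetime is the one the poster is reluctant to
# shorten, because every peer that falls through lands here and shares it.
sainfo anonymous {
        pfs_group 2;
        lifetime time 8 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
```

The point of splitting it this way is that each peer whose identity racoon can match gets its own `sainfo` (and therefore its own lifetime), so the `anonymous` entry only has to suit the peers that cannot be matched exactly; whether a given peer lands in the specific entry depends entirely on the identities it sends, which is the behaviour the post describes.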