#31 Only one host accessible from two configured

Status: closed
Owner: nobody
Priority: 5
Updated: 2006-02-26
Created: 2006-02-24
Creator: vkangin
Private: No

Linux Fedora Core 4 x86_64 2.6.15-1.1831_FC4

ipsec-tools-0.5-4

The network is shown on the attached diagram.

Configs

@D

#setkey -c
flush;
spdflush;
spdadd D A any -P out ipsec esp/tunnel/D-C/require;
spdadd D B any -P out ipsec esp/tunnel/D-C/require;
spdadd A D any -P in ipsec esp/tunnel/C-D/require;
spdadd B D any -P in ipsec esp/tunnel/C-D/require;

#cat /etc/racoon/racoon.conf
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/cert";
log debug2;

padding
{
maximum_length 20; # maximum padding length.
randomize off; # enable randomize length.
strict_check off; # enable strict check.
exclusive_tail off; # extract last one octet.
}

listen
{
isakmp D [500];
}

timer
{
counter 5; # maximum trying count to send.
interval 20 sec; # maximum interval to resend.
persend 1; # the number of packets per a send.
phase1 30 sec;
phase2 15 sec;
}

remote C
{
exchange_mode main,aggressive;
doi ipsec_doi;
situation identity_only;

my_identifier address D;

nonce_size 16;
lifetime time 24 hour; # sec,min,hour
initial_contact on;
proposal_check obey; # obey, strict or claim

proposal {
encryption_algorithm 3des;
hash_algorithm md5;
authentication_method pre_shared_key;
dh_group 2;
}
}

sainfo address D any address A any
{
pfs_group 2;
lifetime time 1 hour;
encryption_algorithm 3des;
authentication_algorithm hmac_md5;
compression_algorithm deflate;
}

sainfo address D any address B any
{
pfs_group 2;
lifetime time 1 hour;
encryption_algorithm 3des;
authentication_algorithm hmac_md5;
compression_algorithm deflate;
}

@C

crypto isakmp policy 6
encr 3des
hash md5
authentication pre-share
group 2

crypto isakmp key 1234123412341234 address D

ip access-list extended Test
permit ip host A host D
permit ip host B host D

crypto map rtp 62 ipsec-isakmp
set peer D
set transform-set rtp3des
match address Test

ip access-list extended INBOUND
remark *** Test VPN ***
permit esp host D host C
permit udp host D host C eq isakmp

The problem is that D could access only either A or B
at a time, depending on how the VPN has been initiated.
Basically, when after start D connects to A, then it
could communicate only with A as long as needed. While if
D after start connects to B, then it could communicate
only with B as long as needed.

I guess my configuration has a problem and probably
separate SPIs are not created for each host.

Please advise.

v at kangin org

Discussion

  • vkangin
    2006-02-24

    Network diagram

    Attachments

  • Aidas Kasparas
    2006-02-25

    try to change require to unique in all your policies @D.
    This is required if the other side is *swan; maybe this is the case
    for cisco (?) too (have not seen problem reports before).

  • vkangin
    2006-02-26

    • status: open --> closed

  • vkangin
    2006-02-26

    Thanx monas,

    Yes, you're right, it solves the problem, thanks.

    Resolving ticket.
    vkangin
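As an added check written for this page (example code, not part of ipsec-tools and not posted in the ticket), the following Python lint parses the `setkey -c` SPD from the ticket, reports tunnel-mode policies that share one tunnel endpoint pair at level `require`, and rewrites those lines to `unique` as Aidas Kasparas suggests. With `require`, the first policy to trigger an ACQUIRE gets an SA whose phase 2 selectors cover only its own hosts, and the second policy silently reuses that SA instead of getting its own SPI, which is the behaviour the reporter describes. The hosts A, B, C and D are kept as symbolic tokens from the ticket; setkey itself would need real addresses, and the parser assumes one ipsec request per `spdadd` line, the form used above.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample input: the setkey SPD from the ticket, kept with its
# symbolic hosts A, B, C, D. setkey itself needs real addresses; the
# parser only needs whitespace-separated tokens.
TICKET_SPD = """\
flush;
spdflush;
spdadd D A any -P out ipsec esp/tunnel/D-C/require;
spdadd D B any -P out ipsec esp/tunnel/D-C/require;
spdadd A D any -P in ipsec esp/tunnel/C-D/require;
spdadd B D any -P in ipsec esp/tunnel/C-D/require;
"""

# One ipsec request per policy is assumed (the form used in the ticket);
# chained requests such as "esp/... ah/..." are skipped, not parsed.
SPDADD_RE = re.compile(
    r"^spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+-P\s+"
    r"(?P<dir>in|out|fwd)\s+ipsec\s+(?P<req>\S+?)\s*;\s*$"
)


@dataclass(frozen=True)
class Policy:
    src: str
    dst: str
    proto: str
    direction: str
    ipsec_proto: str  # esp or ah
    mode: str         # tunnel or transport
    tunnel: str       # "D-C" in tunnel mode, "" in transport mode
    level: str        # default, use, require or unique


def parse_spd(text: str) -> List[Policy]:
    """Parse spdadd lines; flush;, spdflush;, comments and blanks are skipped."""
    policies = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = SPDADD_RE.match(line)
        if not m:
            continue
        parts = m.group("req").split("/")
        if len(parts) != 4:
            raise ValueError(f"unexpected ipsec request: {m.group('req')}")
        ipsec_proto, mode, tunnel, level = parts
        policies.append(Policy(m.group("src"), m.group("dst"), m.group("proto"),
                               m.group("dir"), ipsec_proto, mode, tunnel, level))
    return policies


def shared_require_tunnels(policies: List[Policy]) -> Dict[Tuple[str, str], List[Policy]]:
    """Tunnel-mode policies grouped by (direction, tunnel endpoints), keeping
    only groups of two or more at level 'require'. Such a group can be served
    by a single SA: the first policy to trigger an ACQUIRE gets an SA whose
    proxy IDs cover only its own selectors, and the other policies then reuse
    that SA instead of getting their own SPI, which is what the ticket observes."""
    groups: Dict[Tuple[str, str], List[Policy]] = defaultdict(list)
    for p in policies:
        if p.mode == "tunnel" and p.level == "require":
            groups[(p.direction, p.tunnel)].append(p)
    return {key: pols for key, pols in groups.items() if len(pols) > 1}


def set_level(text: str, old: str = "require", new: str = "unique") -> str:
    """Rewrite the level of every spdadd line from old to new. With 'unique'
    the kernel binds each SA to the policy that requested it, so every policy
    negotiates its own SA (the fix suggested in the discussion)."""
    out = []
    pattern = re.compile(rf"/{re.escape(old)}(\s*;\s*)$")
    for raw in text.splitlines():
        if SPDADD_RE.match(raw.strip()):
            raw = pattern.sub(rf"/{new}\1", raw)
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for (direction, tunnel), pols in shared_require_tunnels(parse_spd(TICKET_SPD)).items():
        selectors = ", ".join(f"{p.src}->{p.dst}" for p in pols)
        print(f"{direction} policies sharing tunnel {tunnel} at level require: {selectors}")
    print(set_level(TICKET_SPD))
```

Run against the ticket's SPD, the lint reports one outbound group (D-C, serving D->A and D->B) and one inbound group (C-D), and the rewritten SPD has four `unique` policies with no findings. The Cisco side's crypto ACL (`permit ip host A host D` and `permit ip host B host D`) already defines two separate proxy identities, so it expects two SA pairs; `unique` makes racoon negotiate a matching pair for each policy instead of one SA that the Cisco accepts only for the first host pair.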