[opennhrp-devel] using a single pre-shared ISAKMP key for multiple remote spokes
From: Frank R. <fre...@ce...> - 2011-11-22 04:30:01
Hello,

I'm using opennhrp in CentOS 6.0 as a spoke to communicate with a Cisco Hub and many other Cisco Spokes. All is well and dynamic spoke-to-spoke tunneling (both GRE and IPSec) is operational. Additionally, multicast is operational (I'm using ospf and pim-dm for routing), although this did require recompiling the kernel to remove the GRE patch introduced by opennhrp.

I'm writing in search of an optimization to the psk.txt file called by racoon.conf. The only way I have found to get dynamic spoke-to-spoke IPSec tunnels working is to list individual lines for all spokes in the psk.txt file. For example:

    172.16.1.1 this-is-my-key
    172.16.1.2 this-is-my-key
    ...
    172.16.1.n this-is-my-key

On Cisco routers, there is a capability to use a single ISAKMP key with an entire subnet, such as:

    crypto isakmp key this-is-my-key address 172.16.1.0 255.255.255.0

OR

    crypto isakmp key this-is-my-key address 0.0.0.0 0.0.0.0

(allows any IP to connect with this ISAKMP key)

A similar option does not appear to be available in the psk.txt file associated with racoon. Am I missing something, or is this an actual limitation of racoon?

Thanks for the assistance.

frank
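The per-spoke listing Frank describes can at least be generated rather than typed by hand. The following is an added example, not code from the post or from the opennhrp or racoon projects: it expands one pre-shared key over every usable host of a subnet into psk.txt lines, preserves entries that already exist (so a hub entry with a different key is never overwritten), and writes the result with mode 0600. The psk.txt layout it assumes is the one shown in the post (one "identifier key" pair per line, with "#" starting a comment); the 0600 requirement reflects racoon's refusal to load a key file readable by others, which you should confirm against your own racoon build. The sample psk.txt content and the 172.16.1.0/29 subnet are constructed for the demonstration.

```python
#!/usr/bin/env python3
"""Expand a single pre-shared key over a subnet into racoon psk.txt entries.

Added example, not from the mailing-list post or the opennhrp/racoon projects.
Assumptions: psk.txt holds one 'identifier<whitespace>key' pair per line, '#'
starts a comment, and racoon rejects a key file readable by group/others.
"""
import ipaddress
import os
import tempfile

# Constructed sample of an existing psk.txt: a hub with its own key and one
# spoke that is already listed. Neither line must be altered by the merge.
SAMPLE_PSK = (
    "# constructed sample psk.txt\n"
    "172.16.0.1\thub-key\n"
    "172.16.1.2\tthis-is-my-key\n"
)


def parse_psk(text):
    """Return {identifier: key} for existing psk.txt content.

    Blank lines and '#' comments are skipped; the key is everything after the
    first run of whitespace, so keys containing spaces survive a round trip.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # malformed line: ignore rather than guess at a key
        entries[parts[0]] = parts[1]
    return entries


def subnet_hosts(cidr):
    """Usable host addresses of a subnet (network and broadcast excluded)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [str(host) for host in net.hosts()]


def merge_psk(existing_text, cidr, key):
    """Add 'ip key' for every host in cidr that has no entry yet.

    Existing entries win, so a hub or a spoke with a distinct key is kept.
    Returns (all_entries, list_of_hosts_added).
    """
    entries = parse_psk(existing_text)
    added = []
    for host in subnet_hosts(cidr):
        if host not in entries:
            entries[host] = key
            added.append(host)
    return entries, added


def render_psk(entries):
    """Serialise entries back into psk.txt lines, tab separated."""
    return "".join(f"{ident}\t{key}\n" for ident, key in entries.items())


def write_psk(path, text):
    """Write psk.txt atomically with mode 0600 and return the resulting mode.

    The temp file is created in the target directory so os.replace() is an
    atomic rename; the mode is set before any key material is written.
    """
    dirname = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=dirname, prefix=".psk.")
    try:
        os.fchmod(fd, 0o600)
        with os.fdopen(fd, "w") as handle:
            handle.write(text)
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return os.stat(path).st_mode & 0o777


if __name__ == "__main__":
    merged, new_hosts = merge_psk(SAMPLE_PSK, "172.16.1.0/29", "this-is-my-key")
    print(render_psk(merged), end="")
    print(f"# added {len(new_hosts)} spoke entries: {', '.join(new_hosts)}")
```

Run it against a copy of your real file first (for example, `merge_psk(open('/etc/racoon/psk.txt').read(), '172.16.1.0/24', key)`) and diff the rendered output before calling `write_psk` on the live path; racoon re-reads the key file on the next negotiation, so no restart is needed after the replace.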