I'm not having a problem with this yet, but I was securing the racoon configuration at the same time as I'm trying to fully understand it. The situation I'm trying to solve now is this: two branch offices with dynamic IP addresses (ADSL) are connected to our network via an IPsec tunnel; the tunnel is a network-to-network tunnel (i.e.: the branch office can see computers in our networks and vice versa). Of course I had to use certificates for authentication and generate_policy.
Everything is working fine, but... let's say I configure the branch office 2 network (172.20.1.0/24) exactly like the branch office 1 network (172.16.10.0/24). If branch office 2 negotiates the tunnel first, it would prevent branch office 1 from connecting to our network, since a policy for their network (172.16.10.0/24) was established by the evil branch office 2.
I read the manual and found this "from" clause in the sainfo directive, but no clue of what it does. My guess was that it's to prevent the previous situation; I did some experiments in a lab but they failed because racoon couldn't get a valid sainfo for the tunnel (on endpoint_1, I added from fqdn "endpoint2.domain"). Removing the "from" clause made the tunnel work in my lab environment.
I'll continue the tests tomorrow, but it would really help me if someone who has used this clause could explain to me how it works or point me to some documentation (other than the source code :)).
Thanks in advance.
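An added example (not from the original post, and not copied from any particular racoon documentation): a hub-side racoon.conf sketch of the layout the question is after, with one sainfo per branch bound to that branch's identity. It assumes that sainfo's `from idtype string` is matched against the peer's phase 1 identity, that each branch sends an FQDN identity that its certificate also carries (so one branch cannot claim the other's identity with its own certificate), and that the hub subnet and hostnames are made-up placeholders.

```conf
# Constructed hub-side racoon.conf fragment (placeholders: 10.0.0.0/24 is the hub
# network, branch1.example.net / branch2.example.net are the branch identities).
# Assumption: each branch sets "my_identifier fqdn ..." and its certificate's
# subjectAltName carries the same name, so the identity is tied to the certificate.

path certificate "/etc/racoon/certs";

remote anonymous {
        exchange_mode main;
        certificate_type x509 "hub.crt" "hub.key";
        verify_cert on;
        my_identifier asn1dn;
        generate_policy on;            # SPD entries are derived from the peer's proposal
        proposal_check obey;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method rsasig;
                dh_group 2;
        }
}

# Phase 2 parameters for branch 1: accepted only when the peer identified itself
# in phase 1 as branch1.example.net (assumed meaning of the "from" clause).
sainfo subnet 10.0.0.0/24 any subnet 172.16.10.0/24 any from fqdn "branch1.example.net" {
        pfs_group 2;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

# Same for branch 2 with its own subnet. A peer that proposes 172.16.10.0/24 while
# identifying as branch2.example.net matches neither block, so racoon finds no
# sainfo and rejects phase 2 instead of generating a policy for the wrong network.
sainfo subnet 10.0.0.0/24 any subnet 172.20.1.0/24 any from fqdn "branch2.example.net" {
        pfs_group 2;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

# Deliberately no "sainfo anonymous" fallback: an unmatched identity must fail,
# not fall through to a catch-all that would accept any subnet.
```

If the identity type or string in the from clause differs from what the peer actually sends in phase 1 (for example an asn1dn identity where fqdn is expected), no sainfo matches and phase 2 fails, which is consistent with the lab result described in the post.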