On 06/28/2012 05:29 AM, Sumit Kaur wrote:

Hi,

We have the setup below:

There are 2 tunnels created between end points A (of Node1) and B (of Node2).

A(Node1) has got 2 ip-addresses say, x and y

B(Node2) has got only 1 ip-address say, z

The tunnels are between A and B, but tunnel1's endpoints are x and z, and tunnel2's endpoints are y and z.
 
At Node1, racoon.conf gets only one remote entry, i.e. for z:

remote z
{
}

whereas the expected behaviour is to have two remote z {} sections, because there are two different sets of IKE phase 1 parameters for the same remote.

Because of this, racoon fails to establish proper proposals, and traffic fails.

We tried manually editing racoon.conf to have multiple remote z {} sections, one for each separate set of tunnels, but even then problems are seen.
 
So, I wanted to check whether racoon really supports this kind of setup, where we need to configure different IKE phase 1 parameters for the same remote endpoint, i.e. having multiple remote z {} sections in racoon.conf?
 
 
Thanks

Sumit

_______________________________________________
Ipsec-tools-devel mailing list
Ipsec-tools-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ipsec-tools-devel

This is doable - we do it all the time.
We just assign alias internal addresses to make the proposals unique.

remote 216.xxx.xxx.xxx
{
        exchange_mode main,aggressive;
        doi ipsec_doi;
        situation identity_only;
        my_identifier address;
        peers_identifier address;
        nonce_size 16;
        lifetime time 6000 sec;
        initial_contact on;
        support_proxy on;
        proposal_check obey;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo address 10.255.10.15 any address 10.255.100.40 any
{
        pfs_group 1;
        lifetime time 3600 sec;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

sainfo address 10.255.100.40 any address 10.255.10.15 any
{
        pfs_group 1;
        lifetime time 3600 sec;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

remote 63.xxx.xxx.xxx
{
        exchange_mode main,aggressive;
        doi ipsec_doi;
        situation identity_only;
        my_identifier address;
        peers_identifier address;
        nonce_size 16;
        lifetime time 6000 sec;
        initial_contact on;
        support_proxy on;
        proposal_check obey;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo address 10.255.4.10 any address 10.255.253.0/24 any
{
        lifetime time 3600 sec;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

sainfo address 10.255.253.0/24 any address 10.255.4.10 any
{
        lifetime time 3600 sec;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}



-- 

"They that give up essential liberty to obtain temporary safety, 
deserve neither liberty nor safety."  (Ben Franklin)

"The course of history shows that as a government grows, liberty 
decreases."  (Thomas Jefferson)
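A quick check for the layout Sumit describes, added here as an example that is not from the thread or from the ipsec-tools project: a small Python parser walks a racoon.conf, honours the nested proposal braces, and reports any peer that has more than one remote block together with the exchange_mode of each, so the duplicate-section situation can be spotted before racoon is restarted. The configuration text and the peer address 192.0.2.1 are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed racoon.conf fragment (not from the thread): the questioner's
# situation, two "remote" blocks for the same peer address 192.0.2.1.
SAMPLE_CONF = """
remote 192.0.2.1
{
        exchange_mode main;
        proposal { encryption_algorithm 3des; hash_algorithm sha1;
                   authentication_method pre_shared_key; dh_group 2; }
}
remote 192.0.2.1   # second phase-1 parameter set for the same peer
{
        exchange_mode aggressive;
        proposal { encryption_algorithm aes; hash_algorithm sha256;
                   authentication_method pre_shared_key; dh_group 14; }
}
"""

def top_level_blocks(text):
    """Yield (keyword, header, body) per top-level block, honouring nested braces."""
    text = re.sub(r'#.*', '', text)          # drop '#' comments before parsing
    header_re = re.compile(r'^\s*(remote|sainfo)\s+([^{]+?)\s*\{', re.M)
    pos = 0
    while (m := header_re.search(text, pos)):
        depth, i = 1, m.end()
        while depth and i < len(text):        # scan to the matching close brace
            depth += {'{': 1, '}': -1}.get(text[i], 0)
            i += 1
        yield m.group(1), ' '.join(m.group(2).split()), text[m.end():i - 1]
        pos = i

def remote_sections(text):
    """Map each remote peer address/identifier to the block bodies declared for it."""
    peers = defaultdict(list)
    for keyword, header, body in top_level_blocks(text):
        if keyword == 'remote':
            peers[header].append(body)
    return dict(peers)

def duplicate_remotes(text):
    """Peers given more than one remote block, i.e. the layout the thread asks about."""
    return sorted(p for p, bodies in remote_sections(text).items() if len(bodies) > 1)

def exchange_modes(text, peer):
    """exchange_mode setting of each remote block for `peer`, in file order."""
    return [m.group(1) for body in remote_sections(text).get(peer, [])
            for m in [re.search(r'exchange_mode\s+([^;]+);', body)] if m]
```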