Thanks Stephen,

That pointed me directly at what I needed to know.

My system now correctly uses the two pairs of SPI entries between the connections.

Again, thanks.

On 31 Mar 2011 19:25, "Stephen Clark" <sclark46@earthlink.net> wrote:
> On 03/31/2011 01:12 PM, JL wrote:
>> Hi,
>>
>> I have several VPN setups where there are multiple SPD entries that
>> point to the same tunnel.
>>
>> Imagine a VPN endpoint which:
>> Has the network 10.1.1.0/24 locally, and provides VPN for
>> Has the network 10.2.2.0/24 locally, and provides VPN for
>> Has the address 1.1.1.1 as the tunnel endpoint
>> And communicates with a VPN endpoint which:
>> Has the network 172.16.0.0/24 locally, and provides VPN for
>> Has the address 2.2.2.2 as the tunnel endpoint
>>
>>
>> So, on my end, I would have:
>> $ setkey -D -P
>> 10.1.1.0/24[any] 172.16.0.0/24[any] any
>> out prio def ipsec
>> esp/tunnel/1.1.1.1-2.2.2.2/require
>> created: Mar 18 20:25:46 2011 lastused: Mar 28 18:21:40 2011
>> lifetime: 0(s) validtime: 0(s)
>> spid=1111 seq=1 pid=13817
>> refcnt=1
>> 172.16.0.0/24[any] 10.1.1.0/24[any] any
>> in prio def ipsec
>> esp/tunnel/2.2.2.2-1.1.1.1/require
>> created: Mar 18 20:25:46 2011 lastused: Mar 28 18:21:40 2011
>> lifetime: 0(s) validtime: 0(s)
>> spid=1112 seq=2 pid=13817
>> refcnt=1
>> 172.16.0.0/24[any] 10.1.1.0/24[any] any
>> fwd prio def ipsec
>> esp/tunnel/2.2.2.2-1.1.1.1/require
>> created: Mar 18 20:25:46 2011 lastused: Mar 28 18:21:40 2011
>> lifetime: 0(s) validtime: 0(s)
>> spid=1113 seq=3 pid=13817
>> refcnt=1
>> 10.2.2.0/24[any] 172.16.0.0/24[any] any
>> out prio def ipsec
>> esp/tunnel/1.1.1.1-2.2.2.2/require
>> created: Mar 18 20:25:46 2011 lastused: Mar 28 18:21:40 2011
>> lifetime: 0(s) validtime: 0(s)
>> spid=1114 seq=4 pid=13817
>> refcnt=1
>> 172.16.0.0/24[any] 10.2.2.0/24[any] any
>> in prio def ipsec
>> esp/tunnel/2.2.2.2-1.1.1.1/require
>> created: Mar 18 20:25:46 2011 lastused: Mar 28 18:21:40 2011
>> lifetime: 0(s) validtime: 0(s)
>> spid=1115 seq=5 pid=13817
>> refcnt=1
>> 172.16.0.0/24[any] 10.2.2.0/24[any] any
>> fwd prio def ipsec
>> esp/tunnel/2.2.2.2-1.1.1.1/require
>> created: Mar 18 20:25:46 2011 lastused: Mar 28 18:21:40 2011
>> lifetime: 0(s) validtime: 0(s)
>> spid=1116 seq=6 pid=13817
>> refcnt=1
>>
>>
>> And after ISAKMP:
>> $ setkey -D
>> 1.1.1.1 2.2.2.2
>> esp mode=tunnel spi=230879652(0x0dc2f1a4) reqid=0(0x00000000)
>> ... more details ...
>> 2.2.2.2 1.1.1.1
>> esp mode=tunnel spi=173461898(0x0a56d18a) reqid=0(0x00000000)
>> ... more details ...
>>
>> This works fine when both ends are Linux.
>>
>>
>> However, I have recently connected this up to a Cisco 3015. The Cisco
>> initiates *two* ISAKMP sessions (one with the first packet to one of
>> the 10.x.x.x networks, and the other with the first packet to the
>> other 10.x.x.x network), and I end up with:
>>
>> $ setkey -D
>> 1.1.1.1 2.2.2.2
>> esp mode=tunnel spi=242164931(0x0e6f24c3) reqid=0(0x00000000)
>> ... more details ...
>> 2.2.2.2 1.1.1.1
>> esp mode=tunnel spi=250074409(0x0ee7d529) reqid=0(0x00000000)
>> ... more details ...
>> 1.1.1.1 2.2.2.2
>> esp mode=tunnel spi=230879652(0x0dc2f1a4) reqid=0(0x00000000)
>> ... more details ...
>> 2.2.2.2 1.1.1.1
>> esp mode=tunnel spi=173461898(0x0a56d18a) reqid=0(0x00000000)
>> ... more details ...
>>
>> The Cisco will then send traffic for whichever network was used first,
>> using SPI 0x0a56d18a, which the Linux box will drop, as it expects SPI
>> 0x0ee7d529.
>>
>> Is this an issue anyone else here has come up against? Is there a way
>> I can modify my end to accept both SPIs? Or is anyone familiar enough
>> with Cisco 3015s to change that end?
>>
>> Any help will be greatly appreciated; I can't really see where to go from here.
>>
>> Thanks.
>>
> Have you tried using unique instead of require on your policies?
>
> --
>
> "They that give up essential liberty to obtain temporary safety,
> deserve neither liberty nor safety." (Ben Franklin)
>
> "The course of history shows that as a government grows, liberty
> decreases." (Thomas Jefferson)