On 6/21/07, Phillip Hellewell <sshock@gmail.com> wrote:
On 4/24/07, Phillip Hellewell <sshock@gmail.com> wrote:

Thanks.  I think I may have got it almost working now.  The problem I am having now is when the remote side has two subnets.

The remote side has both 192.168.0.0/21 and 10.2.2.0/24 subnets.  If I start out by pinging something on the 192.168.0.0/21 subnet, I can thereafter ping anything on that subnet.  But if I then ping something on the 10.2.2.0/24 subnet I can thereafter only ping on that subnet, and not on the 192.168.0.0/21 subnet anymore (until I bring down the vpn connections and start over).

Is there any way to set it up so that there is only one vpn tunnel, even though the remote side has two subnets?

Here's my racoon.conf (with public IPs replaced by letters) if that helps.

Thanks,
Phillip

path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
log notify;
listen {
        isakmp a.b.c.d [500];
        strict_address;
}

# Connection addev
remote x.y.z.w {
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group modp1536;
        }

        my_identifier fqdn "mydomain.com";
        verify_identifier on;
        lifetime time 8 hour;
        peers_identifier address x.y.z.w;
        exchange_mode main;
}

# Phase 2 (IPsec SA) parameters for traffic between this host and the remote 10.2.2.0/24 subnet
sainfo address a.b.c.d[any] any address 10.2.2.0/24[any] any {
        pfs_group modp1536;
        lifetime time 30 min;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

# Connection ad
# Phase 2 (IPsec SA) parameters for traffic between this host and the remote 192.168.0.0/21 subnet
sainfo address a.b.c.d[any] any address 192.168.0.0/21[any] any {
        pfs_group modp1536;
        lifetime time 30 min;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
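As an added example that is not part of Phillip's message: the kernel security policy (SPD) entries, in setkey syntax, that pair with the two sainfo blocks above. racoon negotiates one phase 2 (IPsec) SA per matching policy pair under the single phase 1 (ISAKMP) SA defined by the remote block, so two remote subnets mean two outbound and two inbound policies, but still one IKE peering. It assumes the local endpoint is the host a.b.c.d itself, as the `address a.b.c.d[any]` selectors in the sainfo lines imply; a.b.c.d and x.y.z.w are the same placeholders used in the config, not real addresses.

```conf
#!/usr/sbin/setkey -f
# Added example: SPD entries matching the two sainfo blocks in racoon.conf.
# a.b.c.d = this host's public IP, x.y.z.w = remote gateway (placeholders).
flush;
spdflush;

# Policies for the remote 192.168.0.0/21 subnet (one outbound, one inbound).
spdadd a.b.c.d 192.168.0.0/21 any -P out ipsec esp/tunnel/a.b.c.d-x.y.z.w/require;
spdadd 192.168.0.0/21 a.b.c.d any -P in  ipsec esp/tunnel/x.y.z.w-a.b.c.d/require;

# Policies for the remote 10.2.2.0/24 subnet (one outbound, one inbound).
spdadd a.b.c.d 10.2.2.0/24 any -P out ipsec esp/tunnel/a.b.c.d-x.y.z.w/require;
spdadd 10.2.2.0/24 a.b.c.d any -P in  ipsec esp/tunnel/x.y.z.w-a.b.c.d/require;
```

With `require` on every entry, traffic to either subnet is dropped rather than sent in the clear if its SA is missing, which is the safer failure mode for a site-to-site tunnel; `setkey -DP` lists the installed policies and `setkey -D` the negotiated SAs, so after pinging a host on each subnet you can confirm that both phase 2 SAs exist side by side under the one ISAKMP SA rather than one replacing the other.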