From: VANHULLEBUS Y. <va...@fr...> - 2006-03-04 12:55:48
On Sat, Mar 04, 2006 at 01:25:05PM +0100, Henning Holtschneider wrote:
> Hi,
>
> I'm trying to move several IPsec connections from a machine running
> Openswan to a VPN gateway running racoon (ipsec-tools 0.5.2 from Debian
> Sarge). Everything works fine, but I've got two issues with roadwarriors:
>
> First of all, I've got roadwarriors running Windows XP using Marcus
> Mueller's ipsec.exe. The connections work fine as long as the roadwarriors
> only connect to one subnet. As soon as I add a second connection
> description to another subnet on the Windows machines, I cannot connect to
> both subnets at the same time. When the first packet for the second subnet
> arrives on the Linux machine, racoon seems to purge the security policy for
> the first subnet. I have to delete the SAs or wait for them to expire to be
> able to connect to the first subnet again. Am I doing something wrong? Is
> the behaviour by design? Can this be changed?

This is probably a require/unique problem.

Generating "unique" policies is a new feature which is only in
ipsec-tools HEAD for the moment (and which will be included in 0.7).

> The second problem regards roadwarriors with different authentication
> methods. Most of my roadwarriors use X.509 certificates, but there are some
> which only support plain RSA keys or preshared keys. However, racoon will
> not let me define either multiple "remote anonymous" definitions nor does
> it support multiple authentication methods in one "remote anonymous"
> section. How can I overcome this problem?

I don't think there is actually a solution for that problem.

Support for multiple "remote anonymous" has already been asked, but
afaik, nobody really had time to work on that for now.

Yvan.