From: Aidas K. <a.k...@gm...> - 2004-09-02 11:33:51

The Linux kernel does not combine transformations configured using different
spdadd directives. But you may try to set up the policy as

    spdadd host_A host_B any -P out ipsec
        esp/tunnel/host_A-router/unique
        esp/tunnel/host_A-host_B/unique;

[not sure which esp directive should go first (but order is important); I
never did that for my config, so it may even not work at all]

And don't forget to set up the corresponding "in" policy.

Juan Antonio Martínez Navarro wrote:
> Hi,
> I use Linux (Kernel 2.6.7). I have an IPsec tunnel to a router. This
> router sends all the traffic to the Internet. Now I want to make another
> tunnel to a specific host. So the traffic that Host A sends to Host B
> will be in two tunnels.
>
>  --------        --------        --------
>  |      |        |      |        |      |
>  |HOST A|        |ROUTER|        |HOST B|
>  |      |        |      |        |      |
>  --------        --------        --------
>     |               |               |
>     ==========================      |
>             TUNNEL 1                |
>     ==================================================
>          ---DATA---          TUNNEL 2
>     ==================================================
>
>     ==========================
>
> When I set these policies in setkey.conf I see that only one rule applies,
> so Host A only sends data into TUNNEL 1. But it doesn't send into
> TUNNEL 2.
> Is it possible to apply more than one rule?
> Thanks.
>
> SETKEY.CONF
> ------------
> # /etc/racoon/setkey.conf (or etc/ipsec.conf)
>
> # Flush the SAD and SPD entries
> flush;
> spdflush;
>
> spdadd 2001:720:1710:0:202:b3ff:feb8:1857/128
>        2002::202:b3ff:fe1c:e65b/128 tcp -P out ipsec
>        esp/tunnel/2001:720:1710:0:202:b3ff:feb8:1857-2002::202:b3ff:fe1c:e65b/require ;
> spdadd 2002::202:b3ff:fe1c:e65b/128
>        2001:720:1710:0:202:b3ff:feb8:1857/128 tcp -P in ipsec
>        esp/tunnel/2002::202:b3ff:fe1c:e65b-2001:720:1710:0:202:b3ff:feb8:1857/require ;
>
> spdadd 2001:720:1710:0:202:b3ff:feb8:1857/128
>        2002::202:b3ff:fe1c:e65b/128 udp -P out ipsec
>        esp/tunnel/2001:720:1710:0:202:b3ff:feb8:1857-2002::202:b3ff:fe1c:e65b/require ;
> spdadd 2002::202:b3ff:fe1c:e65b/128
>        2001:720:1710:0:202:b3ff:feb8:1857/128 udp -P in ipsec
>        esp/tunnel/2002::202:b3ff:fe1c:e65b-2001:720:1710:0:202:b3ff:feb8:1857/require ;
>
> spdadd 2001:720:1710:0:202:b3ff:feb8:1857/128 0::0/0 tcp -P out ipsec
>        esp/tunnel/2001:720:1710:0:202:b3ff:feb8:1857-2001:720:1710:0:202:b3ff:fe60:206e/require ;
> spdadd 0::0/0 2001:720:1710:0:202:b3ff:feb8:1857/128 tcp -P in ipsec
>        esp/tunnel/2001:720:1710:0:202:b3ff:fe60:206e-2001:720:1710:0:202:b3ff:feb8:1857/require ;
>
> spdadd 2001:720:1710:0:202:b3ff:feb8:1857/128 0::0/0 udp -P out ipsec
>        esp/tunnel/2001:720:1710:0:202:b3ff:feb8:1857-2001:720:1710:0:202:b3ff:fe60:206e/require ;
> spdadd 0::0/0 2001:720:1710:0:202:b3ff:feb8:1857/128 udp -P in ipsec
>        esp/tunnel/2001:720:1710:0:202:b3ff:fe60:206e-2001:720:1710:0:202:b3ff:feb8:1857/require ;
> ------------------------------------------------------
>
> _______________________________________________
> Ipsec-tools-devel mailing list
> https://lists.sourceforge.net/lists/listinfo/ipsec-tools-devel

-- 
Aidas Kasparas
IT administrator
GM Consult Group, UAB
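As an added example (not code from the thread or from ipsec-tools), a small Python lint that parses spdadd directives in the shape used above and reports flows for which more than one SPD entry matches, which is exactly the case where the kernel applies only one of them and the other tunnel is silently skipped. The embedded config is constructed with 2001:db8:: documentation addresses, not the poster's, and only the subset of setkey(8) syntax seen in the thread is handled.

```python
import ipaddress
from collections import namedtuple

# Constructed sample in the shape of the poster's setkey.conf: a host-specific
# tunnel to HOST B plus a catch-all tunnel via the ROUTER (2001:db8:1::ffff).
SETKEY_CONF = """
flush;
spdflush;
spdadd 2001:db8:1::1/128 2001:db8:2::2/128 tcp -P out ipsec
       esp/tunnel/2001:db8:1::1-2001:db8:2::2/require ;
spdadd 2001:db8:1::1/128 0::0/0 tcp -P out ipsec
       esp/tunnel/2001:db8:1::1-2001:db8:1::ffff/require ;
spdadd 2001:db8:1::1/128 0::0/0 udp -P out ipsec
       esp/tunnel/2001:db8:1::1-2001:db8:1::ffff/require ;
"""

SpdEntry = namedtuple("SpdEntry", "src dst proto direction transforms")

def parse_spd(text):
    """Parse 'spdadd SRC DST PROTO -P DIR ipsec TRANSFORM... ;' statements;
    flush/spdflush and anything else are skipped."""
    entries = []
    for stmt in text.split(";"):
        tok = stmt.split()
        if not tok or tok[0] != "spdadd":
            continue
        direction = tok[tok.index("-P") + 1]
        transforms = tok[tok.index("ipsec") + 1:]
        entries.append(SpdEntry(ipaddress.ip_network(tok[1]),
                                ipaddress.ip_network(tok[2]),
                                tok[3], direction, transforms))
    return entries

def matching_entries(entries, src_ip, dst_ip, proto, direction):
    """All entries whose selector covers this flow. The kernel uses only one
    of them, so more than one result means the rest are shadowed."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return [e for e in entries
            if e.direction == direction and e.proto in (proto, "any")
            and s in e.src and d in e.dst]

def overlapping_pairs(entries):
    """Pairs of same-direction entries whose selectors can both match one packet."""
    pairs = []
    for i, a in enumerate(entries):
        for b in entries[i + 1:]:
            if (a.direction == b.direction
                    and (a.proto == b.proto or "any" in (a.proto, b.proto))
                    and a.src.overlaps(b.src) and a.dst.overlaps(b.dst)):
                pairs.append((a, b))
    return pairs

if __name__ == "__main__":
    for a, b in overlapping_pairs(parse_spd(SETKEY_CONF)):
        print(f"overlap ({a.direction}/{a.proto}): {a.src}->{a.dst} and "
              f"{b.src}->{b.dst}: only one entry is applied per packet")
```

Each reported pair is a candidate for merging into a single spdadd carrying both esp/tunnel transforms, as suggested in the reply.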