Re: multiple Local-IDs for isakmpd


Re: multiple Local-IDs for isakmpd

Brian A. Seklecki
I opened a PR on this earlier this year.  Search my last name in
query-pr.

The Cisco 3000 supports SA Proposals with multiple discontiguous
subnets.

~BAS

On Tue, 2005-06-07 at 20:54, Tamas TEVESZ wrote:

> hi,
>
> i have a situation where a branch office with multiple,
> non-overlapping, non-aggregatable local networks need to connect to
> the head office, via an ipsec tunnel. "of course", the security
> gateway is also acting as a gateway to the internet (nat and the usual
> collateral stuff), and, as a matter of fact, some of the "local"
> networks are connected to it via openvpn (that is, it itself is a vpn
> concentrator of sorts, for openvpn tunnels).
>
> rough sketch:
>
>   -- branch office --              |             | -- head office --
>                                    |             |
> 172.16.187.0/24 -                  |             |
> 172.19.47.0/24   \   +-----------+ |             | +-----------+
>                   +- |security gw| - (ipsec tun) - |security gw| - ...
> 192.168.114.0/24 /   +--------+--+ |             | +-----------+
> 192.168.2.0/24  -             |
>                               \
>                                ---- (internet etc..)
>
> it may also be the case that at the head office end, there will be
> more than one host/network to be accessed, this is not clarified
> yet. i am not in control of the head office's concentrator, but i know
> that they are using a cisco 3060.
>
> how is this realized within isakmpd's configuration? i already have
> tried putting more than one ipv4_addr_subnets into the ipsec-id
> section, and even more than one ipsec-id section, but isakmpd throws
> them out (no surprise).
>
> if this cannot be realized within isakmpd, what other options do i
> have? pf route-tos/reply-tos are about the only thing i can think
> of... anything else?
>
> tia,


Re: multiple Local-IDs for isakmpd

Håkan Olsson
On 5 dec 2005, at 02.57, Brian A. Seklecki wrote:

> I opened a PR on this earlier this year.  Search my last name in
> query-pr.
>
> The Cisco 3000 supports SA Proposals with multiple discontiguous
> subnets.

The IKE protocol does not. In fact, subnets are not part of SA
proposals. (They're phase 2 IDs.)

One IPsec tunnel cannot manage more than one set of network to
network traffic. If you have two subnets at each site, you'll need
to configure four tunnels, etc.

For the problem at hand, one specifies multiple entries in
[Phase 2]:Connections, plus their config sections. There, multiple
discontiguous subnets. :)

(Granted, isakmpd configuration could (like Cisco) support an easier
way of configuring multiple networks. This may happen someday.)

You could also take a look at ipsecctl(8).

/H

>
> On Tue, 2005-06-07 at 20:54, Tamas TEVESZ wrote:
>> hi,
>>
>> i have a situation where a branch office with multiple,
>> non-overlapping, non-aggregatable local networks need to connect to
>> the head office, via an ipsec tunnel. "of course", the security
>> gateway is also acting as a gateway to the internet (nat and the usual
>> collateral stuff), and, as a matter of fact, some of the "local"
>> networks are connected to it via openvpn (that is, it itself is a vpn
>> concentrator of sorts, for openvpn tunnels).
>>
>> rough sketch:
>>
>>   -- branch office --              |             | -- head office --
>>                                    |             |
>> 172.16.187.0/24 -                  |             |
>> 172.19.47.0/24   \   +-----------+ |             | +-----------+
>>                   +- |security gw| - (ipsec tun) - |security gw| - ...
>> 192.168.114.0/24 /   +--------+--+ |             | +-----------+
>> 192.168.2.0/24  -             |
>>                               \
>>                                ---- (internet etc..)
>>
>> it may also be the case that at the head office end, there will be
>> more than one host/network to be accessed, this is not clarified
>> yet. i am not in control of the head office's concentrator, but i know
>> that they are using a cisco 3060.
>>
>> how is this realized within isakmpd's configuration? i already have
>> tried putting more than one ipv4_addr_subnets into the ipsec-id
>> section, and even more than one ipsec-id section, but isakmpd throws
>> them out (no surprise).
>>
>> if this cannot be realized within isakmpd, what other options do i
>> have? pf route-tos/reply-tos are about the only thing i can think
>> of... anything else?
>>
>> tia,
>

/H
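To make the "one Phase 2 connection per network pair" rule from the reply above concrete, here is an added example (not from either poster, and not part of isakmpd itself) that expands a list of branch-office subnets and a list of head-office subnets into the isakmpd.conf(5) sections the reply describes: a single [Phase 2] Connections= list, one connection section per local/remote pair, and one IPV4_ADDR_SUBNET ID section per subnet. The peer name HeadOffice, the head-office networks 10.10.0.0/16 and 10.20.5.0/24, and the section names are constructed for illustration; the [Phase 1] section for HeadOffice, the [General] section and the Default-quick-mode section are assumed to exist already, as in the sample isakmpd.conf shipped with OpenBSD.

```shell
#!/bin/sh
# Added example: generate isakmpd.conf [Phase 2] sections for every
# local/remote subnet pair. One IPsec tunnel carries exactly one
# network-to-network ID pair, so N local x M remote subnets need N*M
# connection sections (4 x 2 = 8 here).
# Peer name, head-office subnets and section names are constructed.

ISAKMP_PEER="HeadOffice"   # assumed name of the existing [Phase 1] peer section
LOCAL_NETS="172.16.187.0/24 172.19.47.0/24 192.168.114.0/24 192.168.2.0/24"
REMOTE_NETS="10.10.0.0/16 10.20.5.0/24"   # constructed head-office networks

# Convert a prefix length to a dotted netmask, e.g. 20 -> 255.255.240.0,
# because isakmpd ID sections take Network= and Netmask=, not CIDR.
prefix_to_mask() {
    bits=$1
    mask=""
    for octet in 1 2 3 4; do
        if [ "$bits" -ge 8 ]; then
            val=255; bits=$((bits - 8))
        elif [ "$bits" -gt 0 ]; then
            val=$((256 - (1 << (8 - bits)))); bits=0
        else
            val=0
        fi
        mask="${mask}${mask:+.}${val}"
    done
    printf '%s\n' "$mask"
}

# Turn "172.16.187.0/24" into a section name like "Net_172_16_187_0_24"
id_name() {
    printf 'Net_%s\n' "$1" | tr './' '__'
}

# Emit one IPV4_ADDR_SUBNET ID section for a CIDR prefix
emit_id_section() {
    net=${1%/*}; plen=${1#*/}
    printf '[%s]\nID-type=\t\tIPV4_ADDR_SUBNET\nNetwork=\t\t%s\nNetmask=\t\t%s\n\n' \
        "$(id_name "$1")" "$net" "$(prefix_to_mask "$plen")"
}

# Emit the [Phase 2] Connections list, one connection section per pair,
# then the ID sections the connections refer to.
gen_phase2() {
    conns=""
    for l in $LOCAL_NETS; do
        for r in $REMOTE_NETS; do
            conns="${conns}${conns:+,}$(id_name "$l")-$(id_name "$r")"
        done
    done
    printf '[Phase 2]\nConnections=\t\t%s\n\n' "$conns"
    for l in $LOCAL_NETS; do
        for r in $REMOTE_NETS; do
            printf '[%s-%s]\nPhase=\t\t\t2\nISAKMP-peer=\t\t%s\nConfiguration=\t\tDefault-quick-mode\nLocal-ID=\t\t%s\nRemote-ID=\t\t%s\n\n' \
                "$(id_name "$l")" "$(id_name "$r")" "$ISAKMP_PEER" \
                "$(id_name "$l")" "$(id_name "$r")"
        done
    done
    for n in $LOCAL_NETS $REMOTE_NETS; do
        emit_id_section "$n"
    done
}

# Number of Phase 2 connection sections produced (the tunnel count)
count_connections() {
    gen_phase2 | grep -c '^Phase=[[:space:]]*2$'
}

gen_phase2
```

Run it and append the output to an isakmpd.conf that already has the [General], [Phase 1] and Default-quick-mode sections; the head-office Cisco must carry the matching eight proxy-ID pairs, or quick mode fails for the pairs it lacks. On later OpenBSD the same expansion is what ipsecctl(8) does from an ipsec.conf flow rule, which is why the reply points there.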