
multiple peers using ipsecadm



Hi Misc,

First let me ask if it is possible to set up multiple IPsec tunnels with ipsecadm. I would assume so but need to ask. I keep getting this error:

pfkey: File exists

when trying to set up a hub-and-spoke IPsec VPN with ipsecadm. I have put my configs below with changed-up addresses. I have also tried with different keys per peer and have the same problem. I get the first 4 lines of ipsecadm listed below in the first site. Then as soon as I insert the 5th line I get the error "pfkey: File exists". It seems to be based solely on the -dst address but I am really stumped. Any help would be great. I know I should use isakmpd and I started down that road but got stuck. I tried ipsecadm with 2 peers and got it going so thought I would expand it.



site1 = Main Branch

ipsecadm new esp -spi 100a -src x.x.x.81 -dst y.y.y.130 -forcetunnel -enc blf -keyfile /etc/isakmpd/keys/keyfile1
ipsecadm new esp -spi 100b -src x.x.x.81 -dst y.y.y.100 -forcetunnel -enc blf -keyfile /etc/isakmpd/keys/keyfile1
ipsecadm new esp -spi 100c -src x.x.x.81 -dst y.y.y.131 -forcetunnel -enc blf -keyfile /etc/isakmpd/keys/keyfile1

ipsecadm new esp -spi 100x -src y.y.y.130 -dst x.x.x.81 -forcetunnel -enc blf -keyfile /etc/isakmpd/keys/keyfile1
ipsecadm new esp -spi 100y -src y.y.y.100 -dst x.x.x.81 -forcetunnel -enc blf -keyfile /etc/isakmpd/keys/keyfile1
ipsecadm new esp -spi 100z -src y.y.y.131 -dst x.x.x.81 -forcetunnel -enc blf -keyfile /etc/isakmpd/keys/keyfile1


ipsecadm flow -out -require -proto esp -src x.x.x.81 -dst y.y.y.130 -addr 10.7.1.0/24 10.7.2.0/24
ipsecadm flow -in -require -proto esp -src x.x.x.81 -dst y.y.y.130 -addr 10.7.2.0/24 10.7.1.0/24

ipsecadm flow -out -require -proto esp -src x.x.x.81 -dst y.y.y.100 -addr 10.7.1.0/24 10.7.3.0/24
ipsecadm flow -in -require -proto esp -src x.x.x.81 -dst y.y.y.100 -addr 10.7.3.0/24 10.7.1.0/24

ipsecadm flow -out -require -proto esp -src x.x.x.81 -dst y.y.y.131 -addr 10.7.1.0/24 10.7.4.0/24
ipsecadm flow -in -require -proto esp -src x.x.x.81 -dst y.y.y.131 -addr 10.7.4.0/24 10.7.1.0/24

-----------------------------------------------------------------------------------------------------------------------------

site2 = C G

ipsecadm new esp -spi 100a -src x.x.x.81 -dst x.x.x.130 -forcetunnel -enc blf -keyfile /etc/isakmpd/keys/keyfile1
ipsecadm new esp -spi 100z -src y.y.y.130 -dst x.x.x.81 -forcetunnel -enc blf -keyfile /etc/isakmpd/keys/keyfile1

ipsecadm flow -out -require -proto esp -src y.y.y.130 -dst x.x.x.81 -addr 10.7.2.0/24 10.7.1.0/24
ipsecadm flow -in -require -proto esp -src y.y.y.130 -dst x.x.x.81 -addr 10.7.1.0/24 10.7.2.0/24

-----------------------------------------------------------------------------------------------------------------------------

site3 = Ot

ipsecadm new esp -spi 100b -src x.x.x.81 -dst y.y.y.100 -forcetunnel -enc blf -keyfile /etc/isakmpd/keys/keyfile2
ipsecadm new esp -spi 100y -src y.y.y.100 -dst x.x.x.81 -forcetunnel -enc blf -keyfile /etc/isakmpd/keys/keyfile2

ipsecadm flow -out -require -proto esp -src y.y.y.100 -dst x.x.x.81 -addr 10.7.3.0/24 10.7.1.0/24
ipsecadm flow -in -require -proto esp -src y.y.y.100 -dst x.x.x.81 -addr 10.7.1.0/24 10.7.3.0/24

-----------------------------------------------------------------------------------------------------------------------------

site4 = Lip

ipsecadm new esp -spi 100c -src x.x.x.81 -dst y.y.y.131 -forcetunnel -enc blf -keyfile /etc/isakmpd/keys/keyfile3
ipsecadm new esp -spi 100x -src y.y.y.131 -dst x.x.x.81 -forcetunnel -enc blf -keyfile /etc/isakmpd/keys/keyfile3

ipsecadm flow -out -require -proto esp -src y.y.y.131 -dst x.x.x.81 -addr 10.7.4.0/24 10.7.1.0/24
ipsecadm flow -in -require -proto esp -src y.y.y.131 -dst x.x.x.81 -addr 10.7.1.0/24 10.7.4.0/24


Thanks again,

Jason Houx
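An added pre-flight check for a batch of ipsecadm lines like the ones in the post above (example code written for this page, not from the original post and not part of OpenBSD's ipsecadm). Before loading SAs into a kernel it does two things: it flags -spi arguments that are not plain hexadecimal, and it reports (protocol, destination, SPI) triples that occur more than once, since adding an SA whose key already exists in the kernel fails with EEXIST, the errno that strerror(3) prints as "File exists". The SPI is normalized the way strtoul(3) with base 16 reads a string (leading hex digits only; parsing stops at the first other character); that ipsecadm hands -spi to such a base-16 conversion is an assumption here, not something the post states. The six site1 SA lines are reproduced inside the script as the sample input: as posted, 100x, 100y and 100z all reduce to 0x100 with the same destination x.x.x.81, which is the kind of collision the check is meant to catch. Since the author says the addresses in the post were changed, the sample only illustrates the check, not the real configuration.

```shell
#!/bin/sh
# Pre-flight check for "ipsecadm new ..." lines (added example, not ipsecadm's own code).
# Reports non-hex SPIs and (proto, dst, spi) keys that collide once the SPI is parsed
# like strtoul(3) with base 16: leading hex digits only, stop at the first other char.

# normalize_spi SPI: print the SPI as the kernel would see it, as lower-case hex
# without leading zeros. An optional 0x prefix is accepted; an empty digit run is 0.
normalize_spi() {
    hex=$(printf '%s' "$1" | sed -e 's/^0[xX]//' -e 's/[^0-9A-Fa-f].*$//' \
                                 -e 'y/ABCDEF/abcdef/' -e 's/^0*//')
    [ -n "$hex" ] || hex=0
    printf '%s\n' "$hex"
}

# sa_key LINE: for an "ipsecadm new PROTO ... -spi S ... -dst D ..." line print
# "PROTO D S" with S normalized; any other line prints nothing.
sa_key() {
    # shellcheck disable=SC2086  # word-splitting the command line is intended
    set -- $1
    [ "${1:-}" = "ipsecadm" ] && [ "${2:-}" = "new" ] && [ $# -ge 3 ] || return 0
    proto=$3 spi= dst=
    shift 3
    while [ $# -gt 0 ]; do
        case $1 in
            -spi) spi=${2:-} ;;
            -dst) dst=${2:-} ;;
        esac
        shift
    done
    printf '%s %s %s\n' "$proto" "$dst" "$(normalize_spi "$spi")"
}

# dup_sa_keys: read ipsecadm lines on stdin and print each SA key that occurs more
# than once, i.e. each SA that a second SADB_ADD would fail for with EEXIST.
dup_sa_keys() {
    while IFS= read -r line; do
        sa_key "$line"
    done | sort | uniq -d
}

# bad_spis: read ipsecadm lines on stdin and print every -spi argument containing
# a character outside 0-9A-Fa-f (after an optional 0x prefix).
bad_spis() {
    while IFS= read -r line; do
        # shellcheck disable=SC2086
        set -- $line
        [ "${1:-}" = "ipsecadm" ] && [ "${2:-}" = "new" ] || continue
        while [ $# -gt 1 ]; do
            if [ "$1" = "-spi" ]; then
                case ${2#0[xX]} in *[!0-9A-Fa-f]*) printf '%s\n' "$2" ;; esac
            fi
            shift
        done
    done
}

# Constructed sample input: the six SA lines of the post's site1 block, one per line.
SITE1_SAS='ipsecadm new esp -spi 100a -src x.x.x.81 -dst y.y.y.130 -forcetunnel -enc blf -keyfile /etc/isakmpd/keys/keyfile1
ipsecadm new esp -spi 100b -src x.x.x.81 -dst y.y.y.100 -forcetunnel -enc blf -keyfile /etc/isakmpd/keys/keyfile1
ipsecadm new esp -spi 100c -src x.x.x.81 -dst y.y.y.131 -forcetunnel -enc blf -keyfile /etc/isakmpd/keys/keyfile1
ipsecadm new esp -spi 100x -src y.y.y.130 -dst x.x.x.81 -forcetunnel -enc blf -keyfile /etc/isakmpd/keys/keyfile1
ipsecadm new esp -spi 100y -src y.y.y.100 -dst x.x.x.81 -forcetunnel -enc blf -keyfile /etc/isakmpd/keys/keyfile1
ipsecadm new esp -spi 100z -src y.y.y.131 -dst x.x.x.81 -forcetunnel -enc blf -keyfile /etc/isakmpd/keys/keyfile1'

echo "SPIs with non-hex characters:"
printf '%s\n' "$SITE1_SAS" | bad_spis
echo "SA keys (proto dst spi) that collide after hex parsing:"
printf '%s\n' "$SITE1_SAS" | dup_sa_keys
```

To check a real batch, feed the script's functions the file you are about to run instead of SITE1_SAS, e.g. `bad_spis < sas.sh; dup_sa_keys < sas.sh`. The check deliberately keys on destination and SPI only, not on source, because that is what distinguishes one SA from another in the kernel's table; two SAs that differ only in -src still collide.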


