
Re: multiple peers using ipsecadm - follow up



I figured out the problem: using spi 100a works but using 100z, y or x 
does not.  I changed these from a letter to a number like 1001, 1002 and 
everything works fine.  Thought I would post my follow-up.

Thanks to anyone that read the email :-)

Jason Houx



On Thu, 4 Dec 2003, Jason Houx wrote:

> Hi Misc,
> 
> 	First let me ask if it is possible to set up multiple ipsec tunnels 
> with ipsecadm.  I would assume so but need to ask.  I keep getting this 
> error:
> 
> pfkey: File exists
> 
> when trying to set up a hub and spoke ipsec vpn with ipsecadm.  I have put 
> my configs below with changed-up addresses.  I have also tried with 
> different keys per peer and have the same problem.  I get the first 4 
> lines of ipsecadm listed below in the first site.  Then as soon as I 
> insert the 5th line I get the error "pfkey: File exists".  It seems to be 
> based solely on the -dst address but I am really stumped.  Any help would 
> be great.  I know I should use isakmpd and I started down that road but 
> got stuck.  I tried ipsecadm with 2 peers and got it going so thought I 
> would expand it.
> 
> 
> 
> site1 = Main Branch
> ipsecadm new esp -spi 100a -src x.x.x.81 -dst y.y.y.130 -forcetunnel -enc blf -keyfile /etc/isakmpd/keys/keyfile1
> ipsecadm new esp -spi 100b -src x.x.x.81 -dst y.y.y.100 -forcetunnel -enc blf -keyfile /etc/isakmpd/keys/keyfile1
> ipsecadm new esp -spi 100c -src x.x.x.81 -dst y.y.y.131 -forcetunnel -enc blf -keyfile /etc/isakmpd/keys/keyfile1
> 
> ipsecadm new esp -spi 100x -src y.y.y.130 -dst x.x.x.81 -forcetunnel -enc blf -keyfile /etc/isakmpd/keys/keyfile1
> ipsecadm new esp -spi 100y -src y.y.y.100 -dst x.x.x.81 -forcetunnel -enc blf -keyfile /etc/isakmpd/keys/keyfile1
> ipsecadm new esp -spi 100z -src y.y.y.131 -dst x.x.x.81 -forcetunnel -enc blf -keyfile /etc/isakmpd/keys/keyfile1
> 
> 
> ipsecadm flow -out -require -proto esp -src x.x.x.81 -dst y.y.y.130 -addr 10.7.1.0/24 10.7.2.0/24
> ipsecadm flow -in -require -proto esp -src x.x.x.81 -dst y.y.y.130 -addr 10.7.2.0/24 10.7.1.0/24
> 
> ipsecadm flow -out -require -proto esp -src x.x.x.81 -dst y.y.y.100 -addr 10.7.1.0/24 10.7.3.0/24
> ipsecadm flow -in -require -proto esp -src x.x.x.81 -dst y.y.y.100 -addr 10.7.3.0/24 10.7.1.0/24
> 
> ipsecadm flow -out -require -proto esp -src x.x.x.81 -dst y.y.y.131 -addr 10.7.1.0/24 10.7.4.0/24
> ipsecadm flow -in -require -proto esp -src x.x.x.81 -dst y.y.y.131 -addr 10.7.4.0/24 10.7.1.0/24
> 
> -----------------------------------------------------------------------------------------------------------------------------
> 
> site2 = C G
> 
> ipsecadm new esp -spi 100a -src x.x.x.81 -dst x.x.x.130 -forcetunnel -enc blf -keyfile /etc/isakmpd/keys/keyfile1
> ipsecadm new esp -spi 100z -src y.y.y.130 -dst x.x.x.81 -forcetunnel -enc blf -keyfile /etc/isakmpd/keys/keyfile1
> 
> ipsecadm flow -out -require -proto esp -src y.y.y.130 -dst x.x.x.81 -addr 10.7.2.0/24 10.7.1.0/24
> ipsecadm flow -in -require -proto esp -src y.y.y.130 -dst x.x.x.81 -addr 10.7.1.0/24 10.7.2.0/24
> 
> -----------------------------------------------------------------------------------------------------------------------------
> 
> site3 = Ot
> 
> ipsecadm new esp -spi 100b -src x.x.x.81 -dst y.y.y.100 -forcetunnel -enc blf -keyfile /etc/isakmpd/keys/keyfile2
> ipsecadm new esp -spi 100y -src y.y.y.100 -dst x.x.x.81 -forcetunnel -enc blf -keyfile /etc/isakmpd/keys/keyfile2
> 
> ipsecadm flow -out -require -proto esp -src y.y.y.100 -dst x.x.x.81 -addr 10.7.3.0/24 10.7.1.0/24
> ipsecadm flow -in -require -proto esp -src y.y.y.100 -dst x.x.x.81 -addr 10.7.1.0/24 10.7.3.0/24
> 
> -----------------------------------------------------------------------------------------------------------------------------
> 
> site4 = Lip
> 
> ipsecadm new esp -spi 100c -src x.x.x.81 -dst y.y.y.131 -forcetunnel -enc blf -keyfile /etc/isakmpd/keys/keyfile3
> ipsecadm new esp -spi 100x -src y.y.y.131 -dst x.x.x.81 -forcetunnel -enc blf -keyfile /etc/isakmpd/keys/keyfile3
> 
> ipsecadm flow -out -require -proto esp -src y.y.y.131 -dst x.x.x.81 -addr 10.7.4.0/24 10.7.1.0/24
> ipsecadm flow -in -require -proto esp -src y.y.y.131 -dst x.x.x.81 -addr 10.7.1.0/24 10.7.4.0/24
> 
> 
> Thanks again,
> 
> Jason Houx
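
The follow-up says SPIs such as 100x, 100y and 100z fail where 100a works. An SPI is a hexadecimal number, and the kernel identifies an SA by the tuple (destination address, protocol, SPI), so two "ipsecadm new" calls that resolve to the same tuple give "pfkey: File exists". A likely reading of the failure (an assumption, not something the thread confirms) is that ipsecadm stops parsing the SPI at the first non-hex character, so 100x, 100y and 100z all become 0x100 toward the same -dst x.x.x.81 and collide on the fifth line. The script below is an added example, not code from the thread or from OpenBSD: a pre-flight lint that rejects non-hex SPIs and flags duplicate (dst, proto, spi) keys before anyone types the ipsecadm lines. The sample lists are constructed from the addresses posted above; POSTED_SAS is the site1 list as written, COLLIDING_SAS is a valid-hex list with a reused SPI toward one destination, and FIXED_SAS is the follow-up's numeric-SPI fix.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight lint for a planned list of
# ipsecadm "new esp" security associations. It rejects SPIs that are not pure
# hexadecimal and flags two SAs that share one (dst, proto, spi) key, the
# tuple the kernel uses to identify an SA, which is what makes the second
# "ipsecadm new" fail with "pfkey: File exists".

# Constructed sample 1: the site1 list as posted, "proto spi src dst" per line.
POSTED_SAS='esp 100a x.x.x.81 y.y.y.130
esp 100b x.x.x.81 y.y.y.100
esp 100c x.x.x.81 y.y.y.131
esp 100x y.y.y.130 x.x.x.81
esp 100y y.y.y.100 x.x.x.81
esp 100z y.y.y.131 x.x.x.81'

# Constructed sample 2: valid hex, but two inbound SAs reuse one SPI toward
# the same destination, so the second one collides in the kernel SA table.
COLLIDING_SAS='esp 1001 y.y.y.130 x.x.x.81
esp 1001 y.y.y.100 x.x.x.81'

# Constructed sample 3: the fix from the follow-up, one distinct SPI per peer.
FIXED_SAS='esp 100a x.x.x.81 y.y.y.130
esp 100b x.x.x.81 y.y.y.100
esp 100c x.x.x.81 y.y.y.131
esp 1001 y.y.y.130 x.x.x.81
esp 1002 y.y.y.100 x.x.x.81
esp 1003 y.y.y.131 x.x.x.81'

# is_hex_spi SPI: succeeds only if SPI is a non-empty run of hex digits.
is_hex_spi() {
    case "$1" in
        '')              return 1 ;;
        *[!0-9A-Fa-f]*)  return 1 ;;
        *)               return 0 ;;
    esac
}

# lint_sas: reads "proto spi src dst" lines from stdin, prints one line per
# problem found, and fails (returns 1) if there was any problem.
lint_sas() {
    problems=0
    seen=''
    while read -r proto spi src dst; do
        [ -z "$proto" ] && continue
        if ! is_hex_spi "$spi"; then
            echo "bad SPI '$spi' for dst $dst: SPI must be hexadecimal digits only"
            problems=$((problems + 1))
            continue
        fi
        # Kernel SA key: destination, protocol and SPI (hex, case-folded).
        key="$dst/$proto/$(printf '%s' "$spi" | tr 'A-F' 'a-f')"
        case " $seen " in
            *" $key "*)
                echo "duplicate SA $key (src $src): 'ipsecadm new' would fail with EEXIST"
                problems=$((problems + 1)) ;;
            *)
                seen="$seen $key" ;;
        esac
    done
    [ "$problems" -eq 0 ]
}

# problem_count LIST: number of lint findings for a multi-line SA list.
problem_count() {
    printf '%s\n' "$1" | lint_sas | awk 'END { print NR }'
}

# Demo: lint each constructed list before anyone types the ipsecadm lines.
for list in "$POSTED_SAS" "$COLLIDING_SAS" "$FIXED_SAS"; do
    echo "== $(problem_count "$list") problem(s) in list:"
    printf '%s\n' "$list" | lint_sas || true
done
```

Run it as a plain sh script; it prints three findings for the posted list (the three letter-suffixed SPIs), one for the colliding list and none for the fixed list. The check is deliberately stricter than "use numbers": 1001 is just another hex value, and what actually has to hold is that every SPI is well-formed hex and that no two SAs toward the same destination and protocol share one.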