IPSEC via isakmpd with identical source networks
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: IPSEC via isakmpd with identical source networks
- From: Ingbert Zan <Ingbert_(_dot_)_Zan_(_at_)_exasol_(_dot_)_com>
- Date: Wed, 05 Apr 2006 11:27:03 +0200
- Cc: zan <iz_(_at_)_exasol_(_dot_)_com>
- Organization: Exasol GmbH
- Reply-to: Ingbert_(_dot_)_Zan_(_at_)_exasol_(_dot_)_com
I have a problem setting up an OpenBSD 3.8
VPN router with the following network configuration:
10.0.0.0/8 ---| Box 1 |______
              |_______|      |       _______
                             |_____|       |
                             |     | OBSD  |____ 192.168.0.0/24
               _______       |     |_______|
10.0.0.0/8 ---| Box 2 |______|
              |_______|
On OpenBSD two isakmp daemons are running, each of which
is able to make the connection to one of the external
VPN routers with its own isakmpd.conf file.
I thought it would be possible to direct the traffic from Box 1
through the enc0 interface and the traffic from Box 2
through the enc1 interface, and to source NAT the two 10.0.0.0/8
networks to 22.214.171.124/8 and 126.96.36.199/8.
But all traffic goes through enc0 and it seems it's not
possible to distinguish between the two 10/8 networks on
When I start the two isakmpd one after another the last one wins
in the netstat -rn encap routing table.
"ipsecadm show" lists both Connections (4 SA).
If I make a ping through the Box which has the routing table entry
(e.g. Box 1) everything works well. If I make the ping through the other Box
the request goes to the destination in the 192.168.0.0/24 network,
but the reply goes out through Box 1.
Does anybody know how to distinguish between the two flows?
Of course it would be possible to NAT the two 10/8 networks
on Box 1 and 2.
Thanks in advance
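As an added illustration of the last option mentioned in the post (translating the overlapping 10/8 space on Box 1 and Box 2 themselves rather than on the OpenBSD router), here is a pf.conf fragment in the pre-4.7 pf syntax that OpenBSD 3.8 used. It is not the poster's configuration and assumes Box 1 is also an OpenBSD/pf host doing IPsec on enc0; the translated network 11.0.0.0/8 is a placeholder and would have to be replaced by an address range that is actually free at both sites.

```conf
# Hypothetical pf.conf fragment for Box 1 (OpenBSD 3.8-era syntax, assumed).
# Rewrite Box 1's 10.0.0.0/8 to a unique /8 before it enters the tunnel, so the
# central OpenBSD router sees two distinct source networks and can route the
# replies back to the right tunnel. binat keeps the mapping bidirectional,
# so return traffic for 11.x.y.z is translated back to 10.x.y.z.
# NAT on the enc0 interface applies the translation before IPsec processing.
binat on enc0 from 10.0.0.0/8 to 192.168.0.0/24 -> 11.0.0.0/8

# Box 2 would get the same rule with a different placeholder range, e.g.
#   binat on enc0 from 10.0.0.0/8 to 192.168.0.0/24 -> 12.0.0.0/8
```

With this in place, the IPsec flow negotiated by Box 1's isakmpd has to describe the translated network (11.0.0.0/8 to 192.168.0.0/24) rather than 10.0.0.0/8, and the central router's two flows then no longer collide in the encap routing table. The range chosen must not overlap anything reachable at either site, which is why the values above are marked as placeholders.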