From owner-freebsd-net@FreeBSD.ORG Tue May 9 03:04:31 2006
Date: Mon, 8 May 2006 22:04:29 -0500
From: David DeSimone
To: freebsd-net@freebsd.org
Message-ID: <20060509030428.GA16965@verio.net>
In-Reply-To: <445FDB7B.1060704@astralblue.net>
Subject: Re: IPSEC Interop problem with Cisco using multiple SA's
List-Id: Networking and TCP/IP with FreeBSD

Eugene M. Kim wrote:
>
> I haven't tried this myself, but you may want to try using
> "unique:" instead of "require" as the policy level

After reading up on this behavior, I gave it a try, replacing all
"require" policies with "unique". I found that there was no need to set
a policy identifier, as the system apparently chooses a random
identifier if none is specified, and so all SPDs create unique SADs as
a result.

The result leads to exactly the behavior that I (and Cisco) expect to
see, and my multiple tunnels are now fully operational.

Thank you for the help with this!

--
David DeSimone == Network Admin == fox@verio.net
"It took me fifteen years to discover that I had no talent for
 writing, but I couldn't give it up because by that time I was too
 famous." -- Robert Benchley
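The two policy levels the thread contrasts, written out as setkey(8) / ipsec.conf SPD entries. This is an added illustration, not configuration posted by anyone in the thread; the two tunnels, the gateway addresses and the subnets are assumed and taken from the RFC 5737 documentation ranges.

```setkey
# Added example (not from the thread). Two site-to-site tunnels between the
# same pair of gateways: 198.51.100.1 (FreeBSD) and 198.51.100.2 (Cisco).
# Local subnet 192.0.2.0/24 reaches two remote subnets through two policies.
spdflush;

# Before: level "require". Both policy pairs name the same tunnel endpoints,
# so nothing ties a policy to its own SA and policies may share one SA; the
# thread reports the Cisco side expects a separate SA pair per policy.
#spdadd 192.0.2.0/24 203.0.113.0/25   any -P out ipsec esp/tunnel/198.51.100.1-198.51.100.2/require;
#spdadd 203.0.113.0/25 192.0.2.0/24   any -P in  ipsec esp/tunnel/198.51.100.2-198.51.100.1/require;
#spdadd 192.0.2.0/24 203.0.113.128/25 any -P out ipsec esp/tunnel/198.51.100.1-198.51.100.2/require;
#spdadd 203.0.113.128/25 192.0.2.0/24 any -P in  ipsec esp/tunnel/198.51.100.2-198.51.100.1/require;

# After: level "unique". Each policy is bound to its own SA, so the two
# tunnels get two distinct SA pairs. No id is given (unique:NUMBER would
# bind an explicit one); the kernel picks one, as the reply above describes.
spdadd 192.0.2.0/24 203.0.113.0/25   any -P out ipsec esp/tunnel/198.51.100.1-198.51.100.2/unique;
spdadd 203.0.113.0/25 192.0.2.0/24   any -P in  ipsec esp/tunnel/198.51.100.2-198.51.100.1/unique;
spdadd 192.0.2.0/24 203.0.113.128/25 any -P out ipsec esp/tunnel/198.51.100.1-198.51.100.2/unique;
spdadd 203.0.113.128/25 192.0.2.0/24 any -P in  ipsec esp/tunnel/198.51.100.2-198.51.100.1/unique;
```

Load it with `setkey -f` (or `setkey -c` from stdin), then confirm the outcome rather than assuming it: `setkey -DP` lists the policies with their level, and once the key daemon has negotiated, `setkey -D` should show a separate ESP SA pair for each policy instead of one pair serving both tunnels.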