Date:      Tue, 18 Nov 2003 15:32:39 -0000
From:      Helge Oldach <helge.oldach@atosorigin.com>
To:        jamie@tridentmicrosystems.co.uk
Cc:        freebsd-net@freebsd.org
Subject:   Re: Problem with Racoon/IPSec/Setkey - Routing to/from multiple networks
Message-ID:  <200311181527.QAA03150@galaxy.hbg.de.ao-srv.com>
In-Reply-To: <000801c3adba$17a09cb0$115dcfc2@nico> from Jamie Heckford at "Nov 18, 2003 10:55:26 am"

Jamie Heckford:
>Helge Oldach wrote:
>> Jamie Heckford:
>>> /usr/sbin/setkey -c << EOF
>>> flush;
>>> spdflush;
>>> spdadd ${LOCAL_NETWORK} ${STJUST_NETWORK} any -P out ipsec
>>> esp/tunnel/${LOCAL_OUTSIDE}-${STJUST_OUTSIDE}/require;
>>> spdadd ${STJUST_NETWORK} ${LOCAL_NETWORK} any -P in  ipsec
>>> esp/tunnel/${STJUST_OUTSIDE}-${LOCAL_OUTSIDE}/require;
>>> spdadd ${ALLNET_1} ${STJUST_NETWORK} any -P out ipsec
>>> esp/tunnel/${LOCAL_OUTSIDE}-${STJUST_OUTSIDE}/require;
>>> spdadd ${STJUST_NETWORK} ${ALLNET_1} any -P in  ipsec
>>> esp/tunnel/${STJUST_OUTSIDE}-${LOCAL_OUTSIDE}/require;
>>> spdadd ${LOCAL_NETWORK} ${BENELUX_NETWORK} any -P out ipsec
>>> esp/tunnel/${LOCAL_OUTSIDE}-${BENELUX_OUTSIDE}/require;
>>> spdadd ${BENELUX_NETWORK} ${LOCAL_NETWORK} any -P in ipsec
>>> esp/tunnel/${BENELUX_OUTSIDE}-${LOCAL_OUTSIDE}/require;
>>> spdadd ${ALLNET_1} ${BENELUX_NETWORK} any -P out ipsec
>>> esp/tunnel/${LOCAL_OUTSIDE}-${BENELUX_OUTSIDE}/require;
>>> spdadd ${BENELUX_NETWORK} ${ALLNET_1} any -P in ipsec
>>> esp/tunnel/${BENELUX_OUTSIDE}-${LOCAL_OUTSIDE}/require;
>>> EOF
>> 
>> Try using "unique" instead of "require".
>> 
>> Helge
>
>Thanks a lot Helge, this worked fine :)
>
>What does unique do instead of require..? 

Frankly, I never understood this in detail. "unique" appears to tie
together the SA and the policy and appears to ensure that the correct SA
is being used for a policy. But then I don't see what "require" would be
useful for at all, as the "unique" behaviour is what one usually wants
to achieve when using IKE (racoon).

Actually this question pops up every now and then, with always the same
answer. :-) For example, if you're talking against a Cisco VPN gateway,
you *must* use unique, otherwise it won't work at all.

Maybe somebody else can shed some light into the matter?

Helge
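An added check (not from the thread) for the situation discussed above: it parses `spdadd` statements in setkey's SPD syntax and flags groups of policies that share the same tunnel endpoints and direction at level `require`, since in that configuration the kernel may pick any SA with matching endpoints, whereas `unique` binds each policy to its own SA (the one racoon negotiates for it). The sample addresses are constructed placeholders standing in for the poster's shell variables.

```python
import re
from collections import defaultdict

# Constructed sample mirroring the quoted script, with placeholder addresses
# (hypothetical values, not the poster's real networks or gateways).
SAMPLE = """
flush;
spdflush;
spdadd 10.1.0.0/16 10.2.0.0/16 any -P out ipsec
esp/tunnel/192.0.2.1-198.51.100.1/require;
spdadd 10.2.0.0/16 10.1.0.0/16 any -P in  ipsec
esp/tunnel/198.51.100.1-192.0.2.1/require;
spdadd 10.9.0.0/16 10.2.0.0/16 any -P out ipsec
esp/tunnel/192.0.2.1-198.51.100.1/require;
spdadd 10.2.0.0/16 10.9.0.0/16 any -P in  ipsec
esp/tunnel/198.51.100.1-192.0.2.1/require;
"""

# spdadd <src> <dst> <upperspec> -P <dir> ipsec <proto>/tunnel/<a>-<b>/<level>[:id];
SPDADD = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+"
    r"(\w+)/tunnel/([^\s/-]+)-([^\s/]+)/(default|use|require|unique)(?::\d+)?\s*;"
)


def parse_policies(text):
    """Return (src, dst, upper, dir, proto, tunnel_src, tunnel_dst, level) tuples."""
    # Statements end with ';', so wrapped lines are joined before matching.
    flat = " ".join(line.strip() for line in text.splitlines())
    return [m.groups() for m in SPDADD.finditer(flat)]


def find_shared_require(policies):
    """Map (dir, tunnel_src, tunnel_dst) -> [(src, dst), ...] for tunnels that
    more than one policy uses at level 'require'."""
    groups = defaultdict(list)
    for src, dst, _upper, direction, _proto, tsrc, tdst, level in policies:
        if level == "require":
            groups[(direction, tsrc, tdst)].append((src, dst))
    return {key: pols for key, pols in groups.items() if len(pols) > 1}


def rewrite_level(text, old="require", new="unique"):
    """Rewrite the policy level of every tunnel policy in the script."""
    return re.sub(r"/%s(?=\s*;)" % re.escape(old), "/" + new, text)
```

Running `find_shared_require(parse_policies(SAMPLE))` reports both the outbound and the inbound tunnel as shared by two `require` policies; after `rewrite_level(SAMPLE)` nothing is flagged.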


