Sunday, May 03, 2020

Re: IKE Multi site-to-site fails

On Sun, May 03, 2020 at 01:07:56PM +0200, Florian Weber wrote:
> Good morning,
>
> I am trying to connect two remote locations to our main responder. The issue
> I am facing is that I can connect each site individually without any issue,
> however, I cannot connect both sites at the same time. The sites are connected
> to the Internet via dial-up connections with dynamic IPs from the same
> provider. Hence, creating a specific peer rule for each site doesn't work.
> Is there a way to have both sites connect to the responder? With the confs
> as below, only site B can connect, while site A fails since it uses the
> "main_to_siteB" conf on the responder. If I add quick to the "main_to_siteA"
> conf on the responder, site A works but B fails as it uses the site A
> config. Responder and both initiators run on 6.6 stable.
>
> Any help or suggestions are greatly appreciated.
>
> Best,
>
> Florian

Hi Florian,

the responder needs some way to know if an incoming handshake is meant for
policy 'main_to_siteA' or 'main_to_siteB'. The peer's IP is not helpful in
this case as it is the same for both policies.
This is why IKEv2 uses IDs (as in srcid and dstid) to uniquely identify peers.

On the initiator side everything looks correct, A and B have unique srcids.
What seems to be missing is the dstid on the responder side which could be
understood as: For initiators sending the ID $dstid, match this policy.

Setting dstid to the matching initiator's srcid should help:

ikev2 'main_to_siteA' passive ipcomp esp \
        from 0.0.0.0/0 to 10.8.2.1/32 \
        from 0.0.0.0/0 to 192.168.30.0/24 \
        from 0.0.0.0/0 to 192.168.37.0/24 \
        from 0.0.0.0/0 to 10.253.0.0/24 \
        local A.B.C.D peer $provider \
        srcid A.B.C.D dstid E.F.G.H \
        psk "siteApass" \
        tag "$name-$id"

ikev2 'main_to_siteB' passive ipcomp esp \
        from 0.0.0.0/0 to 10.8.1.1/32 \
        from 0.0.0.0/0 to 192.168.41.0/24 \
        from 0.0.0.0/0 to 192.168.47.0/24 \
        local A.B.C.D peer $provider \
        srcid A.B.C.D dstid I.J.K.L \
        psk "siteBpass" \
        tag "$name-$id"
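An added example, not part of the thread or of iked itself: a small Python model of the responder-side policy lookup described above. It uses a simplified "last matching policy wins unless quick is set" rule inferred from the behaviour in the question (the real iked(8) selection also weighs proposals, flows and local address), with a constructed 203.0.113.0/24 standing in for $provider and the placeholder IDs from the configs above as initiator IDs.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass
class Policy:
    name: str
    peer: str                    # network the initiator must come from
    psk: str
    dstid: Optional[str] = None  # required initiator ID (IDi); None = any
    quick: bool = False          # stop evaluating once this policy matches

def select_policy(policies: List[Policy], src: str, idi: str) -> Optional[Policy]:
    """Simplified model: last matching policy wins unless one is 'quick'."""
    chosen = None
    for p in policies:
        if ip_address(src) not in ip_network(p.peer):
            continue                      # peer address does not match
        if p.dstid is not None and p.dstid != idi:
            continue                      # initiator sent a different ID
        chosen = p
        if p.quick:
            break
    return chosen

def chosen_name(policies: List[Policy], src: str, idi: str) -> Optional[str]:
    p = select_policy(policies, src, idi)
    return p.name if p else None

def auth_ok(policies: List[Policy], src: str, idi: str, psk: str) -> bool:
    """Handshake succeeds only if the selected policy carries the peer's PSK."""
    p = select_policy(policies, src, idi)
    return p is not None and p.psk == psk

PROVIDER = "203.0.113.0/24"  # constructed stand-in for the dynamic $provider range

# As posted: same 'peer', no dstid -> the last policy wins for both sites.
no_dstid = [
    Policy("main_to_siteA", PROVIDER, "siteApass"),
    Policy("main_to_siteB", PROVIDER, "siteBpass"),
]
# With 'quick' on siteA: the first matching policy wins, so site B breaks instead.
quick_on_a = [
    Policy("main_to_siteA", PROVIDER, "siteApass", quick=True),
    Policy("main_to_siteB", PROVIDER, "siteBpass"),
]
# As suggested: dstid pins each policy to its initiator's srcid.
with_dstid = [
    Policy("main_to_siteA", PROVIDER, "siteApass", dstid="E.F.G.H"),
    Policy("main_to_siteB", PROVIDER, "siteBpass", dstid="I.J.K.L"),
]
```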
