Paul,<br><br>Thanks for the reply. I attempted to use the %any before and I have always received an error when attempting to bring a connection up. I just tried modifying my allow-ssh connection and this is what happens...<br>
<br>[root@oswan2 etc]# ipsec auto --up allow-ssh<br>031 "allow-ssh": cannot initiate connection with ID wildcards (kind=CK_TEMPLATE)<br><br>but if I change it back to /0 the vpn establishes.<br><br>I brought up allow-ssh and did the ip xfrm commands<br>
<br>oswan1 is .216<br>oswan2 is .217<br><br><b>[root@oswan2 etc]# ip xfrm policy</b><br>src 192.168.100.216/32 dst 192.168.100.217/32 proto tcp<br>
dir in priority 2080<br> tmpl src 192.168.100.216 dst 192.168.100.217<br> proto esp reqid 16385 mode tunnel<br>src 192.168.100.217/32 dst 192.168.100.216/32 proto tcp<br>
dir out priority 2080<br> tmpl src 192.168.100.217 dst 192.168.100.216<br> proto esp reqid 16385 mode tunnel<br>src 192.168.100.216/32 dst 192.168.100.217/32 proto tcp<br>
dir fwd priority 2080<br> tmpl src 192.168.100.216 dst 192.168.100.217<br> proto esp reqid 16385 mode tunnel<br>src ::/0 dst ::/0<br> dir in priority 0<br>src 0.0.0.0/0 dst 0.0.0.0/0<br>
dir in priority 0<br>src 0.0.0.0/0 dst 0.0.0.0/0<br> dir in priority 0<br>src ::/0 dst ::/0<br> dir out priority 0<br>src 0.0.0.0/0 dst 0.0.0.0/0<br>
dir out priority 0<br>src 0.0.0.0/0 dst 0.0.0.0/0<br> dir out priority 0<br><br><b>[root@oswan2 etc]# ip xfrm state</b><br>src 192.168.100.216 dst 192.168.100.217<br>
proto esp spi 0x7fdd92ef reqid 16385 mode tunnel<br> replay-window 32<br> auth hmac(sha1) 0x4cac01e0d24621e98ccab2e98708a7695f6ec18d<br> enc cbc(des3_ede) 0x33b86f0df54893ba274223c2f49d0abf195036468c3b9f52<br>
src 192.168.100.217 dst 192.168.100.216<br> proto esp spi 0x9c8fe2ce reqid 16385 mode tunnel<br> replay-window 32<br> auth hmac(sha1) 0xaa044f5d1539a7f37f40d56d3298b5f0a6150e94<br> enc cbc(des3_ede) 0x474d49c0ec4811fb60b639e3d26b68e01eac01135a4b066c<br>
<br>also when I run <b>ipsec auto --status</b> for this connection I see<br><br>000 "allow-ssh": 192.168.100.217<192.168.100.217>[@oswan2,+S=C]:6/22...192.168.100.216<192.168.100.216>[@oswan1,+S=C]:6/0; erouted; eroute owner: #2<br>
<br><br>Maybe this info will help.<br><br>Phillip<br><br><div class="gmail_quote">On Sat, Feb 21, 2009 at 2:45 PM, Paul Wouters <span dir="ltr"><<a href="mailto:paul@xelerance.com">paul@xelerance.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div class="Ih2E3d">On Sat, 21 Feb 2009, Phillip Reeves wrote:<br>
<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
I would like to be able to have traffic using specific ports use different SA's, similar to this post:<br>
<br>
<a href="https://lists.strongswan.org/pipermail/users/2008-October/002854.html" target="_blank">https://lists.strongswan.org/pipermail/users/2008-October/002854.html</a><br>
<br>
I have two boxes running rhel 5.2 and openswan 2.6.20 in a private lab using netkey protostack. Similar to the post above I would like to<br>
have traffic using tcp/22 use a set of SA's and tcp/23 use a set of SA's.<br>
<br>
Below is part of my ipsec.conf file to get this working<br>
<br>
conn allow-sshyeah<br>
phase2alg=null-sha1-96<br>
leftprotoport=6/22<br>
rightprotoport=6/0<br>
also=vpn-test<br>
<br>
conn allow-telnet<br>
phase2alg=3des-sha1-96<br>
leftprotoport=6/23<br>
rightprotoport=6/0<br>
also=vpn-test<br>
</blockquote>
<br>
</div><div class="Ih2E3d"><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
No matter what we try when attempting to distinguish traffic of the same protocol (whether udp or tcp), the traffic ends up using the same<br>
set of SA's. However, I can get the traffic to use different SA's if I break up the traffic using ICMP, TCP and UDP rules in my ipsec.conf<br>
file as below...<br>
</blockquote>
<br></div>
Can you check with xfrm show policy and xfrm show state to see if the policies<br>
are right and the kernel is wrong, or whether the policy is wrong and the kernel<br>
is right?<br>
<br>
Also, instead of /0 what happens if you use /%any<br><font color="#888888">
<br>
Paul<br>
</font></blockquote></div><br>
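<br>The check Paul asks for above (whether the kernel policy carries the port selector that ipsec.conf requested, and whether the port-specific policies really point at different SAs) can be automated. The script below is an added example written for this thread; it is not code from Openswan or from either poster. It parses the text format of <b>ip xfrm policy</b> and <b>ip xfrm state</b>, groups TCP/UDP selectors by the reqid that ties a policy to its SA pair, and reports ports that share one reqid as well as TCP/UDP policies that carry no port at all. The sample output embedded in it is constructed to resemble the listings above; its SPIs, reqids and key material are made up.<br>

```python
"""Diagnose per-port IPsec policies from `ip xfrm policy` / `ip xfrm state` text.

Added example for the openswan thread on per-port SAs; not project code.
Feed it the real command output with:
    python3 xfrm_check.py  < <(ip xfrm policy; echo ---; ip xfrm state)
"""
import re
import sys
from collections import defaultdict

# Constructed sample modelled on the listings in the thread (values invented).
SAMPLE_POLICY = """\
src 192.168.100.216/32 dst 192.168.100.217/32 proto tcp sport 22
\tdir in priority 2080
\ttmpl src 192.168.100.216 dst 192.168.100.217
\t\tproto esp reqid 16385 mode tunnel
src 192.168.100.217/32 dst 192.168.100.216/32 proto tcp dport 22
\tdir out priority 2080
\ttmpl src 192.168.100.217 dst 192.168.100.216
\t\tproto esp reqid 16385 mode tunnel
src 192.168.100.216/32 dst 192.168.100.217/32 proto tcp sport 23
\tdir in priority 2080
\ttmpl src 192.168.100.216 dst 192.168.100.217
\t\tproto esp reqid 16385 mode tunnel
src 192.168.100.217/32 dst 192.168.100.216/32 proto tcp
\tdir out priority 2080
\ttmpl src 192.168.100.217 dst 192.168.100.216
\t\tproto esp reqid 16386 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
\tdir in priority 0
"""

SAMPLE_STATE = """\
src 192.168.100.216 dst 192.168.100.217
\tproto esp spi 0x7fdd92ef reqid 16385 mode tunnel
\treplay-window 32
\tauth hmac(sha1) 0x00
src 192.168.100.217 dst 192.168.100.216
\tproto esp spi 0x9c8fe2ce reqid 16385 mode tunnel
\treplay-window 32
"""

# Selector line: "src A dst B [proto P] [sport N] [dport N]" (ip omits absent parts).
SELECTOR_RE = re.compile(
    r"^src (?P<src>\S+) dst (?P<dst>\S+)(?: proto (?P<proto>\S+))?"
    r"(?: sport (?P<sport>\d+))?(?: dport (?P<dport>\d+))?"
)


def parse_policies(text):
    """Return one dict per policy: selector fields, direction, priority, reqid."""
    policies, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("src "):          # new policy entry ("tmpl src" does not match)
            m = SELECTOR_RE.match(line)
            cur = {"src": m["src"], "dst": m["dst"], "proto": m["proto"],
                   "sport": int(m["sport"]) if m["sport"] else None,
                   "dport": int(m["dport"]) if m["dport"] else None,
                   "dir": None, "priority": None, "reqid": None}
            policies.append(cur)
        elif cur is not None:
            m = re.match(r"dir (\w+) priority (\d+)", line)
            if m:
                cur["dir"], cur["priority"] = m[1], int(m[2])
            m = re.search(r"reqid (\d+)", line)
            if m:
                cur["reqid"] = int(m[1])
    return policies


def parse_states(text):
    """Return one dict per SA: endpoints, SPI and reqid."""
    states, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("src "):
            m = re.match(r"src (\S+) dst (\S+)", line)
            cur = {"src": m[1], "dst": m[2], "spi": None, "reqid": None}
            states.append(cur)
        elif cur is not None:
            m = re.search(r"spi (0x[0-9a-fA-F]+) reqid (\d+)", line)
            if m:
                cur["spi"], cur["reqid"] = m[1], int(m[2])
    return states


def selector_port(p):
    """Port a TCP/UDP policy keys on, or None when it matches every port."""
    return p["sport"] or p["dport"] or None


def shared_sas(policies):
    """Map (proto, reqid) -> set of ports when more than one port uses that reqid."""
    ports = defaultdict(set)
    for p in policies:
        if p["proto"] in ("tcp", "udp") and p["reqid"] is not None:
            ports[(p["proto"], p["reqid"])].add(selector_port(p))
    return {k: v for k, v in ports.items() if len(v) > 1}


def portless_policies(policies):
    """TCP/UDP policies whose kernel selector lost the port ipsec.conf asked for."""
    return [p for p in policies
            if p["proto"] in ("tcp", "udp") and selector_port(p) is None]


def spis_for_reqid(states, reqid):
    """SPIs of the SAs bound to a reqid (expect one per direction)."""
    return sorted(s["spi"] for s in states if s["reqid"] == reqid)


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_POLICY + "---\n" + SAMPLE_STATE
    pol_text, _, state_text = data.partition("---\n")
    pols, sts = parse_policies(pol_text), parse_states(state_text)
    for (proto, reqid), ports in shared_sas(pols).items():
        print(f"{proto} ports {sorted(ports)} share reqid {reqid}: SPIs {spis_for_reqid(sts, reqid)}")
    for p in portless_policies(pols):
        print(f"{p['dir']} policy {p['src']} -> {p['dst']} proto {p['proto']} has no port selector")
```

Run on real hosts as shown in the docstring; when selectors for tcp/22 and tcp/23 resolve to the same reqid (and therefore the same SPIs), the kernel has been given one SA pair for both ports, while a port-specific conn that shows up in the listing with no port selector points at the policy side rather than the kernel.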