<html>
<head>
<style>
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Verdana
}
</style>
</head>
<body class='hmmessage'>
Hi!<br>You can use the "include" parameter in ipsec.conf to add multiple configuration files, and each configuration file can have a different remote peer IP address, authentication, encryption and subnets.<br><br>ex:<br>My /etc/ipsec.conf<br>
<pre>
version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
# Debug-logging controls: "none" for (almost) none, "all" for lots.
# klipsdebug=none
# plutodebug="control parsing"
conn %default
    keyingtries=0
    # disablearrivalcheck=no
    authby=rsasig
    # leftrsasigkey=%dns
    # rightrsasigkey=%dns

conn test
    auto=start
    left=172.30.0.3
    leftsubnet=10.0.0.1/24
    right=172.30.0.10
    rightsubnet=172.30.1.0/24
    keyexchange=ike
    esp=3des-sha1-96
    keyingtries=0
    rekeymargin=4m
    type=transport
    disablearrivalcheck=no
    authby=secret
    pfs=yes

<b>include /etc/ipsec.d/*.conf</b>
</pre>
And under the folder /etc/ipsec.d/ you can create multiple conf files, each with a unique configuration.<br>ex:<br>/etc/ipsec.d/aaa.conf<br>
<pre>
conn aaa
    auto=start
    left=172.30.0.3
    leftsubnet=10.1.0.0/24
    right=192.168.0.1
    rightsubnet=172.31.0.0/24
    keyexchange=ike
    esp=aes256-sha1
    keyingtries=0
    rekeymargin=4m
    type=transport
    disablearrivalcheck=no
    authby=secret
    pfs=yes
</pre>
<br><span style="font-family: Tahoma,Helvetica,Sans-Serif; font-style: italic; font-weight: bold;">-<span style="font-family: Times New Roman,Times,Serif;"> Simon Charles - </span></span><br><br>
> Date: Mon, 23 Feb 2009 19:28:47 +0530<br>
> To: users@openswan.org<br>
> From: ssmurthy.nittala@freescale.com<br>
> Subject: [Openswan Users] Multiple IKE destinations in config file<br>
> <br>
> Hi,<br>
> In the ipsec.conf configuration file we can specify the gateway addresses <br>
> using the keywords left and right. But how do we configure multiple <br>
> gateway addresses, i.e. how can we configure multiple IKE records to <br>
> connect simultaneously to different destination gateways?<br>
> Thanks in advance<br>
> -nsmurthy<br>
> <br>
> <br>
> _______________________________________________<br>
> Users@openswan.org<br>
> http://lists.openswan.org/mailman/listinfo/users<br>
> Building and Integrating Virtual Private Networks with Openswan: <br>
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155<br>
</body>
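With connections spread over several included files, it helps to audit what each `conn` actually ends up with once `conn %default` is applied. The following is an added example, not part of the original post and not Openswan's own parser: a simplified Python model of the whitespace-separated `include` line form from ipsec.conf(5), with hypothetical function names and a constructed sample in which `aaa.conf` deliberately omits `authby`.

```python
import glob
import tempfile
from pathlib import Path

def load_lines(path, seen=None):
    """Return the file's lines with `include <glob>` lines expanded in place."""
    seen = set() if seen is None else seen
    real = Path(path).resolve()
    if real in seen:                       # guard against include loops
        return []
    seen.add(real)
    out = []
    for line in real.read_text().splitlines():
        words = line.split()
        if len(words) == 2 and words[0] == "include" and not line[0].isspace():
            for inc in sorted(glob.glob(words[1])):
                out.extend(load_lines(inc, seen))
        else:
            out.append(line)
    return out

def effective_conns(path):
    """Map each conn name to its settings after applying `conn %default`."""
    sections, current = {}, None
    for line in load_lines(path):
        text = line.split("#", 1)[0].rstrip()    # simplified comment stripping
        if text and not text[0].isspace():       # section header at column 0
            kind, _, name = text.partition(" ")
            current = sections.setdefault(name.strip(), {}) if kind == "conn" else None
        elif current is not None and "=" in text:
            key, _, value = text.strip().partition("=")
            current[key.strip()] = value.strip()
    defaults = sections.pop("%default", {})
    return {name: {**defaults, **opts} for name, opts in sections.items()}

def demo():
    """Resolve a constructed two-file layout modelled on the post's config."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "ipsec.d").mkdir()
        main = Path(root, "ipsec.conf")
        main.write_text("version 2.0\nconn %default\n    keyingtries=0\n    authby=rsasig\n"
                        "conn test\n    right=172.30.0.10\n    authby=secret\n"
                        f"include {root}/ipsec.d/*.conf\n")
        Path(root, "ipsec.d", "aaa.conf").write_text(
            "conn aaa\n    right=192.168.0.1\n    esp=aes256-sha1\n")
        return effective_conns(main)

if __name__ == "__main__":
    print(demo())
```

In the constructed layout, `conn aaa` resolves to `authby=rsasig` and `keyingtries=0` from `conn %default`, while `conn test` keeps its own `authby=secret`; a per-peer file that leaves a setting out silently takes whatever the main file's defaults say.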
</html>