<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
span.EmailStyle17
        {mso-style-type:personal-compose;
        font-family:"Calibri","sans-serif";
        color:windowtext;}
.MsoChpDefault
        {mso-style-type:export-only;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=WordSection1>
<p class=MsoNormal>Something unhealthy is going on with configs that have
multiple tunnels connecting the same sites. <o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>I know I always end up posting the weird problems and here’s
another one. I have a customer with 2 sites, called HQ and colo. HQ
is on the right, colo on the left. The HQ site has 2 LANS – 175.10/16
and 175.7/16. The colo site also has 2 LANS, 175.8/16 and 175.9/16.
I supernetted the tunnels at the colo site to 175.8/15 as a
troubleshooting step and also a way to reduce the number of tunnels from 4 to 2.
I know this setup is a little off the beaten path, but this customer needs
multiple tunnels connecting the same sites to make their storage replication
work properly. <o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Every once in a while, one or more of these tunnels decides
to go out to lunch. This is usually when there’s a telecom
interruption. IPSEC is supposed to hook both sites back up after the
telecom comes back online, but this doesn’t always work here. The
only solution is to manually restart ipsec on one side or the other. <o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>So this morning, I had an outage and sure enough, half the
tunnels weren’t answering. So I tried service ipsec restart at the
HQ site and . . . it hung. Yup, it hung. I would love
to prove that it hung, but the putty output is already scrolled off the top of
the window. But I was there, I saw it with my own eyes, it
hung. Trust me, it hung. <o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Fwiw, I’ve seen this hang before with multiple
tunnels. It’s been going on for years in one form or another and I’ve
posted references to it in this forum. <o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>After pressing Ctrl/C, I tried sh -v /etc/rc.d/init.d/ipsec
restart - this worked properly and now everyone can see everyone
else. <o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>When the problem is happening, I see lots of messages coming
into /var/log/secure. Here is a sample:<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>[root@stylmark-fw1 ipsec.d]# more greg2.txt<o:p></o:p></p>
<p class=MsoNormal>Jul 14 08:00:00 localhost pluto[23465]: initiate on demand from 175.10.0.1:8 to 175.9.1.35:0 proto=1 state: fos_start because: acquire<o:p></o:p></p>
<p class=MsoNormal>Jul 14 08:00:00 localhost pluto[23465]: "colo-hqmain" #212624: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#212615 msgid:d98e9c48 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}<o:p></o:p></p>
<p class=MsoNormal>Jul 14 08:00:00 localhost pluto[23465]: "colo-hqmain" #212624: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2<o:p></o:p></p>
<p class=MsoNormal>Jul 14 08:00:00 localhost pluto[23465]: "colo-hqmain" #212624: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x86d6e4be <0x68544fa4 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}<o:p></o:p></p>
<p class=MsoNormal>Jul 14 08:00:03 localhost pluto[23465]: initiate on demand from 175.10.0.1:8 to 175.8.1.101:0 proto=1 state: fos_start because: acquire<o:p></o:p></p>
<p class=MsoNormal>Jul 14 08:00:03 localhost pluto[23465]: "colo-hqmain" #212625: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#212615 msgid:d31345ba proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}<o:p></o:p></p>
<p class=MsoNormal>Jul 14 08:00:03 localhost pluto[23465]: "colo-hqmain" #212625: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2<o:p></o:p></p>
<p class=MsoNormal>Jul 14 08:00:03 localhost pluto[23465]: "colo-hqmain" #212625: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xb35a6fc7 <0xac2386d4 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}<o:p></o:p></p>
<p class=MsoNormal>Jul 14 08:00:09 localhost pluto[23465]: initiate on demand from 175.10.0.35:8 to 175.9.1.35:0 proto=1 state: fos_start because: acquire<o:p></o:p></p>
<p class=MsoNormal>Jul 14 08:00:09 localhost pluto[23465]: "colo-hqmain" #212626: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#212615 msgid:b005937f proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}<o:p></o:p></p>
<p class=MsoNormal>Jul 14 08:00:09 localhost pluto[23465]: "colo-hqmain" #212626: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2<o:p></o:p></p>
<p class=MsoNormal>Jul 14 08:00:09 localhost pluto[23465]: "colo-hqmain" #212626: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x364780e1 <0x58c0d1e0 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}<o:p></o:p></p>
<p class=MsoNormal>Jul 14 08:00:28 localhost pluto[23465]: "colo-hqmain" #212615: received Delete SA(0x7c705344) payload: deleting IPSEC State #209204<o:p></o:p></p>
<p class=MsoNormal>Jul 14 08:00:28 localhost pluto[23465]: "colo-hqmain" #212615: received and ignored informational message<o:p></o:p></p>
<p class=MsoNormal>Jul 14 08:00:31 localhost pluto[23465]: "colo-hqmain" #212615: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x8b2781f0) not found (maybe expired)<o:p></o:p></p>
<p class=MsoNormal>Jul 14 08:00:31 localhost pluto[23465]: "colo-hqmain" #212615: received and ignored informational message<o:p></o:p></p>
<p class=MsoNormal>Jul 14 08:00:34 localhost pluto[23465]: "colo-hqmain" #212615: received Delete SA(0xf8a2d8fb) payload: deleting IPSEC State #209206<o:p></o:p></p>
<p class=MsoNormal>Jul 14 08:00:34 localhost pluto[23465]: "colo-hqmain" #212615: received and ignored informational message<o:p></o:p></p>
<p class=MsoNormal>Jul 14 08:00:37 localhost pluto[23465]: "colo-hqmain" #212615: received Delete SA(0x14029340) payload: deleting IPSEC State #209207<o:p></o:p></p>
<p class=MsoNormal>Jul 14 08:00:37 localhost pluto[23465]: "colo-hqmain" #212615: received and ignored informational message<o:p></o:p></p>
<p class=MsoNormal>Jul 14 08:00:38 localhost pluto[23465]: initiate on demand from 175.10.0.1:8 to 175.9.1.1:0 proto=1 state: fos_start because: acquire<o:p></o:p></p>
<p class=MsoNormal>Jul 14 08:00:38 localhost pluto[23465]: "colo-hqmain" #212627: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#212615 msgid:3e7351ff proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}<o:p></o:p></p>
<p class=MsoNormal>Jul 14 08:00:39 localhost pluto[23465]: "colo-hqmain" #212627: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2<o:p></o:p></p>
<p class=MsoNormal>Jul 14 08:00:39 localhost pluto[23465]: "colo-hqmain" #212627: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x19427699 <0x043fa1d4 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}<o:p></o:p></p>
<p class=MsoNormal>Jul 14 08:00:41 localhost pluto[23465]: initiate on demand from 175.10.0.1:8 to 175.8.1.254:0 proto=1 state: fos_start because: acquire<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>And here is a sample from /var/log/secure when things are
working properly – I dummied up references to public IP Addresses:<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>[root@stylmark-fw1 ipsec.d]# tail /var/log/secure -f<o:p></o:p></p>
<p class=MsoNormal>Jul 14 10:33:34 localhost pluto[3993]:
"colo-hqmain" #1: the peer proposed: 175.10.0.0/16:0/0 ->
175.8.0.0/15:0/0<o:p></o:p></p>
<p class=MsoNormal>Jul 14 10:33:34 localhost pluto[3993]:
"colo-hqmain" #31: responding to Quick Mode proposal {msgid:6a8b3c68}<o:p></o:p></p>
<p class=MsoNormal>Jul 14 10:33:34 localhost pluto[3993]:
"colo-hqmain" #31: us: 175.10.0.0/16===1.2.42.85<1.2.42.85>[@hqmain,+S=C]---1.2.42.86<o:p></o:p></p>
<p class=MsoNormal>Jul 14 10:33:34 localhost pluto[3993]:
"colo-hqmain" #31: them: 3.4.64.174---3.4.64.169<3.4.64.169>[@colo,+S=C]===175.8.0.0/15<o:p></o:p></p>
<p class=MsoNormal>Jul 14 10:33:34 localhost pluto[3993]: | NAT-OA: 0 tunnel: 0<o:p></o:p></p>
<p class=MsoNormal>Jul 14 10:33:34 localhost pluto[3993]:
"colo-hqmain" #31: keeping refhim=4294901761 during rekey<o:p></o:p></p>
<p class=MsoNormal>Jul 14 10:33:34 localhost pluto[3993]:
"colo-hqmain" #31: transition from state STATE_QUICK_R0 to state
STATE_QUICK_R1<o:p></o:p></p>
<p class=MsoNormal>Jul 14 10:33:34 localhost pluto[3993]: "colo-hqmain"
#31: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2<o:p></o:p></p>
<p class=MsoNormal>Jul 14 10:33:34 localhost pluto[3993]:
"colo-hqmain" #31: transition from state STATE_QUICK_R1 to state
STATE_QUICK_R2<o:p></o:p></p>
<p class=MsoNormal>Jul 14 10:33:34 localhost pluto[3993]: "colo-hqmain"
#31: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x8fd8f76b
<0xaf448d32 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}<o:p></o:p></p>
<p class=MsoNormal>Jul 14 10:35:34 localhost pluto[3993]:
"colo-hqmain" #1: the peer proposed: 175.10.0.0/16:0/0 ->
175.8.0.0/15:0/0<o:p></o:p></p>
<p class=MsoNormal>Jul 14 10:35:34 localhost pluto[3993]:
"colo-hqmain" #32: responding to Quick Mode proposal {msgid:bcf600d5}<o:p></o:p></p>
<p class=MsoNormal>Jul 14 10:35:34 localhost pluto[3993]:
"colo-hqmain" #32: us: 175.10.0.0/16===1.2.42.85<1.2.42.85>[@hqmain,+S=C]---1.2.42.86<o:p></o:p></p>
<p class=MsoNormal>Jul 14 10:35:34 localhost pluto[3993]:
"colo-hqmain" #32: them: 3.4.64.174---3.4.64.169<3.4.64.169>[@colo,+S=C]===175.8.0.0/15<o:p></o:p></p>
<p class=MsoNormal>Jul 14 10:35:34 localhost pluto[3993]: | NAT-OA: 0 tunnel: 0<o:p></o:p></p>
<p class=MsoNormal>Jul 14 10:35:34 localhost pluto[3993]:
"colo-hqmain" #32: keeping refhim=4294901761 during rekey<o:p></o:p></p>
<p class=MsoNormal>Jul 14 10:35:34 localhost pluto[3993]:
"colo-hqmain" #32: transition from state STATE_QUICK_R0 to state
STATE_QUICK_R1<o:p></o:p></p>
<p class=MsoNormal>Jul 14 10:35:34 localhost pluto[3993]:
"colo-hqmain" #32: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed,
expecting QI2<o:p></o:p></p>
<p class=MsoNormal>Jul 14 10:35:34 localhost pluto[3993]:
"colo-hqmain" #32: transition from state STATE_QUICK_R1 to state
STATE_QUICK_R2<o:p></o:p></p>
<p class=MsoNormal>Jul 14 10:35:34 localhost pluto[3993]:
"colo-hqmain" #32: STATE_QUICK_R2: IPsec SA established tunnel mode
{ESP=>0x0c7f39bf <0x2e95afcb xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none
DPD=none}<o:p></o:p></p>
<p class=MsoNormal>Jul 14 10:35:47 localhost pluto[3993]:
"colo-hqmain" #1: the peer proposed: 175.10.0.0/16:0/0 ->
175.8.0.0/15:0/0<o:p></o:p></p>
<p class=MsoNormal>Jul 14 10:35:47 localhost pluto[3993]:
"colo-hqmain" #33: responding to Quick Mode proposal {msgid:521ce545}<o:p></o:p></p>
<p class=MsoNormal>Jul 14 10:35:47 localhost pluto[3993]:
"colo-hqmain" #33: us: 175.10.0.0/16===1.2.42.85<1.2.42.85>[@hqmain,+S=C]---1.2.42.86<o:p></o:p></p>
<p class=MsoNormal>Jul 14 10:35:47 localhost pluto[3993]:
"colo-hqmain" #33: them: 3.4.64.174---3.4.64.169<3.4.64.169>[@colo,+S=C]===175.8.0.0/15<o:p></o:p></p>
<p class=MsoNormal>Jul 14 10:35:47 localhost pluto[3993]: | NAT-OA: 0 tunnel: 0<o:p></o:p></p>
<p class=MsoNormal>Jul 14 10:35:47 localhost pluto[3993]:
"colo-hqmain" #33: keeping refhim=4294901761 during rekey<o:p></o:p></p>
<p class=MsoNormal>Jul 14 10:35:47 localhost pluto[3993]:
"colo-hqmain" #33: transition from state STATE_QUICK_R0 to state
STATE_QUICK_R1<o:p></o:p></p>
<p class=MsoNormal>Jul 14 10:35:47 localhost pluto[3993]:
"colo-hqmain" #33: STATE_QUICK_R1: sent QR1, inbound IPsec SA
installed, expecting QI2<o:p></o:p></p>
<p class=MsoNormal>Jul 14 10:35:47 localhost pluto[3993]: "colo-hqmain"
#33: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2<o:p></o:p></p>
<p class=MsoNormal>Jul 14 10:35:47 localhost pluto[3993]:
"colo-hqmain" #33: STATE_QUICK_R2: IPsec SA established tunnel mode
{ESP=>0xc0136c4b <0x32bf7674 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none
DPD=none}<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>This is the version of Openswan running at the HQ site:<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>[root@stylmark-fw1 firewall-scripts]# ipsec version<o:p></o:p></p>
<p class=MsoNormal>Linux Openswan U2.6.25/K2.6.32.12-115.fc12.i686.PAE (netkey)<o:p></o:p></p>
<p class=MsoNormal>See `ipsec --copyright' for copyright information.<o:p></o:p></p>
<p class=MsoNormal>[root@stylmark-fw1 firewall-scripts]#<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>And this is the version running at the colo site:<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>[root@colo-fw firewall-scripts]# ipsec version<o:p></o:p></p>
<p class=MsoNormal>Linux Openswan U2.6.25/K2.6.17.2fw21 (netkey)<o:p></o:p></p>
<p class=MsoNormal>See `ipsec --copyright' for copyright information.<o:p></o:p></p>
<p class=MsoNormal>[root@colo-fw firewall-scripts]#<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>As you can see, the colo site has an older kernel but a new
version of Openswan. <o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Here are the conn definitions. First, colo-ipsec.conf
at the colo site. Note the commented out additional tunnels at the bottom.
I supernetted the conn definitions at the colo site as a troubleshooting step:<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>conn colo-hqmain<o:p></o:p></p>
<p class=MsoNormal> type=tunnel<o:p></o:p></p>
<p class=MsoNormal> #<o:p></o:p></p>
<p class=MsoNormal> # Left security
gateway, subnet behind it, next hop toward left.<o:p></o:p></p>
<p class=MsoNormal> #<o:p></o:p></p>
<p class=MsoNormal> also=colo<o:p></o:p></p>
<p class=MsoNormal> #<o:p></o:p></p>
<p class=MsoNormal> # Right security
gateway, subnet behind it, next hop toward left.<o:p></o:p></p>
<p class=MsoNormal> #<o:p></o:p></p>
<p class=MsoNormal> also=hqmain<o:p></o:p></p>
<p class=MsoNormal> auto=start<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>conn colo-hqmirror<o:p></o:p></p>
<p class=MsoNormal> type=tunnel<o:p></o:p></p>
<p class=MsoNormal> #<o:p></o:p></p>
<p class=MsoNormal> # Left security
gateway, subnet behind it, next hop toward left.<o:p></o:p></p>
<p class=MsoNormal> #<o:p></o:p></p>
<p class=MsoNormal> also=colo<o:p></o:p></p>
<p class=MsoNormal> #<o:p></o:p></p>
<p class=MsoNormal> # Right security
gateway, subnet behind it, next hop toward left.<o:p></o:p></p>
<p class=MsoNormal> #<o:p></o:p></p>
<p class=MsoNormal> also=hqmirror<o:p></o:p></p>
<p class=MsoNormal> auto=start<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>##conn colomirror-hqmirror<o:p></o:p></p>
<p class=MsoNormal>## type=tunnel<o:p></o:p></p>
<p class=MsoNormal>## #<o:p></o:p></p>
<p class=MsoNormal>## # Left security gateway,
subnet behind it, next hop toward left.<o:p></o:p></p>
<p class=MsoNormal>## #<o:p></o:p></p>
<p class=MsoNormal>## also=colomirror<o:p></o:p></p>
<p class=MsoNormal>## #<o:p></o:p></p>
<p class=MsoNormal>## # Right security gateway,
subnet behind it, next hop toward left.<o:p></o:p></p>
<p class=MsoNormal>## #<o:p></o:p></p>
<p class=MsoNormal>## also=hqmirror<o:p></o:p></p>
<p class=MsoNormal>## auto=start<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>##conn colomirror-hqmain<o:p></o:p></p>
<p class=MsoNormal>## type=tunnel<o:p></o:p></p>
<p class=MsoNormal>## #<o:p></o:p></p>
<p class=MsoNormal>## # Left security gateway,
subnet behind it, next hop toward left.<o:p></o:p></p>
<p class=MsoNormal>## #<o:p></o:p></p>
<p class=MsoNormal>## also=colomirror<o:p></o:p></p>
<p class=MsoNormal>## #<o:p></o:p></p>
<p class=MsoNormal>## # Right security gateway,
subnet behind it, next hop toward left.<o:p></o:p></p>
<p class=MsoNormal>## #<o:p></o:p></p>
<p class=MsoNormal>## also=hqmain<o:p></o:p></p>
<p class=MsoNormal>## auto=start<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>include /etc/ipsec.d/sites.conf<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Next are the conn definitions from hq-ipsec.conf:<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>conn colo-hqmain<o:p></o:p></p>
<p class=MsoNormal> type=tunnel<o:p></o:p></p>
<p class=MsoNormal> #<o:p></o:p></p>
<p class=MsoNormal> # Left security
gateway, subnet behind it, next hop toward left.<o:p></o:p></p>
<p class=MsoNormal> #<o:p></o:p></p>
<p class=MsoNormal> also=colo<o:p></o:p></p>
<p class=MsoNormal> #<o:p></o:p></p>
<p class=MsoNormal> # Right security
gateway, subnet behind it, next hop toward left.<o:p></o:p></p>
<p class=MsoNormal> #<o:p></o:p></p>
<p class=MsoNormal> also=hqmain<o:p></o:p></p>
<p class=MsoNormal> auto=start<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>conn colo-hqmirror<o:p></o:p></p>
<p class=MsoNormal> type=tunnel<o:p></o:p></p>
<p class=MsoNormal> #<o:p></o:p></p>
<p class=MsoNormal> # Left security
gateway, subnet behind it, next hop toward left.<o:p></o:p></p>
<p class=MsoNormal> #<o:p></o:p></p>
<p class=MsoNormal> also=colo<o:p></o:p></p>
<p class=MsoNormal> #<o:p></o:p></p>
<p class=MsoNormal> # Right security
gateway, subnet behind it, next hop toward left.<o:p></o:p></p>
<p class=MsoNormal> #<o:p></o:p></p>
<p class=MsoNormal> also=hqmirror<o:p></o:p></p>
<p class=MsoNormal> auto=start<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>##conn colomirror-hqmirror<o:p></o:p></p>
<p class=MsoNormal>## type=tunnel<o:p></o:p></p>
<p class=MsoNormal>## #<o:p></o:p></p>
<p class=MsoNormal>## # Left security gateway,
subnet behind it, next hop toward left.<o:p></o:p></p>
<p class=MsoNormal>## #<o:p></o:p></p>
<p class=MsoNormal>## also=colomirror<o:p></o:p></p>
<p class=MsoNormal>## #<o:p></o:p></p>
<p class=MsoNormal>## # Right security gateway,
subnet behind it, next hop toward left.<o:p></o:p></p>
<p class=MsoNormal>## #<o:p></o:p></p>
<p class=MsoNormal>## also=hqmirror<o:p></o:p></p>
<p class=MsoNormal>## auto=start<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>##conn colomirror-hqmain<o:p></o:p></p>
<p class=MsoNormal>## type=tunnel<o:p></o:p></p>
<p class=MsoNormal>## #<o:p></o:p></p>
<p class=MsoNormal>## # Left security gateway,
subnet behind it, next hop toward left.<o:p></o:p></p>
<p class=MsoNormal>## #<o:p></o:p></p>
<p class=MsoNormal>## also=colomirror<o:p></o:p></p>
<p class=MsoNormal>## #<o:p></o:p></p>
<p class=MsoNormal>## # Right security gateway,
subnet behind it, next hop toward left.<o:p></o:p></p>
<p class=MsoNormal>## #<o:p></o:p></p>
<p class=MsoNormal>## also=hqmain<o:p></o:p></p>
<p class=MsoNormal>## auto=start<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>include /etc/ipsec.d/sites.conf<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>And finally, sites.conf, which contains the IP Addresses of
all sites. Each site has an identical copy of sites.conf. Public IP
Addresses are dummied up and RSA keys truncated.<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>conn hqmain<o:p></o:p></p>
<p class=MsoNormal> right=1.2.42.85<o:p></o:p></p>
<p class=MsoNormal>
rightsubnet=175.10.0.0/16<o:p></o:p></p>
<p class=MsoNormal> rightnexthop=1.2.42.86<o:p></o:p></p>
<p class=MsoNormal>
rightsourceip=175.10.0.1<o:p></o:p></p>
<p class=MsoNormal> rightid=@hqmain<o:p></o:p></p>
<p class=MsoNormal>
### rightupdown=/etc/ipsec.d/hq-updown.sh<o:p></o:p></p>
<p class=MsoNormal> # rsakey
AQOkh1tMU<o:p></o:p></p>
<p class=MsoNormal> rightrsasigkey=0sAQOkh…<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>conn hqmirror<o:p></o:p></p>
<p class=MsoNormal> right=1.2.42.85<o:p></o:p></p>
<p class=MsoNormal>
rightsubnet=175.7.0.0/16<o:p></o:p></p>
<p class=MsoNormal> rightnexthop=1.2.42.86<o:p></o:p></p>
<p class=MsoNormal>
rightsourceip=175.7.0.1<o:p></o:p></p>
<p class=MsoNormal> rightid=@hqmirror<o:p></o:p></p>
<p class=MsoNormal> # rsakey
AQOkh1tMU<o:p></o:p></p>
<p class=MsoNormal>
rightrsasigkey=0sAQOkh1t…<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>conn colo<o:p></o:p></p>
<p class=MsoNormal> left=3.4.64.169<o:p></o:p></p>
<p class=MsoNormal>
leftsubnet=175.8.0.0/15<o:p></o:p></p>
<p class=MsoNormal> leftnexthop=3.4.64.174<o:p></o:p></p>
<p class=MsoNormal>
leftsourceip=175.9.1.1<o:p></o:p></p>
<p class=MsoNormal> leftid=@colo<o:p></o:p></p>
<p class=MsoNormal> # RSA 2192
bits colo-fw Wed Nov 29 19:08:25 2006<o:p></o:p></p>
<p class=MsoNormal>
leftrsasigkey=0sAQOSwRcj…<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>##conn colomirror<o:p></o:p></p>
<p class=MsoNormal>## left=3.4.64.169<o:p></o:p></p>
<p class=MsoNormal>## leftsubnet=175.8.0.0/16<o:p></o:p></p>
<p class=MsoNormal>## leftnexthop=3.4.64.174<o:p></o:p></p>
<p class=MsoNormal>## ##leftid=@colomirror<o:p></o:p></p>
<p class=MsoNormal>## # RSA 2192 bits
colo-fw Wed Nov 29 19:08:25 2006<o:p></o:p></p>
<p class=MsoNormal>## leftrsasigkey=0sAQOSwR…<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
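<p class=MsoNormal>The outage log quoted above, replayed through a small analyser. This is an added example, not code from the original post or from Openswan. SAMPLE_LOG is constructed from the post's pluto lines (rejoined where the pager split them) plus two constructed responder lines for colo-hqmirror; it counts Quick Mode initiations per conn inside a sliding window, records the Delete SA payloads for SAs the local side no longer tracks, and notes the DPD=none on every established SA. The window length and churn threshold are assumptions.<o:p></o:p></p>

```python
"""Flag IPsec SA churn in Openswan pluto logs, per connection.

Added example, not code from the original post. SAMPLE_LOG is constructed
from the pluto lines quoted in the post (rejoined where the pager split them)
plus two constructed responder lines for colo-hqmirror. The churn window and
threshold are assumptions; tune them for your site.
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
Jul 14 08:00:00 localhost pluto[23465]: initiate on demand from 175.10.0.1:8 to 175.9.1.35:0 proto=1 state: fos_start because: acquire
Jul 14 08:00:00 localhost pluto[23465]: "colo-hqmain" #212624: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#212615 msgid:d98e9c48 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Jul 14 08:00:00 localhost pluto[23465]: "colo-hqmain" #212624: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x86d6e4be <0x68544fa4 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Jul 14 08:00:03 localhost pluto[23465]: initiate on demand from 175.10.0.1:8 to 175.8.1.101:0 proto=1 state: fos_start because: acquire
Jul 14 08:00:03 localhost pluto[23465]: "colo-hqmain" #212625: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#212615 msgid:d31345ba proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Jul 14 08:00:03 localhost pluto[23465]: "colo-hqmain" #212625: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xb35a6fc7 <0xac2386d4 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Jul 14 08:00:28 localhost pluto[23465]: "colo-hqmain" #212615: received Delete SA(0x7c705344) payload: deleting IPSEC State #209204
Jul 14 08:00:31 localhost pluto[23465]: "colo-hqmain" #212615: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x8b2781f0) not found (maybe expired)
Jul 14 08:00:38 localhost pluto[23465]: initiate on demand from 175.10.0.1:8 to 175.9.1.1:0 proto=1 state: fos_start because: acquire
Jul 14 08:00:38 localhost pluto[23465]: "colo-hqmain" #212627: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#212615 msgid:3e7351ff proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Jul 14 08:00:39 localhost pluto[23465]: "colo-hqmain" #212627: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x19427699 <0x043fa1d4 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Jul 14 10:33:34 localhost pluto[3993]: "colo-hqmirror" #31: responding to Quick Mode proposal {msgid:6a8b3c68}
Jul 14 10:33:34 localhost pluto[3993]: "colo-hqmirror" #31: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x8fd8f76b <0xaf448d32 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
"""

TS_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) ")
ACQUIRE_RE = re.compile(r"initiate on demand from (\S+) to (\S+) proto=\d+ .*because: acquire")
CONN_RE = re.compile(r'pluto\[\d+\]: "([^"]+)" #(\d+): (.*)$')
SA_RE = re.compile(r"IPsec SA established tunnel mode \{ESP=>0x([0-9a-f]+) <0x([0-9a-f]+) .*DPD=(\w+)\}")
DEL_RE = re.compile(r"received Delete SA\(0x([0-9a-f]+)\) payload: deleting IPSEC State #\d+")
STALE_DEL_RE = re.compile(r"ignoring Delete SA payload: PROTO_IPSEC_ESP SA\(0x([0-9a-f]+)\) not found")


def parse_ts(line):
    """Syslog timestamps carry no year; that is fine for deltas inside one capture."""
    m = TS_RE.match(line)
    return datetime.strptime(m.group(1), "%b %d %H:%M:%S") if m else None


def max_in_window(times, window_s):
    """Largest number of timestamps that fall inside any window_s-second span."""
    times, best, lo = sorted(times), 0, 0
    for hi, t in enumerate(times):
        while (t - times[lo]).total_seconds() > window_s:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def analyse(log_text, window_s=60, churn_threshold=3):
    """Return {"acquires": [...], "conns": {name: report}}.

    'churn': churn_threshold or more Quick Mode initiations on one conn within
    window_s seconds, the pattern in the post's outage log (each kernel acquire
    is followed by a fresh child SA). 'no_dpd': DPD=none on an established SA,
    i.e. dead peer detection was not enabled, so IKE will not notice a dead peer.
    """
    conns = defaultdict(lambda: {"initiations": [], "established": [],
                                 "deleted_known": [], "deleted_unknown": [], "dpd": set()})
    acquires = []
    for line in log_text.splitlines():
        ts = parse_ts(line)
        m = ACQUIRE_RE.search(line)
        if m:
            acquires.append((ts, m.group(1), m.group(2)))  # acquire lines name no conn
            continue
        m = CONN_RE.search(line)
        if not m:
            continue
        conn, state_no, msg = m.group(1), int(m.group(2)), m.group(3)
        rep = conns[conn]
        if msg.startswith("initiating Quick Mode"):
            rep["initiations"].append(ts)
        elif (s := SA_RE.search(msg)):
            rep["established"].append((state_no, s.group(1), s.group(2)))  # (state, out SPI, in SPI)
            rep["dpd"].add(s.group(3))
        elif (d := DEL_RE.search(msg)):
            rep["deleted_known"].append(d.group(1))
        elif (d := STALE_DEL_RE.search(msg)):
            rep["deleted_unknown"].append(d.group(1))  # peer deleted an SA we no longer track
    for rep in conns.values():
        rep["peak_initiations"] = max_in_window(rep["initiations"], window_s)
        rep["churn"] = rep["peak_initiations"] >= churn_threshold
        rep["no_dpd"] = "none" in rep["dpd"]
    return {"acquires": acquires, "conns": dict(conns)}


def summarize(report):
    """One line per conn, suitable for a cron job that tails /var/log/secure."""
    lines = []
    for name, rep in sorted(report["conns"].items()):
        flags = [f for f, on in (("CHURN", rep["churn"]), ("NO-DPD", rep["no_dpd"])) if on]
        lines.append(f"{name}: {len(rep['established'])} SAs up, peak {rep['peak_initiations']} "
                     f"initiations/window, {len(rep['deleted_unknown'])} stale deletes {flags}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(analyse(SAMPLE_LOG))))
```

<p class=MsoNormal>Run against the real /var/log/secure, the interesting conn is the one whose peak initiation count jumps right after a line drop while the Delete SA payloads reference SPIs it never saw: that is the two pluto instances disagreeing about which child SAs exist.<o:p></o:p></p>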
<p class=MsoNormal><o:p> </o:p></p>
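<p class=MsoNormal>The conn layout above turned into a check rather than a diagnosis. This is an added example, not the post's code or Openswan's. It resolves also= templates the way the ipsec.conf/sites.conf split above is laid out and reports pairs of active conns whose left and right subnets both overlap. CONF is constructed from the post's conn definitions (its dummied public IPs, ids and RSA keys dropped) with the commented-out colomirror conn re-enabled so there is something to find: colomirror-hqmain (175.8/16) overlaps colo-hqmain (175.8/15) on both ends, while the two conns the post actually runs share a left subnet but not a right one. The precedence of a conn's own keys over also= keys is an assumption; the post's conns have no conflicting keys, so it makes no difference here.<o:p></o:p></p>

```python
"""Resolve Openswan also= templates and find conns with overlapping selectors.

Added example, not code from the original post. CONF is constructed from the
post's conn definitions with the colomirror conn re-enabled. Own keys winning
over also= keys is an assumption (irrelevant for these conns).
"""
import ipaddress
from itertools import combinations

CONF = """\
conn hqmain
    right=1.2.42.85
    rightsubnet=175.10.0.0/16
conn hqmirror
    right=1.2.42.85
    rightsubnet=175.7.0.0/16
conn colo
    left=3.4.64.169
    leftsubnet=175.8.0.0/15
conn colomirror
    left=3.4.64.169
    leftsubnet=175.8.0.0/16
conn colo-hqmain
    also=colo
    also=hqmain
    auto=start
conn colo-hqmirror
    also=colo
    also=hqmirror
    auto=start
conn colomirror-hqmain
    also=colomirror
    also=hqmain
    auto=start
"""


def parse_conns(text):
    """Minimal ipsec.conf reader: 'conn NAME' headers, key=value lines, '#' comments."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("conn "):
            cur = line.split(None, 1)[1]
            conns[cur] = {"also": []}
        elif cur and "=" in line:
            key, val = (p.strip() for p in line.split("=", 1))
            if key == "also":
                conns[cur]["also"].append(val)
            else:
                conns[cur][key] = val
    return conns


def resolve(conns, name, _seen=()):
    """Flatten also= chains; a conn's own keys win over template keys (assumption)."""
    if name in _seen:
        raise ValueError(f"also= loop through {name}")
    out = {}
    for tmpl in conns[name]["also"]:
        for k, v in resolve(conns, tmpl, _seen + (name,)).items():
            out.setdefault(k, v)
    out.update({k: v for k, v in conns[name].items() if k != "also"})
    return out


def tunnels(conns):
    """(name, leftsubnet, rightsubnet) for every conn with both ends and auto=start."""
    out = []
    for name in conns:
        c = resolve(conns, name)
        if c.get("auto") == "start" and "leftsubnet" in c and "rightsubnet" in c:
            out.append((name, ipaddress.ip_network(c["leftsubnet"]),
                        ipaddress.ip_network(c["rightsubnet"])))
    return out


def overlapping_pairs(conns):
    """Pairs of active conns whose selectors overlap on both ends, so a packet
    between the two sites can satisfy either conn's policy."""
    return [(n1, n2) for (n1, l1, r1), (n2, l2, r2) in combinations(tunnels(conns), 2)
            if l1.overlaps(l2) and r1.overlaps(r2)]


def supernet(nets):
    """The collapse the post did by hand: 175.8/16 + 175.9/16 -> 175.8/15."""
    return [str(n) for n in ipaddress.collapse_addresses(ipaddress.ip_network(n) for n in nets)]


if __name__ == "__main__":
    parsed = parse_conns(CONF)
    print(supernet(["175.8.0.0/16", "175.9.0.0/16"]))
    print(overlapping_pairs(parsed))
```

<p class=MsoNormal>Pointing parse_conns at the real ipsec.conf with the include expanded gives the same report for the live config; any pair it prints is two conns competing for one flow, which is worth ruling out before blaming the restart itself.<o:p></o:p></p>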
</div>
</body>
</html>