VERSION|0.4.7.1|SUBJECT|Linux kernel 2.6 IPSEC: single tunnel for multiple remote networks|CONTENT|My workplace has a Fortinet IPSEC VPN, which I connect to from my Linux server.  There are multiple subnets at work, like 192.168.0.0/21 and 10.2.2.0/24, and this was causing problems.

Everything was working great, except I could only connect to computers on one subnet at a time.  If I connected to a computer on the other subnet, the first subnet would stop working, and I would have to restart racoon to make it work again (actually I just had to reset my SAD entries, with setkey -F, and let it re-associate).

To make a long story short, the problem was that Fortinet cannot handle multiple tunnels like that.  If you establish a second tunnel, it uses the keys negotiated in that tunnel from then on.  It doesn't use the first tunnel.  [url=http://sourceforge.net/mailarchive/forum.php?thread_name=cd8179400706231425m2fe5d33fp301161a50c210a1%40mail.gmail.com&forum_name=ipsec-tools-devel new=true]This post[/url] explains it a little better.

Well I never wanted two tunnels in the first place.  I only want one tunnel even though there are multiple subnets on the remote side.  To fix it, I simply had to use [b][code]require[/code][/b] instead of [b][code]unique[/code][/b] on my SPD entries!

I'm using Debian's racoon-tool to create my spd entries (and racoon.conf).  With racoon-tool, you simply have to add the [b][code]level: require[/code][/b] option to each of your connections in your racoon-tool.conf.
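For readers who write their SPD entries by hand with setkey instead of racoon-tool, here is the equivalent policy file (an added example, not the original post's configuration; racoon-tool generates policies of this shape from the connection settings, so the [code]level: require[/code] option corresponds to the trailing [code]/require[/code] below).  It uses the post's own placeholders: a.b.c.d is the Linux server's public address, x.y.z.w the Fortinet gateway, and the two remote subnets are the ones mentioned above.

```conf
# setkey -f policy.conf
# Clear the SAD and SPD first (the same "setkey -F" the post used to recover).
flush;
spdflush;

# Two remote subnets, one tunnel endpoint pair.
# The level at the end of each policy is the important part:
#   unique  -> every policy demands its own SA pair, so reaching the second
#              subnet negotiates a second tunnel and the Fortinet side then
#              only honours the newer keys (the symptom described above).
#   require -> policies with the same endpoints/mode share one SA pair, so
#              both subnets ride the single tunnel.
spdadd a.b.c.d/32 192.168.0.0/21 any -P out ipsec esp/tunnel/a.b.c.d-x.y.z.w/require;
spdadd 192.168.0.0/21 a.b.c.d/32 any -P in  ipsec esp/tunnel/x.y.z.w-a.b.c.d/require;

spdadd a.b.c.d/32 10.2.2.0/24 any -P out ipsec esp/tunnel/a.b.c.d-x.y.z.w/require;
spdadd 10.2.2.0/24 a.b.c.d/32 any -P in  ipsec esp/tunnel/x.y.z.w-a.b.c.d/require;
```

To confirm it behaves as intended, reach a host on each subnet and then run [code]setkey -D[/code]: there should be a single inbound/outbound ESP pair between a.b.c.d and x.y.z.w, not one pair per subnet.  [code]setkey -DP[/code] shows the installed policies so you can check that none of them still say [code]unique[/code].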
[html]<hr>[/html]
BTW, my tunnel looks like this:
a.b.c.d/32 => a.b.c.d => x.y.z.w => 192.168.0.0/21

not like this:
192.168.8.0/24 => a.b.c.d => x.y.z.w => 192.168.0.0/21

Since my Linux server performs NAT (MASQUERADE) in iptables, I only need the tunnel to go to my server, not to my whole LAN subnet.  Somehow it is smart enough to NAT and then encrypt on the way out, and decrypt and then un-NAT on the way in, or something like that.  BTW, it's so smart that even when I was having problems with two tunnels from my server, the computers inside my LAN could connect to both remote subnets with no problem!  I believe this is due to a special MASQ table that can dynamically associate SPI values.  [url=http://tldp.org/HOWTO/VPN-Masquerade-HOWTO-6.html new=true]This page[/url] explained it well for me.|CATEGORIES|1,3|DATE|1182636460