Very Computer

> I am trying to set up my OpenBSD 2.9-stable to handle two separate
> net-to-net vpn tunnels. Example: OpenBSD box currently has one
> net-to-net VPN set up with a remote cisco pix firewall that works
> fine. Now I need to add another net-to-net VPN between OpenBSD and
> different location. I do not want the two remote locations to
> communicate with each other, I just want to have my local network to
> be able to communicate with either of the two remote sites.
> I am having a hard time finding documentation as far as configuring
> isakmpd for this. Maybe it is so simple that no one thought to add it
> and I just am dense or maybe it is something isn't done usually or at
> all; this is possible isn't it?

> > I am trying to set up my OpenBSD 2.9-stable to handle two separate
> > net-to-net vpn tunnels. Example: OpenBSD box currently has one
> > net-to-net VPN set up with a remote cisco pix firewall that works
> > fine. Now I need to add another net-to-net VPN between OpenBSD and
> > different location. I do not want the two remote locations to
> > communicate with each other, I just want to have my local network to
> > be able to communicate with either of the two remote sites.

> > I am having a hard time finding documentation as far as configuring
> > isakmpd for this. Maybe it is so simple that no one thought to add it
> > and I just am dense or maybe it is something isn't done usually or at
> > all; this is possible isn't it?

> would :
> /usr/share/ipsec/isakmpd/VPN-3way-template.conf

> be of value ?

>That helps a ton! What about the policy file? I am thinking of the
>VPN-XXX to VPN-YYY uses passphrase of 'password' in isakmpd.conf
>VPN-XXX to VPN-ZZZ uses passphrase of 'mekmitasdigoat' in isakmpd.conf

>>That helps a ton! What about the policy file? I am thinking of the
>>VPN-XXX to VPN-YYY uses passphrase of 'password' in isakmpd.conf
>>VPN-XXX to VPN-ZZZ uses passphrase of 'mekmitasdigoat' in isakmpd.conf
> Use something like this:
> | Authorizer: "subpolicy0"
> | Comment: subpolicy for VPN-Peer YYY
> | Licensees: "passphrase:password"
> | Conditions: esp_present == "yes" -> "true";
> |
> | Authorizer: "subpolicy1"
> | Comment: subpolicy for VPN-Peer YYY
> | Licensees: "passphrase:password"
> | Conditions: esp_present == "yes" -> "true";
> |
> | Authorizer: "POLICY"
> | Comment: this policy may be divided in several subpolicies
> | Licensees: "subpolicy0 || subpolicy1"
> | Conditions: app_domain == "IPsec policy" -> "true";
> It's in the keynote(5) manpage, I think. But I admit, it took me a while
> to find out as well. Do all 3 peers have fixed ip addresses? Dynamic
> IPs on the peers makes things even more interesting...