Problem with Racoon/IPSec/Setkey - Routing to/from multiple networks

Helge Oldach helge.oldach at atosorigin.com
Tue Nov 18 07:32:39 PST 2003


Jamie Heckford:
>Helge Oldach wrote:
>> Jamie Heckford:
>>> /usr/sbin/setkey -c << EOF
>>> flush;
>>> spdflush;
>>> spdadd ${LOCAL_NETWORK} ${STJUST_NETWORK} any -P out ipsec
>>> esp/tunnel/${LOCAL_OUTSIDE}-${STJUST_OUTSIDE}/require;
>>> spdadd ${STJUST_NETWORK} ${LOCAL_NETWORK} any -P in  ipsec
>>> esp/tunnel/${STJUST_OUTSIDE}-${LOCAL_OUTSIDE}/require;
>>> spdadd ${ALLNET_1} ${STJUST_NETWORK} any -P out ipsec
>>> esp/tunnel/${LOCAL_OUTSIDE}-${STJUST_OUTSIDE}/require;
>>> spdadd ${STJUST_NETWORK} ${ALLNET_1} any -P in  ipsec
>>> esp/tunnel/${STJUST_OUTSIDE}-${LOCAL_OUTSIDE}/require;
>>> spdadd ${LOCAL_NETWORK} ${BENELUX_NETWORK} any -P out ipsec
>>> esp/tunnel/${LOCAL_OUTSIDE}-${BENELUX_OUTSIDE}/require;
>>> spdadd ${BENELUX_NETWORK} ${LOCAL_NETWORK} any -P in ipsec
>>> esp/tunnel/${BENELUX_OUTSIDE}-${LOCAL_OUTSIDE}/require;
>>> spdadd ${ALLNET_1} ${BENELUX_NETWORK} any -P out ipsec
>>> esp/tunnel/${LOCAL_OUTSIDE}-${BENELUX_OUTSIDE}/require;
>>> spdadd ${BENELUX_NETWORK} ${ALLNET_1} any -P in ipsec
>>> esp/tunnel/${BENELUX_OUTSIDE}-${LOCAL_OUTSIDE}/require;
>>> EOF
>> 
>> Try using "unique" instead of "require".
>> 
>> Helge
>
>Thanks a lot Helge, this worked fine :)
>
>What does unique do instead of require..? 

Frankly, I never understood this in detail. "unique" appears to tie
together the SA and the policy and appears to ensure that the correct SA
is being used for a policy. But then I don't see what "require" would be
useful for at all, as the "unique" behaviour is what one usually wants
to achieve when using IKE (racoon).

Actually this question pops up every now and then, with always the same
answer. :-) For example, if you're talking against a Cisco VPN gateway,
you *must* use unique, otherwise it won't work at all.

Maybe somebody else can shed some light on the matter?

Helge
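As an added illustration of why "unique" fixed the setup above (this is a small model written for this page, not code from the thread or from the KAME/FreeBSD kernel): two SPD entries that share the same outer tunnel endpoints look identical to the outbound SA lookup unless each policy carries its own reqid, so under "require" the second policy silently reuses the SA negotiated for the first one, whose selectors the peer will not accept. Addresses and network names are constructed placeholders.

```python
# Model of how the kernel picks an outbound SA for an SPD entry under
# "require" vs "unique" (written for this page, not the kernel's own code).
# Under "require" the policy's reqid is 0 and any SA with the same tunnel
# endpoints is accepted; under "unique" each policy is given a nonzero
# reqid and only an SA negotiated for that reqid matches.
from dataclasses import dataclass

@dataclass(frozen=True)
class SA:
    src: str          # outer tunnel source, e.g. LOCAL_OUTSIDE
    dst: str          # outer tunnel destination, e.g. STJUST_OUTSIDE
    reqid: int        # 0 for an SA set up against a "require" policy
    selectors: tuple  # (inner src net, inner dst net) the peer agreed to

@dataclass(frozen=True)
class Policy:
    inner_src: str
    inner_dst: str
    tun_src: str
    tun_dst: str
    level: str        # "require" or "unique"
    reqid: int = 0    # nonzero only when level == "unique"

def lookup_sa(policy, sad):
    """First SA whose tunnel endpoints match the policy; the reqid is
    compared only when the policy itself has a nonzero reqid."""
    for sa in sad:
        if (sa.src, sa.dst) != (policy.tun_src, policy.tun_dst):
            continue
        if policy.reqid and sa.reqid != policy.reqid:
            continue
        return sa
    return None

def selectors_accepted(policy, sa):
    """The remote gateway drops traffic outside the selectors it negotiated."""
    return sa is not None and sa.selectors == (policy.inner_src, policy.inner_dst)

def demo(level):
    """Two policies (LOCAL_NETWORK and ALLNET_1 towards the same peer net) share
    one gateway pair; only the first has been negotiated so far.  Returns the SA
    picked for the second policy and whether the peer would accept it."""
    reqids = (1, 2) if level == "unique" else (0, 0)
    p_local = Policy("10.1.0.0/16", "10.9.0.0/16", "192.0.2.1", "198.51.100.1", level, reqids[0])
    p_all = Policy("10.2.0.0/16", "10.9.0.0/16", "192.0.2.1", "198.51.100.1", level, reqids[1])
    sad = [SA("192.0.2.1", "198.51.100.1", p_local.reqid, (p_local.inner_src, p_local.inner_dst))]
    sa = lookup_sa(p_all, sad)
    return sa, selectors_accepted(p_all, sa)
```

With "require", `demo` hands the ALLNET_1 policy the LOCAL_NETWORK SA and the peer rejects the traffic; with "unique", no SA matches, so the kernel raises an ACQUIRE and racoon negotiates a second SA with the right selectors.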


More information about the freebsd-net mailing list