Multiple IPSec tunnels

Link King king at
Wed Jul 30 22:44:15 BST 2003

I've been working on trying to get a routeable solution for multiple IPSec
tunnels terminating on a FreeBSD box.  The other end of the tunnels will
be Cisco routers.  I've had little trouble setting up point to point
tunnels but am having some difficulty figuring out how to route over
multiple tunnels to the same destination IP prefix.  Simplified setup goes
as follows (forgive my bad ASCII art):

                      __ ciscoA __
                     /             \ (server)        (destination)

                     \__ ciscoB __/

The idea is to run BGP from ciscoA and B to the freebsd server.  If one
connection should go down the server would have another route to through the other router.

Now, the problem I am having when setting up IPSec is that you specify
source and destination networks to encrypt.  However, the source and
destination settings for both tunnels are the same in this case.  How do
you differentiate between the two?

My thought was that I could add GRE (or IPIP) and use the GRE tunnel
endpoint (on the Cisco) as the destination network to differentiate
between tunnels.  However, successful implementation has escaped me so

Does anyone have an IPSec setup to multiple endpoints using some sort of
routing protocol to distribute and receive the same prefixes across each

Link King
king at

More information about the Ukfreebsd mailing list