<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.6000.16608" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left><SPAN class=470521819-14032008><FONT face=Arial
color=#0000ff size=2>It might be because you're using the same cert for both
rights...</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=470521819-14032008><FONT face=Arial
color=#0000ff size=2>Each host should have its own cert.</FONT></SPAN></DIV>
<DIV> </DIV>
<DIV align=left><FONT face=Arial size=2>Peter McGill</FONT></DIV>
<DIV> </DIV><BR>
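<DIV align=left><FONT face=Arial size=2>Peter's suggestion can be checked mechanically. The script below is an added example written for this page; it is not part of the thread and not an Openswan tool. It parses the <CODE>conn</CODE> sections of the ipsec.conf quoted below (embedded as <CODE>SAMPLE_CONF</CODE>, a constructed copy of the posted config with the host names as posted) and the "Main mode peer ID" lines from the quoted pluto log (embedded as <CODE>SAMPLE_LOG</CODE>), then reports any connections that point at different <CODE>right=</CODE> hosts but pin the same <CODE>rightcert</CODE>, and any peer identity that more than one connection authenticated with. The parser is a minimal one for the header/indented key=value layout seen in the post and does not handle <CODE>include</CODE> or <CODE>also=</CODE>.</FONT></DIV>

```python
"""Lint an ipsec.conf and a pluto log for certificate and peer-ID reuse.

Added example, not from the Openswan project or the mailing-list post.
SAMPLE_CONF and SAMPLE_LOG are constructed copies of what the post shows.
"""
import re
from collections import defaultdict

# Constructed copy of the posted ipsec.conf (comments kept as in the post).
SAMPLE_CONF = """\
version 2.0
config setup
    klipsdebug=all
    plutodebug=none
    nat_traversal=no
    interfaces=%defaultroute

conn CONN1
    right=domain1.net
    rightsubnet=11.22.33.44/32
    rightnexthop=%defaultroute
    #left=%defaultroute
    left=192.168.0.21
    leftid=@domain3.net
    authby=rsasig
    ikelifetime=24h
    #Certificate Information
    rightcert="/etc/ipsec.d/certs/ap-it.crt.pem"
    leftcert="/etc/ipsec.d/certs/ap-de.crt.pem"
    auto=add

conn CONN2
    right=domain2.net
    rightsubnet=22.33.44.55/32
    rightnexthop=%defaultroute
    left=%defaultroute
    leftid=@domain3.net
    authby=rsasig
    ikelifetime=24h
    rightcert="/etc/ipsec.d/certs/ap-it.crt.pem"
    leftcert="/etc/ipsec.d/certs/ap-de.crt.pem"
    auto=add
"""

# Constructed excerpt of the posted pluto log (three relevant lines).
SAMPLE_LOG = """\
Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: Main mode peer ID is ID_DER_ASN1_DN: 'abc'
Mar 14 19:52:53 ap-de pluto[21515]: "CONN2" #3: Main mode peer ID is ID_DER_ASN1_DN: 'abc'
Mar 14 19:52:53 ap-de pluto[21515]: "CONN1" #2: deleting state (STATE_QUICK_I2)
"""


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} for every 'conn' section.

    Section headers start at column 0, their key=value lines are indented.
    '#' comments and non-conn sections (version, config setup) are skipped;
    surrounding double quotes are stripped from values.
    """
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():                  # section header
            parts = line.split()
            is_conn = parts[0] == "conn" and len(parts) > 1
            current = conns.setdefault(parts[1], {}) if is_conn else None
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.strip().split("=", 1)
        current[key.strip()] = value.strip().strip('"')
    return conns


def cert_reuse(conns):
    """Return {rightcert: {(conn, right), ...}} for certs pinned by conns
    that talk to *different* right= hosts (one cert per peer is the goal)."""
    by_cert = defaultdict(set)
    for name, kv in conns.items():
        if "rightcert" in kv:
            by_cert[kv["rightcert"]].add((name, kv.get("right")))
    return {cert: users for cert, users in by_cert.items()
            if len({host for _, host in users}) > 1}


PEER_ID_RE = re.compile(
    r"\"([^\"]+)\" #\d+: Main mode peer ID is (\S+): '([^']*)'")


def peer_id_reuse(log):
    """Return {(id_type, id_value): {conn, ...}} for peer IDs that more than
    one connection authenticated with, from pluto's Main mode log lines."""
    seen = defaultdict(set)
    for line in log.splitlines():
        m = PEER_ID_RE.search(line)
        if m:
            seen[(m.group(2), m.group(3))].add(m.group(1))
    return {pid: names for pid, names in seen.items() if len(names) > 1}


if __name__ == "__main__":
    conns = parse_ipsec_conf(SAMPLE_CONF)
    for cert, users in cert_reuse(conns).items():
        print(f"rightcert {cert} pinned for different peers: {sorted(users)}")
    for (kind, pid), names in peer_id_reuse(SAMPLE_LOG).items():
        print(f"peer ID {kind} '{pid}' presented on conns {sorted(names)}")
```

<DIV align=left><FONT face=Arial size=2>Run against the posted configuration it flags <CODE>ap-it.crt.pem</CODE> as pinned for both domain1.net and domain2.net, and the log check shows both peers identifying as the same DN 'abc', which is what you would expect if both remote hosts present the same certificate. Replacing the shared <CODE>rightcert</CODE> with a per-host certificate (and, where you want to be explicit, a matching <CODE>rightid</CODE>) makes both findings go away; the lint does not by itself prove which state pluto will tear down.</FONT></DIV>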
<BLOCKQUOTE
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> users-bounces@openswan.org
[mailto:users-bounces@openswan.org] <B>On Behalf Of </B>Jofre
Palau<BR><B>Sent:</B> March 14, 2008 3:07 PM<BR><B>To:</B>
users@openswan.org<BR><B>Subject:</B> [Openswan Users] Setting a second tunnel
stop the first one<BR></FONT><BR></DIV>
<DIV></DIV>Hi,<BR>I have the following configuration:<BR><BR>
<PRE>version 2.0
config setup
    klipsdebug=all
    plutodebug=none
    nat_traversal=no
    interfaces=%defaultroute

conn CONN1
    right=domain1.net
    rightsubnet=11.22.33.44/32
    rightnexthop=%defaultroute
    #left=%defaultroute
    left=192.168.0.21
    leftid=@domain3.net
    authby=rsasig
    ikelifetime=24h
    #Certificate Information
    rightcert="/etc/ipsec.d/certs/ap-it.crt.pem"
    leftcert="/etc/ipsec.d/certs/ap-de.crt.pem"
    auto=add

conn CONN2
    right=domain2.net
    rightsubnet=22.33.44.55/32
    rightnexthop=%defaultroute
    left=%defaultroute
    leftid=@domain3.net
    authby=rsasig
    ikelifetime=24h
    #Certificate Information
    rightcert="/etc/ipsec.d/certs/ap-it.crt.pem"
    leftcert="/etc/ipsec.d/certs/ap-de.crt.pem"
    auto=add
</PRE>
Both connections work fine on their own, but every time I start one<BR>with ipsec auto --up CONN1<BR>or ipsec auto --up CONN2<BR><BR>the first one stops working.<BR><BR>I'd like to be able to have both up and running in parallel:<BR><BR>
<PRE>Mar 14 19:52:11 ap-de pluto[21515]: "CONN1" #1: initiating Main Mode
Mar 14 19:52:11 ap-de pluto[21515]: "CONN1" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Mar 14 19:52:11 ap-de pluto[21515]: "CONN1" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: ignoring unknown Vendor ID payload [4683d866e51b99451c54656c646174]
Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: received Vendor ID payload [Cisco-Unity]
Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: received Vendor ID payload [XAUTH]
Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: received Vendor ID payload [Dead Peer Detection]
Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: I am sending my cert
Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: I am sending a certificate request
Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: Main mode peer ID is ID_DER_ASN1_DN: 'abc'
Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: no crl from issuer "xyz" found (strict=no)
Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: received and ignored informational message
Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #2: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x3576fc2d &lt;0xdc5bda95 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
Mar 14 19:52:13 ap-de pluto[21515]: "CONN1" #1: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x886bb9ed) not found (maybe expired)
Mar 14 19:52:13 ap-de pluto[21515]: "CONN1" #1: received and ignored informational message
</PRE>
&lt;here I start CONN2&gt;<BR><BR>
<PRE>Mar 14 19:52:52 ap-de pluto[21515]: "CONN2" #3: initiating Main Mode
Mar 14 19:52:52 ap-de pluto[21515]: "CONN2" #3: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Mar 14 19:52:52 ap-de pluto[21515]: "CONN2" #3: STATE_MAIN_I2: sent MI2, expecting MR2
Mar 14 19:52:52 ap-de pluto[21515]: "CONN2" #3: ignoring unknown Vendor ID payload [4d5debb3210ca0388954656c646174]
Mar 14 19:52:52 ap-de pluto[21515]: "CONN2" #3: received Vendor ID payload [Cisco-Unity]
Mar 14 19:52:52 ap-de pluto[21515]: "CONN2" #3: received Vendor ID payload [XAUTH]
Mar 14 19:52:52 ap-de pluto[21515]: "CONN2" #3: received Vendor ID payload [Dead Peer Detection]
Mar 14 19:52:52 ap-de pluto[21515]: "CONN2" #3: I am sending my cert
Mar 14 19:52:52 ap-de pluto[21515]: "CONN2" #3: I am sending a certificate request
Mar 14 19:52:52 ap-de pluto[21515]: "CONN2" #3: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Mar 14 19:52:52 ap-de pluto[21515]: "CONN2" #3: STATE_MAIN_I3: sent MI3, expecting MR3
Mar 14 19:52:53 ap-de pluto[21515]: "CONN2" #3: Main mode peer ID is ID_DER_ASN1_DN: 'abc'
Mar 14 19:52:53 ap-de pluto[21515]: "CONN2" #3: no crl from issuer "xyz" found (strict=no)

Mar 14 19:52:53 ap-de pluto[21515]: "CONN1" #2: deleting state (STATE_QUICK_I2)
Mar 14 19:52:53 ap-de pluto[21515]: "CONN1" #1: deleting state (STATE_MAIN_I4)
</PRE>
&lt;here CONN1 stops working&gt;<BR><BR>
<PRE>Mar 14 19:52:53 ap-de pluto[21515]: "CONN2" #3: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Mar 14 19:52:53 ap-de pluto[21515]: "CONN2" #3: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Mar 14 19:52:53 ap-de pluto[21515]: "CONN2" #4: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#3}
Mar 14 19:52:53 ap-de pluto[21515]: "CONN2" #3: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
Mar 14 19:52:53 ap-de pluto[21515]: "CONN2" #3: received and ignored informational message
Mar 14 19:52:53 ap-de pluto[21515]: "CONN2" #4: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
Mar 14 19:52:53 ap-de pluto[21515]: "CONN2" #4: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Mar 14 19:52:53 ap-de pluto[21515]: "CONN2" #4: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x9639e7fb &lt;0x2d4a4701 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
Mar 14 19:52:55 ap-de pluto[21515]: "CONN2" #3: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xa720ec72) not found (maybe expired)
Mar 14 19:52:55 ap-de pluto[21515]: "CONN2" #3: received and ignored informational message
</PRE>
Do you have a hint on how to make both connections work in parallel?<BR>Thank you very much<BR>Jofre<BR><BR><BR></BLOCKQUOTE></BODY></HTML>