I think you are right. <br>I just successfully tested a third connection that uses another certificate, and it works fine in parallel with one of the previous ones.<br>Thanks for your fast answer. <br>Jofre<br><br><br><div class="gmail_quote">
On Fri, Mar 14, 2008 at 8:22 PM, Peter McGill <<a href="mailto:petermcgill@goco.net">petermcgill@goco.net</a>> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">It might be because you're using the same cert for both rights...</font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">Each host should have its own cert.</font></span></div>
<div> </div>
<div align="left"><font face="Arial" size="2">Peter McGill</font></div>
<div> </div><br>
<blockquote style="border-left: 2px solid rgb(0, 0, 255); padding-left: 5px; margin-left: 5px; margin-right: 0px;">
<div dir="ltr" align="left" lang="en-us">
<hr>
<font face="Tahoma" size="2"><b>From:</b> <a href="mailto:users-bounces@openswan.org" target="_blank">users-bounces@openswan.org</a>
[mailto:<a href="mailto:users-bounces@openswan.org" target="_blank">users-bounces@openswan.org</a>] <b>On Behalf Of </b>Jofre
Palau<br><b>Sent:</b> March 14, 2008 3:07 PM<br><b>To:</b>
<a href="mailto:users@openswan.org" target="_blank">users@openswan.org</a><br><b>Subject:</b> [Openswan Users] Setting a second tunnel
stop the first one<br></font><br></div><div><div></div><div class="Wj3C7c">
<div></div>Hi,<br>I have the following configuration:<br><br><pre>version 2.0
config setup
        klipsdebug=all
        plutodebug=none
        nat_traversal=no
        interfaces=%defaultroute

conn CONN1
        right=domain1.net
        rightsubnet=11.22.33.44/32
        rightnexthop=%defaultroute
        #left=%defaultroute
        left=192.168.0.21
        leftid=@domain3.net
        authby=rsasig
        ikelifetime=24h
        #Certificate Information
        rightcert="/etc/ipsec.d/certs/ap-it.crt.pem"
        leftcert="/etc/ipsec.d/certs/ap-de.crt.pem"
        auto=add

conn CONN2
        right=domain2.net
        rightsubnet=22.33.44.55/32
        rightnexthop=%defaultroute
        left=%defaultroute
        leftid=@domain3.net
        authby=rsasig
        ikelifetime=24h
        #Certificate Information
        rightcert="/etc/ipsec.d/certs/ap-it.crt.pem"
        leftcert="/etc/ipsec.d/certs/ap-de.crt.pem"
        auto=add
</pre><br>Both connections work fine alone, but every time I start one with ipsec auto --up CONN1 or ipsec auto --up CONN2, the first one stops working.<br><br>I'd like to be able to have both up and running in parallel:<br><br><br>Mar 14 19:52:11 ap-de pluto[21515]:
"CONN1" #1: initiating Main Mode<br>Mar 14 19:52:11 ap-de pluto[21515]:
"CONN1" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2<br>Mar
14 19:52:11 ap-de pluto[21515]: "CONN1" #1: STATE_MAIN_I2: sent MI2, expecting
MR2<br>Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: ignoring unknown Vendor
ID payload [4683d866e51b99451c54656c646174]<br>Mar 14 19:52:12 ap-de
pluto[21515]: "CONN1" #1: received Vendor ID payload [Cisco-Unity]<br>Mar 14
19:52:12 ap-de pluto[21515]: "CONN1" #1: received Vendor ID payload
[XAUTH]<br>Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: received Vendor ID
payload [Dead Peer Detection]<br>Mar 14 19:52:12 ap-de pluto[21515]: "CONN1"
#1: I am sending my cert<br>Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: I
am sending a certificate request<br>Mar 14 19:52:12 ap-de pluto[21515]:
"CONN1" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3<br>Mar
14 19:52:12 ap-de pluto[21515]: "CONN1" #1: STATE_MAIN_I3: sent MI3, expecting
MR3<br>Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: Main mode peer ID is
ID_DER_ASN1_DN: 'abc'<br>Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: no
crl from issuer "xyz" found (strict=no)<br>Mar 14 19:52:12 ap-de pluto[21515]:
"CONN1" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4<br>Mar
14 19:52:12 ap-de pluto[21515]: "CONN1" #1: STATE_MAIN_I4: ISAKMP SA
established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5
group=modp1024}<br>Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #2: initiating
Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}<br>Mar 14 19:52:12
ap-de pluto[21515]: "CONN1" #1: ignoring informational payload, type
IPSEC_RESPONDER_LIFETIME<br>Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1:
received and ignored informational message<br>Mar 14 19:52:12 ap-de
pluto[21515]: "CONN1" #2: ignoring informational payload, type
IPSEC_RESPONDER_LIFETIME<br>Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #2:
transition from state STATE_QUICK_I1 to state STATE_QUICK_I2<br>Mar 14
19:52:12 ap-de pluto[21515]: "CONN1" #2: STATE_QUICK_I2: sent QI2, IPsec SA
established {ESP=>0x3576fc2d <0xdc5bda95 xfrm=3DES_0-HMAC_MD5 NATD=none
DPD=none}<br>Mar 14 19:52:13 ap-de pluto[21515]: "CONN1" #1: ignoring Delete
SA payload: PROTO_IPSEC_ESP SA(0x886bb9ed) not found (maybe expired)<br>Mar 14
19:52:13 ap-de pluto[21515]: "CONN1" #1: received and ignored informational
message<br><br><here I start CONN2 ><br><br>Mar 14 19:52:52 ap-de
pluto[21515]: "CONN2" #3: initiating Main Mode<br>Mar 14 19:52:52 ap-de
pluto[21515]: "CONN2" #3: transition from state STATE_MAIN_I1 to state
STATE_MAIN_I2<br>Mar 14 19:52:52 ap-de pluto[21515]: "CONN2" #3:
STATE_MAIN_I2: sent MI2, expecting MR2<br>Mar 14 19:52:52 ap-de pluto[21515]:
"CONN2" #3: ignoring unknown Vendor ID payload
[4d5debb3210ca0388954656c646174]<br>Mar 14 19:52:52 ap-de pluto[21515]:
"CONN2" #3: received Vendor ID payload [Cisco-Unity]<br>Mar 14 19:52:52 ap-de
pluto[21515]: "CONN2" #3: received Vendor ID payload [XAUTH]<br>Mar 14
19:52:52 ap-de pluto[21515]: "CONN2" #3: received Vendor ID payload [Dead Peer
Detection]<br>Mar 14 19:52:52 ap-de pluto[21515]: "CONN2" #3: I am sending my
cert<br>Mar 14 19:52:52 ap-de pluto[21515]: "CONN2" #3: I am sending a
certificate request<br>Mar 14 19:52:52 ap-de pluto[21515]: "CONN2" #3:
transition from state STATE_MAIN_I2 to state STATE_MAIN_I3<br>Mar 14 19:52:52
ap-de pluto[21515]: "CONN2" #3: STATE_MAIN_I3: sent MI3, expecting MR3<br>Mar
14 19:52:53 ap-de pluto[21515]: "CONN2" #3: Main mode peer ID is
ID_DER_ASN1_DN: 'abc'<br>Mar 14 19:52:53 ap-de pluto[21515]: "CONN2" #3: no
crl from issuer "xyz" found (strict=no)<br><br>Mar 14 19:52:53 ap-de
pluto[21515]: "CONN1" #2: deleting state (STATE_QUICK_I2)<br>Mar 14 19:52:53
ap-de pluto[21515]: "CONN1" #1: deleting state (STATE_MAIN_I4)<br><br><
here CONN1 stops working ><br><br>Mar 14 19:52:53 ap-de pluto[21515]:
"CONN2" #3: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4<br>Mar
14 19:52:53 ap-de pluto[21515]: "CONN2" #3: STATE_MAIN_I4: ISAKMP SA
established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5
group=modp1024}<br>Mar 14 19:52:53 ap-de pluto[21515]: "CONN2" #4: initiating
Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#3}<br>Mar 14 19:52:53
ap-de pluto[21515]: "CONN2" #3: ignoring informational payload, type
IPSEC_RESPONDER_LIFETIME<br>Mar 14 19:52:53 ap-de pluto[21515]: "CONN2" #3:
received and ignored informational message<br>Mar 14 19:52:53 ap-de
pluto[21515]: "CONN2" #4: ignoring informational payload, type
IPSEC_RESPONDER_LIFETIME<br>Mar 14 19:52:53 ap-de pluto[21515]: "CONN2" #4:
transition from state STATE_QUICK_I1 to state STATE_QUICK_I2<br>Mar 14
19:52:53 ap-de pluto[21515]: "CONN2" #4: STATE_QUICK_I2: sent QI2, IPsec SA
established {ESP=>0x9639e7fb <0x2d4a4701 xfrm=3DES_0-HMAC_MD5 NATD=none
DPD=none}<br>Mar 14 19:52:55 ap-de pluto[21515]: "CONN2" #3: ignoring Delete
SA payload: PROTO_IPSEC_ESP SA(0xa720ec72) not found (maybe expired)<br>Mar 14
19:52:55 ap-de pluto[21515]: "CONN2" #3: received and ignored informational
message<br><br><br>Do you have a hint on how to make both connections work in parallel?<br>Thank you very much<br>Jofre<br><br><br></div></div></blockquote></div>
</blockquote></div><br>
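An added check for the problem discussed in this thread (example code, not from the thread or from the Openswan project): a small Python lint that parses an ipsec.conf, works out which identity each conn expects from its remote peer (an explicit rightid, otherwise the subject of rightcert, approximated here by the certificate path), and reports conns that expect the same one. Run against the poster's configuration it flags CONN1 and CONN2 as both expecting the peer from ap-it.crt.pem; run against a copy where CONN2 points at a hypothetical ap-it2.crt.pem (an assumed file name) it reports nothing. Sharing leftcert across conns is fine, since that is the local host's own certificate. The reason the shared peer identity matters: pluto with its default uniqueids=yes treats a new ISAKMP SA from a peer presenting an ID already in use as replacing the existing one, which is consistent with the "deleting state" lines for CONN1 appearing right after CONN2's peer identified itself with the same 'abc' DN.

```python
"""Lint an Openswan/Pluto-style ipsec.conf for conns whose remote peers would
present the same identity.  Added example for this thread, not code from the
thread or from the Openswan project."""
import re
from collections import defaultdict

# Constructed sample: the poster's configuration as shown in the thread,
# re-indented (the mail client had flattened the whitespace).
ORIGINAL_CONF = """\
version 2.0
config setup
    klipsdebug=all
    plutodebug=none
    nat_traversal=no
    interfaces=%defaultroute

conn CONN1
    right=domain1.net
    rightsubnet=11.22.33.44/32
    rightnexthop=%defaultroute
    #left=%defaultroute
    left=192.168.0.21
    leftid=@domain3.net
    authby=rsasig
    ikelifetime=24h
    #Certificate Information
    rightcert="/etc/ipsec.d/certs/ap-it.crt.pem"
    leftcert="/etc/ipsec.d/certs/ap-de.crt.pem"
    auto=add

conn CONN2
    right=domain2.net
    rightsubnet=22.33.44.55/32
    rightnexthop=%defaultroute
    left=%defaultroute
    leftid=@domain3.net
    authby=rsasig
    ikelifetime=24h
    rightcert="/etc/ipsec.d/certs/ap-it.crt.pem"
    leftcert="/etc/ipsec.d/certs/ap-de.crt.pem"
    auto=add
"""

# Hypothetical corrected copy: CONN2's peer presents its own certificate.
# The file name ap-it2.crt.pem is an assumption, not from the thread.
_head, _conn2 = ORIGINAL_CONF.split("conn CONN2")
FIXED_CONF = _head + "conn CONN2" + _conn2.replace("ap-it.crt.pem", "ap-it2.crt.pem")

SECTION_RE = re.compile(r"^(config|conn)\s+(\S+)\s*$")            # column 0
PARAM_RE = re.compile(r"^\s+([A-Za-z_][\w-]*)\s*=\s*(.*?)\s*$")   # indented key=value


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} with any 'conn %default' folded in.
    A line at column 0 opens a section; indented key=value lines belong to
    the current section.  '#' starts a comment (values containing a literal
    '#' are not handled; none appear in the sample)."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.groups(), {})
            continue
        m = PARAM_RE.match(line)
        if m and current is not None:
            key, value = m.groups()
            current[key] = value.strip('"')
    defaults = sections.get(("conn", "%default"), {})
    conns = {}
    for (kind, name), params in sections.items():
        if kind == "conn" and name != "%default":
            conns[name] = {**defaults, **params}
    return conns


def peer_identity(conn):
    """Identity pluto will require from the remote end: an explicit rightid,
    else the subject of rightcert (stood in for by its path here), else the
    peer address."""
    if "rightid" in conn:
        return ("id", conn["rightid"])
    if "rightcert" in conn:
        return ("cert", conn["rightcert"])
    return ("addr", conn.get("right", "%any"))


def shared_peer_identities(text):
    """Map each peer identity expected by more than one conn to those conns."""
    by_identity = defaultdict(list)
    for name, conn in sorted(parse_ipsec_conf(text).items()):
        by_identity[peer_identity(conn)].append(name)
    return {ident: names for ident, names in by_identity.items() if len(names) > 1}


if __name__ == "__main__":
    for label, conf in (("original", ORIGINAL_CONF), ("fixed", FIXED_CONF)):
        clashes = shared_peer_identities(conf)
        if not clashes:
            print(f"{label}: no conns share a peer identity")
        for (kind, value), names in clashes.items():
            print(f"{label}: {', '.join(names)} all expect peer {kind} {value!r}; "
                  "with uniqueids=yes the newest ISAKMP SA replaces the others")
```

The check is deliberately one-sided: it groups on the right (remote) end only, because that is the identity pluto keys its uniqueids replacement on; the same leftcert in every conn is the normal case for one gateway with several tunnels.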