Hi,<br>I have the following configuration:<br><br>version 2.0 <br>config setup<br> klipsdebug=all<br> plutodebug=none<br> nat_traversal=no<br> interfaces=%defaultroute<br><br>conn CONN1<br> right=domain1.net<br>
rightsubnet=11.22.33.44/32<br> rightnexthop=%defaultroute<br> #left=%defaultroute<br> left=192.168.0.21<br> leftid=@domain3.net<br>
authby=rsasig<br> ikelifetime=24h<br> #Certificate Information<br> rightcert="/etc/ipsec.d/certs/ap-it.crt.pem"<br> leftcert="/etc/ipsec.d/certs/ap-de.crt.pem"<br> auto=add<br>
<br>conn CONN2<br> right=domain2.net<br> rightsubnet=22.33.44.55/32<br> rightnexthop=%defaultroute<br> left=%defaultroute<br>
leftid=@domain3.net<br> authby=rsasig<br> ikelifetime=24h<br> #Certificate Information<br> rightcert="/etc/ipsec.d/certs/ap-it.crt.pem"<br> leftcert="/etc/ipsec.d/certs/ap-de.crt.pem"<br>
auto=add<br><br><br>both connections work fine, if alone, but every time I start one<br>with ipsec auto --up CONN1 <br>or ipsec auto --up CONN2<br>
<br>the first one stops working<br><br>I'd like to be able to have both up and running in parallel:<br><br><br>Mar 14 19:52:11 ap-de pluto[21515]: "CONN1" #1: initiating Main Mode<br>Mar 14 19:52:11 ap-de pluto[21515]: "CONN1" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2<br>
Mar 14 19:52:11 ap-de pluto[21515]: "CONN1" #1: STATE_MAIN_I2: sent MI2, expecting MR2<br>Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: ignoring unknown Vendor ID payload [4683d866e51b99451c54656c646174]<br>
Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: received Vendor ID payload [Cisco-Unity]<br>Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: received Vendor ID payload [XAUTH]<br>Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: received Vendor ID payload [Dead Peer Detection]<br>
Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: I am sending my cert<br>Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: I am sending a certificate request<br>Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3<br>
Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: STATE_MAIN_I3: sent MI3, expecting MR3<br>Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: Main mode peer ID is ID_DER_ASN1_DN: 'abc'<br>Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: no crl from issuer "xyz" found (strict=no)<br>
Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4<br>Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}<br>
Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}<br>Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME<br>
Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: received and ignored informational message<br>Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #2: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME<br>
Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2<br>Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x3576fc2d <0xdc5bda95 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}<br>
Mar 14 19:52:13 ap-de pluto[21515]: "CONN1" #1: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x886bb9ed) not found (maybe expired)<br>Mar 14 19:52:13 ap-de pluto[21515]: "CONN1" #1: received and ignored informational message<br>
<br><here I start CONN2 ><br><br>Mar 14 19:52:52 ap-de pluto[21515]: "CONN2" #3: initiating Main Mode<br>Mar 14 19:52:52 ap-de pluto[21515]: "CONN2" #3: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2<br>
Mar 14 19:52:52 ap-de pluto[21515]: "CONN2" #3: STATE_MAIN_I2: sent MI2, expecting MR2<br>Mar 14 19:52:52 ap-de pluto[21515]: "CONN2" #3: ignoring unknown Vendor ID payload [4d5debb3210ca0388954656c646174]<br>
Mar 14 19:52:52 ap-de pluto[21515]: "CONN2" #3: received Vendor ID payload [Cisco-Unity]<br>Mar 14 19:52:52 ap-de pluto[21515]: "CONN2" #3: received Vendor ID payload [XAUTH]<br>Mar 14 19:52:52 ap-de pluto[21515]: "CONN2" #3: received Vendor ID payload [Dead Peer Detection]<br>
Mar 14 19:52:52 ap-de pluto[21515]: "CONN2" #3: I am sending my cert<br>Mar 14 19:52:52 ap-de pluto[21515]: "CONN2" #3: I am sending a certificate request<br>Mar 14 19:52:52 ap-de pluto[21515]: "CONN2" #3: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3<br>
Mar 14 19:52:52 ap-de pluto[21515]: "CONN2" #3: STATE_MAIN_I3: sent MI3, expecting MR3<br>Mar 14 19:52:53 ap-de pluto[21515]: "CONN2" #3: Main mode peer ID is ID_DER_ASN1_DN: 'abc'<br>Mar 14 19:52:53 ap-de pluto[21515]: "CONN2" #3: no crl from issuer "xyz" found (strict=no)<br>
<br>Mar 14 19:52:53 ap-de pluto[21515]: "CONN1" #2: deleting state (STATE_QUICK_I2)<br>Mar 14 19:52:53 ap-de pluto[21515]: "CONN1" #1: deleting state (STATE_MAIN_I4)<br><br>< here CONN1 stops working ><br>
<br>Mar 14 19:52:53 ap-de pluto[21515]: "CONN2" #3: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4<br>Mar 14 19:52:53 ap-de pluto[21515]: "CONN2" #3: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}<br>
Mar 14 19:52:53 ap-de pluto[21515]: "CONN2" #4: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#3}<br>Mar 14 19:52:53 ap-de pluto[21515]: "CONN2" #3: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME<br>
Mar 14 19:52:53 ap-de pluto[21515]: "CONN2" #3: received and ignored informational message<br>Mar 14 19:52:53 ap-de pluto[21515]: "CONN2" #4: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME<br>
Mar 14 19:52:53 ap-de pluto[21515]: "CONN2" #4: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2<br>Mar 14 19:52:53 ap-de pluto[21515]: "CONN2" #4: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x9639e7fb <0x2d4a4701 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}<br>
Mar 14 19:52:55 ap-de pluto[21515]: "CONN2" #3: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xa720ec72) not found (maybe expired)<br>Mar 14 19:52:55 ap-de pluto[21515]: "CONN2" #3: received and ignored informational message<br>
<br><br>Do you have a hint on how to make both connections work in parallel?<br>Thank you very much<br>Jofre<br><br><br>
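
Added example, not part of the original post: a small log check that correlates pluto's "Main mode peer ID" lines with "deleting state" lines, to surface the pattern visible above, where CONN1's states are deleted in the same second that CONN2 authenticates the same peer ID 'abc'. This is the pattern produced by pluto's `uniqueids` handling (a `config setup` option described in ipsec.conf(5)), under which a new connection using an already-known ID from a different address replaces the older ones. The function name, the same-second heuristic and the result fields are assumptions made for this example; the sample lines are copied from the log in the post.

```python
import re

# Constructed sample: six lines copied from the pluto log in the post above.
SAMPLE_LOG = """\
Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: Main mode peer ID is ID_DER_ASN1_DN: 'abc'
Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x3576fc2d <0xdc5bda95 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
Mar 14 19:52:53 ap-de pluto[21515]: "CONN2" #3: Main mode peer ID is ID_DER_ASN1_DN: 'abc'
Mar 14 19:52:53 ap-de pluto[21515]: "CONN1" #2: deleting state (STATE_QUICK_I2)
Mar 14 19:52:53 ap-de pluto[21515]: "CONN1" #1: deleting state (STATE_MAIN_I4)
Mar 14 19:52:53 ap-de pluto[21515]: "CONN2" #4: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x9639e7fb <0x2d4a4701 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
"""

LINE = re.compile(r'^(\w{3}\s+\d+ [\d:]{8}) \S+ pluto\[\d+\]: "([^"]+)" #(\d+): (.*)$')
PEER_ID = re.compile(r"Main mode peer ID is (\w+): '(.*)'$")
DELETING = re.compile(r"deleting state \((\w+)\)")

def find_id_replacements(log_text):
    """Flag states deleted in the same second that a different connection
    authenticated a peer ID the deleted connection had also authenticated."""
    id_owners = {}    # (id_type, id_value) -> connection names seen with it
    last_auth = None  # (timestamp, conn, peer) from the latest peer-ID line
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a per-connection pluto line
        ts, conn, serial, msg = m.groups()
        pid = PEER_ID.search(msg)
        if pid:
            peer = (pid.group(1), pid.group(2))
            id_owners.setdefault(peer, set()).add(conn)
            last_auth = (ts, conn, peer)
            continue
        gone = DELETING.search(msg)
        if gone and last_auth:
            auth_ts, auth_conn, peer = last_auth
            # Heuristic (assumption): same syslog second, different connection.
            if auth_ts == ts and auth_conn != conn and conn in id_owners[peer]:
                findings.append({"time": ts, "deleted_conn": conn,
                                 "state": f"#{serial} {gone.group(1)}",
                                 "replaced_by": auth_conn, "peer_id": peer[1]})
    return findings

if __name__ == "__main__":
    for finding in find_id_replacements(SAMPLE_LOG):
        print(finding)
```

On the sample it reports both CONN1 states (#2 and #1) as replaced by CONN2 for peer ID 'abc'.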