Hi everyone,

First of all, sorry about the amount of information here and my bad English (I'm Brazilian). Despite that, I'm here to ask for help.

I'm new to using Openswan IPsec and I'm having some difficulties configuring two VPN connections with the same remote server.

The network map works like this: Client Server -> My Firewall -> Openswan Server in DMZ -> Processing server in DMZ

On the firewall (shorewall), I created two tunnels, zones and hosts.

My shorewall files:

tunnels
ipsec net 200.x.x.x conn1,conn2

hosts
conn1 eth0:192.168.102.0/24,200.x.x.x ipsec
conn2 eth0:10.201.136.0/21,200.x.x.x ipsec

zones
conn1 ipsec
conn2 ipsec

My policy file accepts everything incoming from or outgoing to these zones.

When incoming, a NAT rule forwards the packets to the Openswan server.

On the Openswan server, I created the two connections to the same remote IP. Each one works with a different remote subnet (192.168.102.0/29 and 10.201.136.0/21). This server works with shorewall too. I need to forward 3 types of packets to another two servers on the same subnet (192.168.1.x).

I'm successfully connected to the first subnet (192.x.x.x) but, with the second one, the most important (always like this), I don't receive any packets.

My ipsec.conf is something like this (using PSK):

conn 1
 right=192.168.1.224
 #rightnexthop=
 rightsubnet=192.168.1.224/32
 #rightid=
 left=200.x.x.x
 #leftnexthop=
 leftsubnet=192.168.102.0/24
 keyexchange=ike
 ike=3des-md5-modp1024
 esp=3des-md5
 #ah=3des-md5
 ikelifetime=28800s
 #keylife=28800s
 pfs=no
 compress=no
 authby=secret
 auto=start
 aggrmode=no

conn 2
 right=192.168.1.224
 #rightnexthop=
 rightsubnet=192.168.1.224/32
 #rightid=
 left=200.x.x.x
 #leftnexthop=
 leftsubnet=10.201.136.0/21
 keyexchange=ike
 ike=3des-md5-modp1024
 esp=3des-md5
 #ah=3des-md5
 ikelifetime=28800s
 keylife=28800s
 pfs=no
 compress=no
 authby=secret
 auto=start
 aggrmode=no

Inside my openswan.log:

"conn1" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
"conn1" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x0d243b91 <0x964680c9 xfrm=3DES_0-HMAC_MD5 NATD=200.x.x.x:4500 DPD=none}
"conn2" #3: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
"conn2" #3: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x09bf8953 <0xea5fc696 xfrm=3DES_0-HMAC_MD5 NATD=200.x.x.x:4500 DPD=none}

Inside my syslog, there is something like this:

Jun 5 16:03:43 conn2 ipsec_setup: Starting Openswan IPsec 2.4.9...
Jun 5 16:03:44 conn2 ipsec__plutorun: 104 "conn2" #1: STATE_MAIN_I1: initiate
Jun 5 16:03:44 conn2 ipsec__plutorun: ...could not start conn "conn2"

In the first log it shows an established connection, but, the other way round, "conn2" didn't start.

Can someone help me with that? I need some tips to finish this task.

Best regards,

João K.
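As an added example (not part of the post, and not Openswan or Shorewall code), here is a small Python script that parses the conn sections out of an ipsec.conf like the one quoted above and reports two things worth checking before debugging the tunnel itself: whether two conns to the same peer have overlapping leftsubnet/rightsubnet selectors (two conns can only coexist for one peer if their subnet pairs differ), and where the legacy 3des/md5/modp1024 algorithms and pfs=no appear. The embedded config is constructed from the post, with the documentation address 203.0.113.10 standing in for 200.x.x.x; the conn names, helper names and the clashing second sample in the test are assumptions for illustration only.

```python
import ipaddress
from itertools import combinations

# Constructed sample modelled on the ipsec.conf quoted in the post.
# 203.0.113.10 (documentation range) stands in for the real 200.x.x.x address.
SAMPLE_IPSEC_CONF = """\
config setup
    nat_traversal=yes

conn conn1
 right=192.168.1.224
 #rightnexthop=
 rightsubnet=192.168.1.224/32
 left=203.0.113.10
 leftsubnet=192.168.102.0/24
 keyexchange=ike
 ike=3des-md5-modp1024
 esp=3des-md5
 ikelifetime=28800s
 pfs=no
 authby=secret
 auto=start

conn conn2
 right=192.168.1.224
 rightsubnet=192.168.1.224/32
 left=203.0.113.10
 leftsubnet=10.201.136.0/21
 keyexchange=ike
 ike=3des-md5-modp1024
 esp=3des-md5
 ikelifetime=28800s
 keylife=28800s
 pfs=no
 authby=secret
 auto=start
"""


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} for every 'conn' section.

    Handles only the subset of ipsec.conf syntax seen in the post:
    'conn NAME' and 'config setup' headers, 'key=value' lines,
    blank lines and '#' comments (so '#rightnexthop=' is ignored).
    """
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1].strip()
            conns[current] = {}
        elif line.startswith("config "):
            current = None          # 'config setup' keys are not per-conn
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns


def selector(conn, side):
    """Traffic selector for one side: <side>subnet, else the endpoint host itself."""
    subnet = conn.get(side + "subnet") or conn[side] + "/32"
    return ipaddress.ip_network(subnet, strict=False)


def overlapping_conns(conns):
    """Pairs of conns to the same left/right peer whose selectors overlap on both sides.

    Such pairs compete for the same kernel IPsec policy; conns to one peer are
    only distinguishable when at least one side's subnet differs.
    """
    clashes = []
    for (name_a, a), (name_b, b) in combinations(conns.items(), 2):
        if (a.get("left"), a.get("right")) != (b.get("left"), b.get("right")):
            continue
        if (selector(a, "left").overlaps(selector(b, "left"))
                and selector(a, "right").overlaps(selector(b, "right"))):
            clashes.append((name_a, name_b))
    return clashes


def weak_settings(conns):
    """Flag legacy cipher/hash/DH-group choices and pfs=no per conn."""
    findings = {}
    for name, conn in conns.items():
        issues = []
        for key in ("ike", "esp"):
            for token in ("3des", "md5", "modp1024"):
                if token in conn.get(key, "").lower():
                    issues.append(f"{key} uses {token}")
        if conn.get("pfs", "yes").lower() == "no":   # Openswan defaults pfs to yes
            issues.append("pfs=no (no forward secrecy for child SAs)")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    parsed = parse_ipsec_conf(SAMPLE_IPSEC_CONF)
    for pair in overlapping_conns(parsed):
        print("overlapping selectors:", pair)
    for conn_name, conn_issues in weak_settings(parsed).items():
        for issue in conn_issues:
            print(f"{conn_name}: {issue}")
```

Run against the post's configuration the script reports no selector overlap (192.168.102.0/24 and 10.201.136.0/21 are disjoint), so the two conns are distinguishable by subnet; what it does flag on both conns is the 3DES/MD5/modp1024 proposal and pfs=no, which are worth replacing independently of the connectivity problem.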