<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN" "http://www.w3.org/TR/REC-html40/strict.dtd"><html><head><meta name="qrichtext" content="1" /><style type="text/css">p, li { white-space: pre-wrap; }</style></head><body style=" font-family:'Sans Serif'; font-size:11pt; font-weight:400; font-style:normal;">Hello,<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>since I upgraded from F10 (openswan-2.6.19) to F11 (openswan-2.6.21+nss.patch) I have problems to instantiate multiple tunnels between the gateway and the roadwarrior. Prior to upgrade everything worked. Except from some time ipsec.exe on Windows XP instantiates only the first tunnel it finds (it used to work before). My question is not about that but if anybody knows I will be happy on any advice on that.<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>The real problem is this:<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>I have configured tunnel A and B on gateway. They differ only in the rightsubnet behind gateway. They are loaded in the order A and B on the gw side.<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>Windows XP instantiates tunnel B.<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>I get this in the log:<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>Jun 26 11:02:42 gw pluto[15235]: "X"[3] WinpublicIP #94: Main mode peer ID is ID_DER_ASN1_DN: 'WinID'<br>
Jun 26 11:02:42 gw pluto[15235]: "X"[3] WinpublicIP #94: switched from "X" to "A"<br>
Jun 26 11:02:42 gw pluto[15235]: "A"[1] WinpublicIP #94: I am sending my cert<br>
Jun 26 11:02:42 gw pluto[15235]: "A"[1] WinpublicIP #94: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3<br>
Jun 26 11:02:42 gw pluto[15235]: "A"[1] WinpublicIP #94: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}<br>
Jun 26 11:02:42 gw pluto[15235]: "A"[1] WinpublicIP #94: the peer proposed: Brightiprange:0/0 -> WinpublicIP:0/0<br>
Jun 26 11:02:42 gw pluto[15235]: "A"[1] WinpublicIP #94: peer proposal was reject in a virtual connection policy because:<br>
Jun 26 11:02:42 gw pluto[15235]: "A"[1] WinpublicIP #94: a private network virtual IP was required, but the proposed IP did not match our list (virtual_private=)<br>
... this is probably due to public ip on windows without NAT and is probably harmless, am I right?<br>
Jun 26 11:02:42 gw pluto[15235]: "A"[1] WinpublicIP #94: cannot respond to IPsec SA request because no connection is known for Brightsubnet===gwpublicip<gwpublicip>[...gwID...,+S=C]...WinpublicIP[...WinID...,+S=C]<br>
Jun 26 11:02:42 gw pluto[15235]: "A"[1] WinpublicIP #94: sending encrypted notification INVALID_ID_INFORMATION to WinpublicIP:500<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>The problem arises when gw thinks Windos is trying to instantiate tunnel A, not B. How can I override this? It used to work before upgrade.<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>Old log, when it worked:<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>Jun 24 01:36:03 gw pluto[7102]: "A"[1] WinpublicIP #1: the peer proposed: Brightsubnet:0/0 -> WindowsIPbehindNAT:0/0<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>... this time the windows was NAT-ted ...<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>Jun 24 01:36:03 gw pluto[7102]: "B"[1] WinrouterpublicIP #2: responding to Quick Mode proposal {msgid:......}<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>... it fluently switched from tunnel A to B.<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p><p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>Any help appreciated.<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>Thank you.<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>-- <br>
Marek Greško<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p></body></html>