<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:p="urn:schemas-microsoft-com:office:powerpoint" xmlns:a="urn:schemas-microsoft-com:office:access" xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:s="uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882" xmlns:rs="urn:schemas-microsoft-com:rowset" xmlns:z="#RowsetSchema" xmlns:b="urn:schemas-microsoft-com:office:publisher" xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet" xmlns:c="urn:schemas-microsoft-com:office:component:spreadsheet" xmlns:odc="urn:schemas-microsoft-com:office:odc" xmlns:oa="urn:schemas-microsoft-com:office:activation" xmlns:html="http://www.w3.org/TR/REC-html40" xmlns:q="http://schemas.xmlsoap.org/soap/envelope/" xmlns:rtc="http://microsoft.com/officenet/conferencing" xmlns:D="DAV:" xmlns:Repl="http://schemas.microsoft.com/repl/" xmlns:mt="http://schemas.microsoft.com/sharepoint/soap/meetings/" xmlns:x2="http://schemas.microsoft.com/office/excel/2003/xml" xmlns:ppda="http://www.passport.com/NameSpace.xsd" xmlns:ois="http://schemas.microsoft.com/sharepoint/soap/ois/" xmlns:dir="http://schemas.microsoft.com/sharepoint/soap/directory/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:dsp="http://schemas.microsoft.com/sharepoint/dsp" xmlns:udc="http://schemas.microsoft.com/data/udc" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:sub="http://schemas.microsoft.com/sharepoint/soap/2002/1/alerts/" xmlns:ec="http://www.w3.org/2001/04/xmlenc#" xmlns:sp="http://schemas.microsoft.com/sharepoint/" xmlns:sps="http://schemas.microsoft.com/sharepoint/soap/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:udcs="http://schemas.microsoft.com/data/udc/soap" xmlns:udcxf="http://schemas.microsoft.com/data/udc/xmlfile" xmlns:udcp2p="http://schemas.microsoft.com/data/udc/parttopart" xmlns:wf="http://schemas.microsoft.com/sharepoint/soap/workflow/" 
xmlns:dsss="http://schemas.microsoft.com/office/2006/digsig-setup" xmlns:dssi="http://schemas.microsoft.com/office/2006/digsig" xmlns:mdssi="http://schemas.openxmlformats.org/package/2006/digital-signature" xmlns:mver="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns:mrels="http://schemas.openxmlformats.org/package/2006/relationships" xmlns:spwp="http://microsoft.com/sharepoint/webpartpages" xmlns:ex12t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:ex12m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:pptsl="http://schemas.microsoft.com/sharepoint/soap/SlideLibrary/" xmlns:spsl="http://microsoft.com/webservices/SharePointPortalServer/PublishedLinksService" xmlns:Z="urn:schemas-microsoft-com:" xmlns:st="" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
        {mso-style-priority:34;
        margin-top:0in;
        margin-right:0in;
        margin-bottom:0in;
        margin-left:.5in;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif";}
span.EmailStyle18
        {mso-style-type:personal;
        font-family:"Calibri","sans-serif";
        color:windowtext;}
span.EmailStyle19
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
        {page:Section1;}
/* List Definitions */
@list l0
        {mso-list-id:2031687575;
        mso-list-type:hybrid;
        mso-list-template-ids:-1861330238 -646122848 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l0:level1
        {mso-level-start-at:0;
        mso-level-number-format:bullet;
        mso-level-text:-;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:"Calibri","sans-serif";
        mso-fareast-font-family:Calibri;}
@list l0:level2
        {mso-level-tab-stop:1.0in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level3
        {mso-level-tab-stop:1.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level4
        {mso-level-tab-stop:2.0in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level5
        {mso-level-tab-stop:2.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level6
        {mso-level-tab-stop:3.0in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level7
        {mso-level-tab-stop:3.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level8
        {mso-level-tab-stop:4.0in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level9
        {mso-level-tab-stop:4.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
ol
        {margin-bottom:0in;}
ul
        {margin-bottom:0in;}
-->
</style>
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span style='color:#1F497D'>Oh yes – and watching
/var/log/secure -f, I see lots of SA Established messages, generally followed
by a bunch of other messages. Here is a sample:<o:p></o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'>Jun 10 00:23:39 localhost
pluto[32341]: "colo-hqmain" #94: STATE_QUICK_I2: sent QI2, IPsec SA
established tunnel mode {ESP=>0xbc7fa7b2 <0x8960d6a9
xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}<o:p></o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'>Jun 10 00:23:40 localhost
pluto[32341]: initiate on demand from 175.7.0.254:8 to 175.8.1.254:0 proto=1 state:
fos_start because: acquire<o:p></o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'>Jun 10 00:23:40 localhost
pluto[32341]: "colo-hqmirror" #95: initiating Quick Mode
RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#19 msgid:43388045
proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}<o:p></o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'>Jun 10 00:23:40 localhost
pluto[32341]: "colo-hqmirror" #95: transition from state
STATE_QUICK_I1 to state STATE_QUICK_I2<o:p></o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'>Jun 10 00:23:40 localhost
pluto[32341]: "colo-hqmirror" #95: STATE_QUICK_I2: sent QI2, IPsec SA
established tunnel mode {ESP=>0xe1de3dcb <0xe9e58a27 xfrm=AES_128-HMAC_SHA1
NATOA=none NATD=none DPD=none}<o:p></o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'>Jun 10 00:24:18 localhost
pluto[32341]: initiate on demand from 175.10.0.1:8 to 175.9.1.1:0 proto=1
state: fos_start because: acquire<o:p></o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'>Jun 10 00:24:18 localhost
pluto[32341]: "colo-hqmain" #96: initiating Quick Mode
RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#10 msgid:8b21c369
proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}<o:p></o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'>Jun 10 00:24:18 localhost
pluto[32341]: "colo-hqmain" #96: transition from state STATE_QUICK_I1
to state STATE_QUICK_I2<o:p></o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'>Jun 10 00:24:18 localhost
pluto[32341]: "colo-hqmain" #96: STATE_QUICK_I2: sent QI2, IPsec SA
established tunnel mode {ESP=>0x624f259e <0x0a8b7ec8
xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}<o:p></o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>
users-bounces@openswan.org [mailto:users-bounces@openswan.org] <b>On Behalf Of </b>Greg
Scott<br>
<b>Sent:</b> Thursday, June 10, 2010 12:17 AM<br>
<b>To:</b> users@openswan.org<br>
<b>Subject:</b> [Openswan Users] Two tunnels between the same hosts; one works,
the other works sometimes<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Here we go again….<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>I have two sites named HQ and colo. HQ is on the
right, colo is on the left. The HQ site has two LANs; 175.10.0.0/16 and
175.7.0.0/16. The colo site also has two LANs, 175.8.0.0/16 and
175.9.0.0/16. To simplify the tunnel setup, I supernetted the colo site,
so now it’s 175.8.0.0/15. <o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>So by my count, I need 2 tunnels:<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Colo-hqmain<o:p></o:p></p>
<p class=MsoNormal>Colo-hqmirror<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Colo-hqmain generally comes up and works reliably.
Colo-hqmirror has problems. Sometimes both tunnels will come up, other
times one or the other works. Sometimes after 10-15 minutes, they will
both come up with each other. <o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>I tested all this in a simulated environment and naturally
it worked well here. Of course, now it’s flaky in production. The
HQ site is using Openswan 2.6.25 with Fedora 12. The colo site is older
and uses Openswan 2.4.4 with Fedora Core 5. <o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Why two tunnels to the same sites? Well, some
Storagetek devices that mirror each other need NICs in different subnets.<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Here are some more bizarre symptoms. All colo subnets
can ping all HQ subnets. However, only some subnets from HQ can ping some
colo subnets, and this seems to change with the passage of time. For
example, a few minutes ago, the 175.10 subnet could ping everything in the colo
site. But when the 175.7 subnet tried to ping anything in the colo site, the
pings returned “Operation not permitted”. Now 175.10 can ping 175.8
and 175.7 can ping 175.9. But 175.7 cannot ping 175.8 and 175.10 cannot
ping 175.9. That’s from the HQ site. When pings come from the colo
site, all pings work. Try keeping that straight. <o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>One more complicating factor. The HQ site has 2 nodes
that act together in an active/standby pair. Both nodes have identical
configurations right down to the MAC Addresses on all the NICs. I
ran through several failovers in my testing here and all worked fine. I
used the real HQ nodes and a simulated Internet and simulated colo site.
But now in production, this flaky behavior shows itself. <o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>I guess maybe I’ll try to build an openswan-2.6.25 from the
.tar file on the colo site and maybe it will behave a little better. Any
other thoughts?<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Thanks<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo2'><![if !supportLists]><span
style='mso-list:Ignore'>-<span style='font:7.0pt "Times New Roman"'>
</span></span><![endif]>Greg Scott<o:p></o:p></p>
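<p class=MsoNormal>Added example, not part of this thread and not Openswan code: a small Python script that reads pluto lines of the three shapes quoted in the reply at the top (on-demand acquire, "initiating Quick Mode", "IPsec SA established"), maps each acquire to the conn whose subnets cover the flow, and flags a conn whose IPsec SA is established again within a short window, which is what the two colo-hqmain "SA established" lines 39 seconds apart look like. It also records which ISAKMP SA each conn's Quick Mode ran under, since the quoted log shows the two conns to the same peer using isakmp#19 and isakmp#10. The /15 supernet and the two HQ /16s are from the original post; which HQ /16 belongs to which conn is inferred from the acquire-then-Quick-Mode order in the reply and is an assumption, as are the regexes, which are written for the quoted line shapes only. The input is the quoted log re-joined one record per line.</p>

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# HQ /16 <-> colo /15 per conn. Subnets are from the original post; which HQ /16 goes
# with which conn is inferred from the acquire -> Quick Mode order in the reply (assumption).
CONNS = {
    "colo-hqmain":   (ipaddress.ip_network("175.10.0.0/16"), ipaddress.ip_network("175.8.0.0/15")),
    "colo-hqmirror": (ipaddress.ip_network("175.7.0.0/16"),  ipaddress.ip_network("175.8.0.0/15")),
}

# Regexes for the three line shapes quoted in the reply; other pluto versions may word them differently.
_PFX = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: "
ACQUIRE_RE = re.compile(_PFX + r"initiate on demand from (?P<src>[\d.]+):(?P<sport>\d+) "
                        r"to (?P<dst>[\d.]+):(?P<dport>\d+) proto=(?P<proto>\d+)")
QUICK_RE = re.compile(_PFX + r'"(?P<conn>[^"]+)" #(?P<state>\d+): initiating Quick Mode .*'
                      r"\{using isakmp#(?P<isakmp>\d+)")
ESTAB_RE = re.compile(_PFX + r'"(?P<conn>[^"]+)" #(?P<state>\d+): STATE_QUICK_I2: sent QI2, '
                      r"IPsec SA established .*\{ESP=>(?P<spi_out>0x[0-9a-f]+) <(?P<spi_in>0x[0-9a-f]+)")
PATTERNS = (("acquire", ACQUIRE_RE), ("quick", QUICK_RE), ("established", ESTAB_RE))

def conn_for_flow(src, dst):
    """Name the conn whose subnet pair covers src->dst in either direction, else None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, (a, b) in CONNS.items():
        if (s in a and d in b) or (s in b and d in a):
            return name
    return None

def parse_log(lines):
    """Event dicts in log order; lines of any other shape are skipped."""
    events = []
    for line in lines:
        for kind, rx in PATTERNS:
            if m := rx.match(line):
                ev = dict(m.groupdict(), kind=kind)
                if kind == "acquire":  # which conn *should* carry this flow
                    ev["expected_conn"] = conn_for_flow(ev["src"], ev["dst"])
                events.append(ev)
                break
    return events

def establishments(events):
    """conn -> [(timestamp, state#, spi_out, spi_in)] per 'IPsec SA established' line."""
    out = defaultdict(list)
    for ev in events:
        if ev["kind"] == "established":
            ts = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")  # syslog stamps carry no year
            out[ev["conn"]].append((ts, int(ev["state"]), ev["spi_out"], ev["spi_in"]))
    return dict(out)

def flapping(events, window_seconds=300):
    """conn -> seconds between two fresh IPsec SAs inside window_seconds.
    A tunnel rekeys once per SA lifetime, so a second 'established' seconds after the
    first, each preceded by a kernel acquire, means the kernel found no usable SA."""
    bad = {}
    for conn, evs in establishments(events).items():
        stamps = sorted(t for t, *_ in evs)
        for a, b in zip(stamps, stamps[1:]):
            gap = int((b - a).total_seconds())
            if gap <= window_seconds:
                bad[conn] = gap
                break
    return bad

def acquire_mismatches(events):
    """(src, dst, expected, actual) for acquires answered by Quick Mode on a different conn."""
    out = []
    for i, ev in enumerate(events[:-1]):
        nxt = events[i + 1]
        if ev["kind"] == "acquire" and nxt["kind"] == "quick" and nxt["conn"] != ev["expected_conn"]:
            out.append((ev["src"], ev["dst"], ev["expected_conn"], nxt["conn"]))
    return out

def isakmp_parents(events):
    """conn -> set of ISAKMP SA numbers its Quick Mode exchanges ran under."""
    out = defaultdict(set)
    for ev in events:
        if ev["kind"] == "quick":
            out[ev["conn"]].add(int(ev["isakmp"]))
    return dict(out)

# Constructed input: the lines quoted in the reply, re-joined one record per line.
SAMPLE_LOG = """\
Jun 10 00:23:39 localhost pluto[32341]: "colo-hqmain" #94: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xbc7fa7b2 <0x8960d6a9 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Jun 10 00:23:40 localhost pluto[32341]: initiate on demand from 175.7.0.254:8 to 175.8.1.254:0 proto=1 state: fos_start because: acquire
Jun 10 00:23:40 localhost pluto[32341]: "colo-hqmirror" #95: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#19 msgid:43388045 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Jun 10 00:23:40 localhost pluto[32341]: "colo-hqmirror" #95: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jun 10 00:23:40 localhost pluto[32341]: "colo-hqmirror" #95: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xe1de3dcb <0xe9e58a27 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Jun 10 00:24:18 localhost pluto[32341]: initiate on demand from 175.10.0.1:8 to 175.9.1.1:0 proto=1 state: fos_start because: acquire
Jun 10 00:24:18 localhost pluto[32341]: "colo-hqmain" #96: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#10 msgid:8b21c369 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Jun 10 00:24:18 localhost pluto[32341]: "colo-hqmain" #96: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jun 10 00:24:18 localhost pluto[32341]: "colo-hqmain" #96: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x624f259e <0x0a8b7ec8 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
""".splitlines()

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(flapping(evs), acquire_mismatches(evs), isakmp_parents(evs))
```

<p class=MsoNormal>To run it on a live box, replace SAMPLE_LOG with the lines of /var/log/secure. On the quoted sample it reports colo-hqmain getting a second fresh SA 39 seconds after the first, no acquire landing on the wrong conn, and the two conns hanging off different ISAKMP SAs; the script surfaces those facts for comparison with the colo end's log, it does not explain them.</p>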
</div>
</body>
</html>