<div>For some reason, this IPsec setup is giving me grief.</div><div><br></div><div>The Linux box has an external IP on one interface, private IP on another interface. Remote SRX has a similar setup.</div><div><br></div><div>
Tunnel #1 will establish. Shortly after, hosts on the Linux-side will cause Linux openswan to do "initiate on demand" for additional tunnels.</div><div><br></div><div><div><div>Jan 28 19:53:24 pluto[16783]: "idc" #1: Main mode peer ID is ID_IPV4_ADDR: '74.115.217.200'</div>
<div>Jan 28 19:53:24 pluto[16783]: "idc" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4</div><div>Jan 28 19:53:24 pluto[16783]: "idc" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}</div>
<div>Jan 28 19:53:24 pluto[16783]: "idc" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1 msgid:10363b3c proposal=AES(12)_128-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}</div><div>Jan 28 19:53:24 pluto[16783]: initiate on demand from 192.168.90.63:35718 to 172.30.77.45:514 proto=6 state: fos_start because: acquire</div>
<div>Jan 28 19:53:24 pluto[16783]: "idc" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1 msgid:35785a77 proposal=AES(12)_128-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}</div><div>Jan 28 19:53:25 pluto[16783]: initiate on demand from 192.168.90.62:39367 to 172.30.77.45:514 proto=6 state: fos_start because: acquire</div>
<div>Jan 28 19:53:25 pluto[16783]: "idc" #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1 msgid:5ecd6abe proposal=AES(12)_128-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}</div><div>Jan 28 19:53:25 pluto[16783]: initiate on demand from 192.168.90.53:57649 to 172.30.77.45:514 proto=6 state: fos_start because: acquire</div>
<div>Jan 28 19:53:25 pluto[16783]: "idc" #5: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1 msgid:16951daf proposal=AES(12)_128-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}</div><div>Jan 28 19:53:25 pluto[16783]: initiate on demand from 192.168.90.56:54443 to 172.30.77.45:514 proto=6 state: fos_start because: acquire</div>
<div>Jan 28 19:53:25 pluto[16783]: "idc" #6: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1 msgid:76919e72 proposal=AES(12)_128-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}</div><div>Jan 28 19:53:26 pluto[16783]: initiate on demand from 192.168.90.51:40954 to 172.30.77.45:514 proto=6 state: fos_start because: acquire</div>
<div>Jan 28 19:53:26 pluto[16783]: "idc" #7: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1 msgid:e2df2600 proposal=AES(12)_128-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}</div><div><br></div>
</div>
</div><div>The config is fairly basic. The initiate on demands won't stop -- it goes into the thousands.</div><div><br></div><div><div>conn dc</div><div> auto=start</div><div> pfs=yes</div><div>
authby=secret</div><div> ikev2=no</div><div> ike=aes128-sha1</div><div> phase2alg=aes128-sha1</div><div> salifetime=8h</div><div> ikelifetime=1h</div><div> type=tunnel</div>
<div> rekey=yes</div><div><br></div><div> left=89.202.x.x</div><div> leftsourceip=192.168.90.200</div><div> leftsubnet=192.168.90.0/24</div><div> right=74.115.x.x</div>
<div> rightsubnet=172.30.0.0/16</div></div><div><br></div><div>Any clues why it's not using the already established tunnel?</div><div><br></div><div>Thanks.</div><div><br></div>
<div>Scott</div>
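As an added example (not part of Scott's post or of openswan), a small Python script that summarises pluto log lines of the kind shown above: it counts Quick Mode initiations riding on each ISAKMP SA, counts acquires per destination, and flags any acquire whose endpoints fall outside the leftsubnet/rightsubnet selectors from the posted config. The sample lines are constructed from the post; the 10.9.9.9 acquire and the threshold of 3 are assumptions added to exercise the out-of-selector and runaway checks.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample modelled on the pluto log in the post; the 10.9.9.9 line is an
# assumed out-of-selector acquire added to exercise the coverage check.
SAMPLE_LOG = """\
Jan 28 19:53:24 pluto[16783]: "idc" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}
Jan 28 19:53:24 pluto[16783]: "idc" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1 msgid:10363b3c proposal=AES(12)_128-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
Jan 28 19:53:24 pluto[16783]: initiate on demand from 192.168.90.63:35718 to 172.30.77.45:514 proto=6 state: fos_start because: acquire
Jan 28 19:53:24 pluto[16783]: "idc" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1 msgid:35785a77 proposal=AES(12)_128-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
Jan 28 19:53:25 pluto[16783]: initiate on demand from 192.168.90.62:39367 to 172.30.77.45:514 proto=6 state: fos_start because: acquire
Jan 28 19:53:25 pluto[16783]: "idc" #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1 msgid:5ecd6abe proposal=AES(12)_128-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
Jan 28 19:53:25 pluto[16783]: initiate on demand from 10.9.9.9:40000 to 172.30.77.45:514 proto=6 state: fos_start because: acquire
"""

LEFTSUBNET = ipaddress.ip_network("192.168.90.0/24")  # leftsubnet from the posted config
RIGHTSUBNET = ipaddress.ip_network("172.30.0.0/16")   # rightsubnet from the posted config

QUICK_RE = re.compile(r'"(?P<conn>[^"]+)" #\d+: initiating Quick Mode .*\{using isakmp#(?P<isakmp>\d+)')
ACQUIRE_RE = re.compile(r'initiate on demand from (?P<src>[\d.]+):\d+ to (?P<dst>[\d.]+):\d+ '
                        r'proto=\d+ .*because: acquire')


def analyse(log, threshold=3):
    """Count Quick Mode initiations per (conn, ISAKMP SA) and acquires per destination,
    list acquires outside the configured selectors, and report 'runaway' ISAKMP SAs
    (at least `threshold` Quick Mode initiations), the symptom the post describes."""
    quick_per_isakmp = Counter()
    acquires_per_dst = Counter()
    uncovered = []
    for line in log.splitlines():
        m = QUICK_RE.search(line)
        if m:
            quick_per_isakmp[(m["conn"], int(m["isakmp"]))] += 1
            continue
        m = ACQUIRE_RE.search(line)
        if m:
            src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
            acquires_per_dst[str(dst)] += 1
            if src not in LEFTSUBNET or dst not in RIGHTSUBNET:
                uncovered.append((str(src), str(dst)))  # traffic no child SA can cover
    runaway = [sa for sa, n in quick_per_isakmp.items() if n >= threshold]
    return {"quick_per_isakmp": dict(quick_per_isakmp),
            "acquires_per_dst": dict(acquires_per_dst),
            "uncovered": uncovered, "runaway": runaway}


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(key, value)
```

Run it against a real /var/log/secure or auth.log slice (pass the file contents to analyse) to see how many Quick Mode initiations each ISAKMP SA is carrying.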