It was not, but I've gone and put it in and restarted ipsec now, with no noticeable change in behaviour.<div><br></div><div>Here's my config for reference sake:</div><div><br></div><div><div>config setup</div><div>
plutodebug=none</div><div> protostack=netkey</div><div> plutowait=yes</div><div> nat_traversal=no</div><div> nhelpers=0</div><div> oe=off</div><div><br></div><div>conn idc</div>
<div>
auto=start</div><div> pfs=no</div><div> authby=secret</div><div> ikev2=no</div><div> ike=aes128-sha1</div><div> phase2alg=aes128-sha1</div><div> salifetime=8h</div><div> ikelifetime=1h</div>
<div> type=tunnel</div><div> rekey=yes</div><div><br></div><div> left=89.202.x.x</div><div> leftsourceip=192.168.90.200</div><div> leftsubnet=<a href="http://192.168.90.0/24">192.168.90.0/24</a></div>
<div> right=74.115.x.x</div><div> rightsubnet=<a href="http://172.30.0.0/16">172.30.0.0/16</a></div><br><div class="gmail_quote">On Fri, Feb 4, 2011 at 3:07 PM, Paul Wouters <span dir="ltr"><<a href="mailto:paul@xelerance.com">paul@xelerance.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">On Fri, 4 Feb 2011, Scott T. Cameron wrote:<br>
<br>
Are you missing oe=off in ipsec.conf's "config setup" section?<br>
<br>
Paul<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Date: Fri, 4 Feb 2011 14:23:19 -0500<br>
From: Scott T. Cameron <<a href="mailto:routehero@gmail.com" target="_blank">routehero@gmail.com</a>><br>
To: <a href="mailto:users@openswan.org" target="_blank">users@openswan.org</a><br>
Subject: Re: [Openswan Users] Openswan 2.6.24 => Juniper SRX<div><div></div><div class="h5"><br>
<br>
I took time to upgrade today.<br>
<br>
meta:~# ipsec --version<br>
Linux Openswan U2.6.32/K2.6.24-sn (netkey)<br>
See `ipsec --copyright' for copyright information.<br>
<br>
ipsec auto --status snip:<br>
<br>
000 "idc": <a href="http://192.168.90.0/24===89.202.x.x" target="_blank">192.168.90.0/24===89.202.x.x</a><89.202.x.x>[+S=C]...74.115.x.x<74.115.x.x>[+S=C]===<a href="http://172.30.0.0/16" target="_blank">172.30.0.0/16</a>; erouted HOLD; eroute<br>
owner: #0<br>
000 "idc": myip=192.168.90.200; hisip=unset;<br>
000 "idc": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0<br>
000 "idc": policy: PSK+ENCRYPT+TUNNEL+UP+SAREFTRACK+lKOD+rKOD; prio: 24,16; interface: eth0; <br>
000 "idc": newest ISAKMP SA: #1; newest IPsec SA: #0; <br>
000 <br>
000 #37: "idc":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 14s; lastdpd=-1s(seq in:0 out:0); idle;<br>
import:admin initiate<br>
000 #36: "idc":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 14s; lastdpd=-1s(seq in:0 out:0); idle;<br>
import:admin initiate<br>
000 #35: "idc":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 14s; lastdpd=-1s(seq in:0 out:0); idle;<br>
import:admin initiate<br>
000 #34: "idc":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 14s; lastdpd=-1s(seq in:0 out:0); idle;<br>
import:admin initiate<br>
[snip]<br>
000 #1: "idc":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2503s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0);<br>
idle; import:admin initiate<br>
<br>
<br>
syslog snip:<br>
Feb 4 20:20:53 meta pluto[29438]: initiate on demand from <a href="http://192.168.90.11:45819" target="_blank">192.168.90.11:45819</a> to <a href="http://172.30.77.45:514" target="_blank">172.30.77.45:514</a> proto=6 state: fos_start<br>
because: acquire<br>
Feb 4 20:20:53 meta pluto[29438]: "idc" #550: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+SAREFTRACK {using isakmp#1<br>
msgid:02b0b8d6 proposal=AES(12)_128-SHA1(2)_160 pfsgroup=no-pfs}<br>
<br>
<br>
Seems to be the same issue, in general. First IPSEC tunnel goes up, but it stays in hold state and the rest of the boxes<br>
(mostly syslog) cause it to try to bring up a zillion new tunnels.<br>
Any other pointers?<br>
<br>
Scott<br>
<br>
On Fri, Jan 28, 2011 at 2:19 PM, Paul Wouters <<a href="mailto:paul@xelerance.com" target="_blank">paul@xelerance.com</a>> wrote:<br>
On Fri, 28 Jan 2011, Scott T. Cameron wrote:<br>
<br>
Subject: [Openswan Users] Openswan 2.6.24 => Juniper SRX<br>
<br>
<br>
<br>
Jan 28 19:53:24 pluto[16783]: initiate on demand from <a href="http://192.168.90.63:35718" target="_blank">192.168.90.63:35718</a> to<br>
<br>
<br>
The config is fairly basic. The initiate on demands won't stop -- it goes in to the<br>
thousands of range.<br>
<br>
<br>
v2.6.29 (September 27, 2010)<br>
<br>
* NETKEY: Fix for spurious %hold netlink-acquires [Paul/dhr]<br>
<br>
Paul<br>
<br>
<br>
<br>
<br>
</div></div></blockquote>
</blockquote></div><br></div>