[Openswan Users] multiple tunnels, only the first connects

Matt Harrell matt at mattharrell.net
Thu Jun 3 15:35:07 CEST 2004


First, some background: Last weekend I upgraded from Fedora Core 1 to
FC2.  I had been using FreeSWAN 2.06 successfully for months to connect to
5 tunnels (subnets) at work (I'm the firewall administrator at work, and
we use a Sidewinder G2), and 3 subnets at customer sites.

After the FC2 upgrade, FreeSWAN broke, of course.  After some research, I
learned why.  After fighting for several days to get the VPN working using
ipsec-tools (which comes with FC2), I found OpenSWAN.  I installed the RPM.
Much to my surprise, I had some success.  I'm using my old ipsec.conf and
ipsec.secrets files from FreeSWAN 2.06 and FC2.

Now, when I try to bring up the tunnels, only the first tunnel to my work
comes up.  The rest fail (the customer VPNs all work great, but they're to
different versions of Symantec Enterprise Firewall).

On the Sidewinder G2 firewall at work, I have all 5 subnets in one VPN.
This worked fine before the FC2 upgrade.  Something is going on with the
kernel ipsec implementation that's causing the tunnels brought up after
the first one not to work.

Based on the output from the "ipsec auto --up" commands, it appears as
though after the first tunnel, the others are not performing full
negotiations.  The first tunnel sends "STATE_MAIN" data and "STATE_QUICK".
However, after that, the other tunnels are only sending "STATE_QUICK".

In the Sidewinder G2 audit logs, I see this:

Invalid request for QUICK_MODE exchange, no phase 1 exchange state which
matches request

It looks to me (a somewhat uneducated guess) like the Linux ipsec
implementation is simply skipping the MAIN negotiation because the
destination firewall hasn't changed, and Sidewinder isn't liking this.  Is
there some way to force ipsec on Linux to not do this--to start over with
full negotiations for each tunnel?

Matt Harrell
matt at mattharrell.net
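The behaviour described in the post (several conns to the same gateway, only the first runs Main Mode, the rest start at Quick Mode) follows from IKEv1 reusing one Phase 1 ISAKMP SA for every Phase 2 negotiation between the same two gateways. The script below is an added example, not from the post or from Openswan: it parses a FreeS/WAN-style ipsec.conf, folds in "conn %default", and groups conns by their (left, right) gateway pair so you can see which tunnels will share a Phase 1 SA. The ipsec.conf text, conn names and addresses are constructed placeholders, not the poster's configuration, and the "bring-up order equals file order" assumption is stated in the code.

```python
"""Group conns in a FreeS/WAN-style ipsec.conf by gateway pair.

Added example (not part of the mailing-list post or of Openswan). In
IKEv1, all conns between the same two gateways share one Phase 1
(ISAKMP) SA, so only the first conn brought up runs Main Mode and the
rest start straight at Quick Mode.
"""
import re
from collections import OrderedDict

# Constructed ipsec.conf in the style the post describes: several conns
# to one work gateway plus one customer gateway. Addresses are RFC 5737
# documentation placeholders, not real endpoints.
SAMPLE_IPSEC_CONF = """\
version 2.0

config setup
    interfaces=%defaultroute

conn %default
    keyingtries=3
    authby=secret
    left=%defaultroute

conn work-subnet1
    right=192.0.2.1
    rightsubnet=10.1.0.0/24
    auto=add

conn work-subnet2
    right=192.0.2.1
    rightsubnet=10.2.0.0/24
    auto=add

conn work-subnet3
    right=192.0.2.1
    rightsubnet=10.3.0.0/24
    auto=add

conn customer-a
    right=198.51.100.7
    rightsubnet=172.16.5.0/24
    auto=add
"""

SECTION_RE = re.compile(r"^(conn|config)\s+(\S+)\s*$")   # column-0 section header
KV_RE = re.compile(r"^\s+(\w+)\s*=\s*(.*?)\s*$")          # indented key=value


def parse_ipsec_conf(text):
    """Return an OrderedDict of conn name -> merged settings.

    Column-0 lines open a section; indented key=value lines belong to the
    current one. '#' comments and blank lines are skipped. Values from
    'conn %default' are folded into every other conn, as pluto does.
    """
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.groups()          # (kind, name)
            sections[current] = {}
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1)] = m.group(2)
        # Other column-0 lines (e.g. "version 2.0") carry no conn settings.
    defaults = sections.get(("conn", "%default"), {})
    conns = OrderedDict()
    for (kind, name), settings in sections.items():
        if kind != "conn" or name == "%default":
            continue
        merged = dict(defaults)
        merged.update(settings)
        conns[name] = merged
    return conns


def group_by_gateway_pair(conns):
    """Map (left, right) -> conn names in file order.

    Conns in one list negotiate through the same ISAKMP SA.
    """
    groups = OrderedDict()
    for name, settings in conns.items():
        pair = (settings.get("left"), settings.get("right"))
        groups.setdefault(pair, []).append(name)
    return groups


def quick_mode_only(conns):
    """Conns that will not run their own Main Mode exchange.

    Assumes conns are brought up in file order, so the first conn of each
    gateway pair does Main Mode and the rest reuse its Phase 1 SA.
    """
    result = []
    for names in group_by_gateway_pair(conns).values():
        result.extend(names[1:])
    return result


if __name__ == "__main__":
    parsed = parse_ipsec_conf(SAMPLE_IPSEC_CONF)
    for (left, right), names in group_by_gateway_pair(parsed).items():
        print("%s <-> %s: %s" % (left, right, ", ".join(names)))
    print("Quick Mode only:", ", ".join(quick_mode_only(parsed)))
```

Run it against your own /etc/ipsec.conf by reading the file into parse_ipsec_conf instead of the constructed sample; every conn listed under "Quick Mode only" is one whose Quick Mode request the peer must be able to match to an existing Phase 1 state.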
