[Openswan Users] Multiple connection problems

Oliver Tomkins oliver.tomkins at alliedvehicles.co.uk
Thu Jul 14 10:51:56 CEST 2005


Each VPN client does have a unique ID - I've specified unique ids to no 
and it made no difference.

The second connection attempt does not disconnect the first either.

This may sound really obvious but is there a way I can specify which 
connection the clients use?

I've tried adding a second connection to ipsec.conf - but 
/var/log/messages/ shows both clients trying to use the same one.

Thanks,

Olly.

ilia.sotnikov at asstra.by wrote:
> Does each VPN client have its own certificate with a unique DN? *swan has 
> a 'unique_ids' option which is on by default, meaning that when a 2nd client 
> with the same ID connects, the 1st connection will be shut down. You could 
> try switching off that option and see what happens.
> 
> Ilia Sotnikov <ilia.sotnikov at asstra.by>
> 
> Oliver Tomkins <oliver.tomkins at alliedvehicles.co.uk>
> Sent by: users-bounces at openswan.org
> 24.06.2005 11:56
> 
>         To:     users at openswan.org
>         cc: 
>         Subject:        Re: [Openswan Users] Multiple connection problems
> 
> Thanks for the response! much appreciated.
> 
> 
>>What about /var/log/secure on the Openswan box? Are there any error
>>messages? 
> 
> 
> The log looks fairly normal. We see the certificate exchange and traffic 
> across the ipsec interface.  No error messages as far as I can tell.
> 
> Jun 24 09:46:01 mini pluto[9882]: packet from XXX.XXX.XX.XXX:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000002]
> Jun 24 09:46:01 mini pluto[9882]: packet from XXX.XXX.XX.XXX:500: ignoring Vendor ID payload [FRAGMENTATION]
> Jun 24 09:46:01 mini pluto[9882]: packet from XXX.XXX.XX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
> Jun 24 09:46:01 mini pluto[9882]: "vpn"[43] XXX.XXX.XX.XXX #43: responding to Main Mode from unknown peer XXX.XXX.XX.XXX
> Jun 24 09:46:01 mini pluto[9882]: "vpn"[43] XXX.XXX.XX.XXX #43: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> Jun 24 09:46:01 mini pluto[9882]: "vpn"[43] XXX.XXX.XX.XXX #43: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> Jun 24 09:46:02 mini pluto[9882]: "vpn"[43] XXX.XXX.XX.XXX #43: Main mode peer ID is ID_DER_ASN1_DN: 'C=GB, L=Glasgow, O=Allied Vehicles Ltd, OU=Information Technology Dept, CN=exige.alliedvehicles.co.uk, E=it at alliedvehicles.co.uk'
> Jun 24 09:46:02 mini pluto[9882]: "vpn"[44] XXX.XXX.XX.XXX #43: deleting connection "vpn" instance with peer XXX.XXX.XX.XXX {isakmp=#0/ipsec=#0}
> Jun 24 09:46:02 mini pluto[9882]: "vpn"[44] XXX.XXX.XX.XXX #43: I am sending my cert
> Jun 24 09:46:02 mini pluto[9882]: "vpn"[44] XXX.XXX.XX.XXX #43: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> Jun 24 09:46:02 mini pluto[9882]: "vpn"[44] XXX.XXX.XX.XXX #43: sent MR3, ISAKMP SA established
> Jun 24 09:46:03 mini pluto[9882]: "vpn"[44] XXX.XXX.XX.XXX #43: retransmitting in response to duplicate packet; already STATE_MAIN_R3
> Jun 24 09:46:03 mini pluto[9882]: "vpn"[44] XXX.XXX.XX.XXX #44: responding to Quick Mode
> Jun 24 09:46:03 mini pluto[9882]: "vpn"[44] XXX.XXX.XX.XXX #44: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
> Jun 24 09:46:03 mini pluto[9882]: "vpn"[44] XXX.XXX.XX.XXX #44: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
> Jun 24 09:46:03 mini pluto[9882]: "vpn"[44] XXX.XXX.XX.XXX #44: IPsec SA established {ESP=>0x08859f71 <0x5a4cafed}
> Jun 24 09:46:39 mini pluto[9882]: "vpn"[44] XXX.XXX.XX.XXX #43: received Delete SA(0x08859f71) payload: deleting IPSEC State #44
> Jun 24 09:46:39 mini pluto[9882]: "vpn"[44] XXX.XXX.XX.XXX #43: received and ignored informational message
> Jun 24 09:46:39 mini pluto[9882]: "vpn"[44] XXX.XXX.XX.XXX #43: received Delete SA payload: deleting ISAKMP State #43
> Jun 24 09:46:39 mini pluto[9882]: "vpn"[44] XXX.XXX.XX.XXX: deleting connection "vpn" instance with peer XXX.XXX.XX.XXX {isakmp=#0/ipsec=#0}
> Jun 24 09:46:39 mini pluto[9882]: packet from XXX.XXX.XX.XXX:500: received and ignored informational message
> 
>> Can you post your ipsec.conf? Are you using separate
>> connection sections for your clients?
> 
> ipsec.conf
> 
> # basic configuration
> config setup
> 
> # Add connections here
> conn vpn
>         type=transport
>         pfs=no
>         compress=yes
>         auto=add
>         left=%defaultroute
>         leftrsasigkey=%cert
>         leftcert=ipsec.domain.co.uk.pem
>         leftprotoport=17/1701
>         right=%any
>         rightrsasigkey=%cert
>         rightprotoport=17/1701
> 
> include /etc/ipsec.d/examples/no_oe.conf
> 
> Only one connection for both clients - is this a problem?
> 
> 
>>Is that firewall doing NAT, by any chance? Multiple clients behind
>>the same NAT router are currently not supported.
>>
> 
> 
> The firewall is not doing NAT.
> 
> Thanks,
> 
> Olly.
> 
> _______________________________________________
> Users mailing list
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users

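As an added example (not from this thread or from Openswan itself), a small Python checker that walks pluto log lines in the format Oliver quoted and reports which peer addresses authenticated with the same certificate DN, and whether a new negotiation tore down another peer's connection instance, which is the unique_ids behaviour Ilia describes. The sample log lines, addresses and DNs below are constructed placeholders modelled on the quoted log.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the thread's pluto output: two peers at
# different addresses present the same certificate DN on one "vpn" conn.
SAMPLE_LOG = """\
Jun 24 09:46:02 mini pluto[9882]: "vpn"[43] 192.0.2.10 #43: Main mode peer ID is ID_DER_ASN1_DN: 'C=GB, O=Example, CN=client-a.example'
Jun 24 09:46:02 mini pluto[9882]: "vpn"[43] 192.0.2.10 #43: sent MR3, ISAKMP SA established
Jun 24 09:46:03 mini pluto[9882]: "vpn"[43] 192.0.2.10 #44: IPsec SA established {ESP=>0x08859f71 <0x5a4cafed}
Jun 24 09:47:10 mini pluto[9882]: "vpn"[45] 192.0.2.20 #45: Main mode peer ID is ID_DER_ASN1_DN: 'C=GB, O=Example, CN=client-a.example'
Jun 24 09:47:10 mini pluto[9882]: "vpn"[45] 192.0.2.20 #45: deleting connection "vpn" instance with peer 192.0.2.10 {isakmp=#43/ipsec=#44}
Jun 24 09:47:10 mini pluto[9882]: "vpn"[45] 192.0.2.20 #45: sent MR3, ISAKMP SA established
"""

# One pluto line: timestamp, host, pluto[pid], "conn"[instance] peer [#state]: message
LINE_RE = re.compile(r'^(?P<ts>\w{3} +\d+ [\d:]+) \S+ pluto\[\d+\]: '
                     r'"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>\S+)'
                     r'(?: #(?P<state>\d+))?: (?P<msg>.*)$')
DN_RE = re.compile(r"peer ID is ID_DER_ASN1_DN: '(?P<dn>[^']*)'")
DEL_RE = re.compile(r'deleting connection "(?P<conn>[^"]+)" instance with peer (?P<peer>\S+)')


def analyse(log_text):
    """Group peers by the DN they authenticated with and record instance teardowns."""
    id_by_peer = {}                 # peer address -> DN it presented
    peers_by_dn = defaultdict(set)  # DN -> peer addresses that presented it
    replacements = []               # one entry per "deleting connection ... instance"
    isakmp_sa = []                  # (peer, DN) for each ISAKMP SA established
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # "packet from ..." lines carry no connection instance
        peer, msg = m['peer'], m['msg']
        dn = DN_RE.search(msg)
        if dn:
            id_by_peer[peer] = dn['dn']
            peers_by_dn[dn['dn']].add(peer)
        d = DEL_RE.search(msg)
        if d:
            old = d['peer']
            # same_id is True when the torn-down peer had presented the same DN
            same = id_by_peer.get(old) is not None and id_by_peer.get(old) == id_by_peer.get(peer)
            replacements.append({'new_peer': peer, 'old_peer': old, 'same_id': same})
        if msg.endswith('ISAKMP SA established'):
            isakmp_sa.append((peer, id_by_peer.get(peer)))
    shared = {dn: sorted(p) for dn, p in peers_by_dn.items() if len(p) > 1}
    return {'shared_ids': shared, 'replacements': replacements, 'isakmp_sa': isakmp_sa}
```

A non-empty `shared_ids` entry means two clients are presenting the same certificate identity, which is what makes the single `conn vpn` with `right=%any` indistinguishable between them.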