[Openswan Users] Multiple connection problems
Oliver Tomkins
oliver.tomkins at alliedvehicles.co.uk
Fri Jun 24 10:56:00 CEST 2005
Thanks for the response! Much appreciated.
> What about /var/log/secure on the Openswan box? Are there any error
> messages?
The log looks fairly normal. We see the certificate exchange and traffic
across the ipsec interface. No error messages as far as I can tell.
Jun 24 09:46:01 mini pluto[9882]: packet from XXX.XXX.XX.XXX:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000002]
Jun 24 09:46:01 mini pluto[9882]: packet from XXX.XXX.XX.XXX:500: ignoring Vendor ID payload [FRAGMENTATION]
Jun 24 09:46:01 mini pluto[9882]: packet from XXX.XXX.XX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
Jun 24 09:46:01 mini pluto[9882]: "vpn"[43] XXX.XXX.XX.XXX #43: responding to Main Mode from unknown peer XXX.XXX.XX.XXX
Jun 24 09:46:01 mini pluto[9882]: "vpn"[43] XXX.XXX.XX.XXX #43: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jun 24 09:46:01 mini pluto[9882]: "vpn"[43] XXX.XXX.XX.XXX #43: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jun 24 09:46:02 mini pluto[9882]: "vpn"[43] XXX.XXX.XX.XXX #43: Main mode peer ID is ID_DER_ASN1_DN: 'C=GB, L=Glasgow, O=Allied Vehicles Ltd, OU=Information Technology Dept, CN=exige.alliedvehicles.co.uk, E=it at alliedvehicles.co.uk'
Jun 24 09:46:02 mini pluto[9882]: "vpn"[44] XXX.XXX.XX.XXX #43: deleting connection "vpn" instance with peer XXX.XXX.XX.XXX {isakmp=#0/ipsec=#0}
Jun 24 09:46:02 mini pluto[9882]: "vpn"[44] XXX.XXX.XX.XXX #43: I am sending my cert
Jun 24 09:46:02 mini pluto[9882]: "vpn"[44] XXX.XXX.XX.XXX #43: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jun 24 09:46:02 mini pluto[9882]: "vpn"[44] XXX.XXX.XX.XXX #43: sent MR3, ISAKMP SA established
Jun 24 09:46:03 mini pluto[9882]: "vpn"[44] XXX.XXX.XX.XXX #43: retransmitting in response to duplicate packet; already STATE_MAIN_R3
Jun 24 09:46:03 mini pluto[9882]: "vpn"[44] XXX.XXX.XX.XXX #44: responding to Quick Mode
Jun 24 09:46:03 mini pluto[9882]: "vpn"[44] XXX.XXX.XX.XXX #44: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jun 24 09:46:03 mini pluto[9882]: "vpn"[44] XXX.XXX.XX.XXX #44: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jun 24 09:46:03 mini pluto[9882]: "vpn"[44] XXX.XXX.XX.XXX #44: IPsec SA established {ESP=>0x08859f71 <0x5a4cafed}
Jun 24 09:46:39 mini pluto[9882]: "vpn"[44] XXX.XXX.XX.XXX #43: received Delete SA(0x08859f71) payload: deleting IPSEC State #44
Jun 24 09:46:39 mini pluto[9882]: "vpn"[44] XXX.XXX.XX.XXX #43: received and ignored informational message
Jun 24 09:46:39 mini pluto[9882]: "vpn"[44] XXX.XXX.XX.XXX #43: received Delete SA payload: deleting ISAKMP State #43
Jun 24 09:46:39 mini pluto[9882]: "vpn"[44] XXX.XXX.XX.XXX: deleting connection "vpn" instance with peer XXX.XXX.XX.XXX {isakmp=#0/ipsec=#0}
Jun 24 09:46:39 mini pluto[9882]: packet from XXX.XXX.XX.XXX:500: received and ignored informational message
> Can you post your ipsec.conf? Are you using separate
> connection sections for your clients?
ipsec.conf
# basic configuration
config setup

# Add connections here
conn vpn
    type=transport
    pfs=no
    compress=yes
    auto=add
    left=%defaultroute
    leftrsasigkey=%cert
    leftcert=ipsec.domain.co.uk.pem
    leftprotoport=17/1701
    right=%any
    rightrsasigkey=%cert
    rightprotoport=17/1701

include /etc/ipsec.d/examples/no_oe.conf
Only one connection for both clients - is this a problem?
> Is that firewall doing NAT, by any chance? Multiple clients behind
> the same NAT router are currently not supported.
>
The firewall is not doing NAT.
Thanks,
Olly.
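
Added example, not part of the original message: a Python script that pairs each "IPsec SA established" line with the later "received Delete SA" line for the same state number, showing how long the SA lived before the peer deleted it, and lists peers that offered NAT-T while port floating was off. The sample lines are constructed in the format of the log above; the address 192.0.2.10, the year default and one log entry per line are assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the pluto log format quoted in the post; 192.0.2.10 is
# a documentation address standing in for the masked peer (assumption).
SAMPLE = """\
Jun 24 09:46:01 mini pluto[9882]: packet from 192.0.2.10:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
Jun 24 09:46:02 mini pluto[9882]: "vpn"[44] 192.0.2.10 #43: sent MR3, ISAKMP SA established
Jun 24 09:46:03 mini pluto[9882]: "vpn"[44] 192.0.2.10 #44: IPsec SA established {ESP=>0x08859f71 <0x5a4cafed}
Jun 24 09:46:39 mini pluto[9882]: "vpn"[44] 192.0.2.10 #43: received Delete SA(0x08859f71) payload: deleting IPSEC State #44
Jun 24 09:46:39 mini pluto[9882]: "vpn"[44] 192.0.2.10 #43: received Delete SA payload: deleting ISAKMP State #43
"""

LINE = re.compile(r'^(\w{3} +\d+ [\d:]{8}) \S+ pluto\[\d+\]: (.*)$')
PACKET = re.compile(r'^packet from (\S+):\d+: (.*)$')
STATE = re.compile(r'^"[^"]+"\[\d+\] (\S+?)(?: #(\d+))?: (.*)$')
DELETED = re.compile(r'received Delete SA\(\w+\) payload: deleting IPSEC State #(\d+)')

def analyse(text, year=2005):
    """Return (sa_lifetimes, natt_off_peers) for unwrapped pluto log lines.

    sa_lifetimes is a list of (peer, state_number, seconds_alive) for IPsec SAs
    that the remote peer deleted; syslog omits the year, so it is a parameter.
    """
    opened, lifetimes, natt_off = {}, [], set()
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a pluto entry, or a wrapped continuation line
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        pkt = PACKET.match(m.group(2))
        if pkt:
            # Peer advertised NAT-T but this pluto has port floating disabled.
            if "nat-t" in pkt.group(2) and "port floating is off" in pkt.group(2):
                natt_off.add(pkt.group(1))
            continue
        st = STATE.match(m.group(2))
        if not st:
            continue
        peer, serial, msg = st.groups()
        if serial and "IPsec SA established" in msg:
            opened[(peer, serial)] = when
        gone = DELETED.search(msg)
        if gone and (peer, gone.group(1)) in opened:
            start = opened.pop((peer, gone.group(1)))
            lifetimes.append((peer, int(gone.group(1)), (when - start).total_seconds()))
    return lifetimes, natt_off

if __name__ == "__main__":
    print(analyse(SAMPLE))
```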