[Openswan Users] Multiple connection problems
ilia.sotnikov at asstra.by
Fri Jun 24 13:57:51 CEST 2005
Does each VPN client have its own certificate with a unique DN? *swan has a
'unique_ids' option which is on by default, meaning that when a 2nd client
with the same ID connects, the 1st connection will be shut down. You could
try to switch off that option and see what happens.
Ilia Sotnikov <ilia.sotnikov at asstra.by>
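The experiment Ilia proposes, written out as an added example (not a file from either message): in Openswan's ipsec.conf the option is spelled uniqueids and lives in the config setup section, defaulting to yes. The conn section below repeats Oliver's settings unchanged; the certificate file name is his.

```ini
# /etc/ipsec.conf - constructed example, not Oliver's file as posted
config setup
    # Default is yes: a new ISAKMP SA whose peer ID matches an existing
    # one replaces that SA. Set to no only while testing whether both
    # clients present the same certificate DN.
    uniqueids=no

conn vpn
    type=transport
    pfs=no
    compress=yes
    auto=add
    left=%defaultroute
    leftrsasigkey=%cert
    leftcert=ipsec.domain.co.uk.pem
    leftprotoport=17/1701
    right=%any
    rightrsasigkey=%cert
    rightprotoport=17/1701

include /etc/ipsec.d/examples/no_oe.conf
```

Turning uniqueids off is a diagnostic step: if the second client then stays connected, both clients are presenting the same ID. The cleaner fix at that point is to issue each client its own certificate and restore the default, because the default is what lets pluto replace a stale SA when a client reconnects from a new address instead of leaving the old one in place.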
Oliver Tomkins <oliver.tomkins at alliedvehicles.co.uk>
Sent by: users-bounces at openswan.org
24.06.2005 11:56
To: users at openswan.org
cc:
Subject: Re: [Openswan Users] Multiple connection problems
Thanks for the response! Much appreciated.
> What about /var/log/secure on the Openswan box? Are there any error
> messages?
The log looks fairly normal. We see the certificate exchange and traffic
across the ipsec interface. No error messages as far as I can tell.
Jun 24 09:46:01 mini pluto[9882]: packet from XXX.XXX.XX.XXX:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000002]
Jun 24 09:46:01 mini pluto[9882]: packet from XXX.XXX.XX.XXX:500: ignoring Vendor ID payload [FRAGMENTATION]
Jun 24 09:46:01 mini pluto[9882]: packet from XXX.XXX.XX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
Jun 24 09:46:01 mini pluto[9882]: "vpn"[43] XXX.XXX.XX.XXX #43: responding to Main Mode from unknown peer XXX.XXX.XX.XXX
Jun 24 09:46:01 mini pluto[9882]: "vpn"[43] XXX.XXX.XX.XXX #43: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jun 24 09:46:01 mini pluto[9882]: "vpn"[43] XXX.XXX.XX.XXX #43: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jun 24 09:46:02 mini pluto[9882]: "vpn"[43] XXX.XXX.XX.XXX #43: Main mode peer ID is ID_DER_ASN1_DN: 'C=GB, L=Glasgow, O=Allied Vehicles Ltd, OU=Information Technology Dept, CN=exige.alliedvehicles.co.uk, E=it at alliedvehicles.co.uk'
Jun 24 09:46:02 mini pluto[9882]: "vpn"[44] XXX.XXX.XX.XXX #43: deleting connection "vpn" instance with peer XXX.XXX.XX.XXX {isakmp=#0/ipsec=#0}
Jun 24 09:46:02 mini pluto[9882]: "vpn"[44] XXX.XXX.XX.XXX #43: I am sending my cert
Jun 24 09:46:02 mini pluto[9882]: "vpn"[44] XXX.XXX.XX.XXX #43: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jun 24 09:46:02 mini pluto[9882]: "vpn"[44] XXX.XXX.XX.XXX #43: sent MR3, ISAKMP SA established
Jun 24 09:46:03 mini pluto[9882]: "vpn"[44] XXX.XXX.XX.XXX #43: retransmitting in response to duplicate packet; already STATE_MAIN_R3
Jun 24 09:46:03 mini pluto[9882]: "vpn"[44] XXX.XXX.XX.XXX #44: responding to Quick Mode
Jun 24 09:46:03 mini pluto[9882]: "vpn"[44] XXX.XXX.XX.XXX #44: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jun 24 09:46:03 mini pluto[9882]: "vpn"[44] XXX.XXX.XX.XXX #44: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jun 24 09:46:03 mini pluto[9882]: "vpn"[44] XXX.XXX.XX.XXX #44: IPsec SA established {ESP=>0x08859f71 <0x5a4cafed}
Jun 24 09:46:39 mini pluto[9882]: "vpn"[44] XXX.XXX.XX.XXX #43: received Delete SA(0x08859f71) payload: deleting IPSEC State #44
Jun 24 09:46:39 mini pluto[9882]: "vpn"[44] XXX.XXX.XX.XXX #43: received and ignored informational message
Jun 24 09:46:39 mini pluto[9882]: "vpn"[44] XXX.XXX.XX.XXX #43: received Delete SA payload: deleting ISAKMP State #43
Jun 24 09:46:39 mini pluto[9882]: "vpn"[44] XXX.XXX.XX.XXX: deleting connection "vpn" instance with peer XXX.XXX.XX.XXX {isakmp=#0/ipsec=#0}
Jun 24 09:46:39 mini pluto[9882]: packet from XXX.XXX.XX.XXX:500: received and ignored informational message
> Can you post your ipsec.conf? Are you using separate
> connection sections for your clients?
ipsec.conf
# basic configuration
config setup

# Add connections here
conn vpn
    type=transport
    pfs=no
    compress=yes
    auto=add
    left=%defaultroute
    leftrsasigkey=%cert
    leftcert=ipsec.domain.co.uk.pem
    leftprotoport=17/1701
    right=%any
    rightrsasigkey=%cert
    rightprotoport=17/1701

include /etc/ipsec.d/examples/no_oe.conf
Only one connection for both clients - is this a problem?
> Is that firewall doing NAT, by any chance? Multiple clients behind
> the same NAT router are currently not supported.
>
The firewall is not doing NAT.
Thanks,
Olly.
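A way to check Ilia's hypothesis against the pluto log rather than by experiment, as an added example that is not part of the thread: the script below parses lines in the format Oliver posted, records which certificate DN each ISAKMP SA presented, and reports any DN seen from more than one peer address, plus any ISAKMP SA that came up for a DN while an earlier SA with the same DN was still established (the situation in which the unique-ID rule tears the older one down). The sample log embedded in it is constructed, with documentation addresses and a made-up DN, and mirrors the message shapes on the page; the regular expressions are written against those shapes, not against any Openswan API.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the pluto lines posted in the thread
# (not the original log): two clients at different addresses present the
# same certificate DN; a third client presents its own.
SAMPLE_LOG = """\
Jun 24 09:46:01 mini pluto[9882]: "vpn"[43] 192.0.2.10 #43: responding to Main Mode from unknown peer 192.0.2.10
Jun 24 09:46:02 mini pluto[9882]: "vpn"[43] 192.0.2.10 #43: Main mode peer ID is ID_DER_ASN1_DN: 'C=GB, O=Example Ltd, CN=client.example.invalid'
Jun 24 09:46:02 mini pluto[9882]: "vpn"[44] 192.0.2.10 #43: sent MR3, ISAKMP SA established
Jun 24 09:47:10 mini pluto[9882]: "vpn"[45] 198.51.100.7 #45: responding to Main Mode from unknown peer 198.51.100.7
Jun 24 09:47:11 mini pluto[9882]: "vpn"[45] 198.51.100.7 #45: Main mode peer ID is ID_DER_ASN1_DN: 'C=GB, O=Example Ltd, CN=client.example.invalid'
Jun 24 09:47:11 mini pluto[9882]: "vpn"[46] 198.51.100.7 #45: sent MR3, ISAKMP SA established
Jun 24 09:47:12 mini pluto[9882]: "vpn"[44] 192.0.2.10 #43: received Delete SA payload: deleting ISAKMP State #43
Jun 24 09:47:12 mini pluto[9882]: "vpn"[44] 192.0.2.10: deleting connection "vpn" instance with peer 192.0.2.10 {isakmp=#0/ipsec=#0}
Jun 24 09:48:00 mini pluto[9882]: "vpn"[47] 203.0.113.5 #47: Main mode peer ID is ID_DER_ASN1_DN: 'C=GB, O=Example Ltd, CN=other.example.invalid'
Jun 24 09:48:01 mini pluto[9882]: "vpn"[48] 203.0.113.5 #47: sent MR3, ISAKMP SA established
"""

# A pluto line that carries a connection instance, peer address and state number.
LINE_RE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>\S+) #(?P<state>\d+): (?P<msg>.*)$'
)
PEER_ID_RE = re.compile(r"Main mode peer ID is ID_DER_ASN1_DN: '(?P<dn>[^']*)'")
DELETE_RE = re.compile(r"deleting ISAKMP State #(?P<state>\d+)")


def parse_pluto_line(line):
    """Return the fields of a state-bearing pluto line, or None for any other line."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["inst"] = int(ev["inst"])
    ev["state"] = int(ev["state"])
    return ev


def analyse(log_text):
    """Correlate peer IDs with ISAKMP SA lifetimes across a pluto log.

    Returns a dict with:
      shared_ids: DN -> sorted peer addresses, for DNs seen from more than one address
      overlaps:   (DN, old_state, new_state) when an ISAKMP SA came up for a DN
                  while another SA for the same DN was still established
      live:       state -> DN for ISAKMP SAs not deleted by the end of the log
    """
    dn_by_state = {}           # ISAKMP state number -> DN it presented in Main Mode
    peers_by_dn = defaultdict(set)
    live = {}                  # currently established ISAKMP SAs
    overlaps = []
    for line in log_text.splitlines():
        ev = parse_pluto_line(line)
        if ev is None:
            continue
        msg = ev["msg"]
        m = PEER_ID_RE.search(msg)
        if m:
            dn = m.group("dn")
            dn_by_state[ev["state"]] = dn
            peers_by_dn[dn].add(ev["peer"])
            continue
        if "ISAKMP SA established" in msg:
            dn = dn_by_state.get(ev["state"])
            if dn is None:
                continue
            for old_state, old_dn in live.items():
                if old_dn == dn and old_state != ev["state"]:
                    overlaps.append((dn, old_state, ev["state"]))
            live[ev["state"]] = dn
            continue
        m = DELETE_RE.search(msg)
        if m:
            live.pop(int(m.group("state")), None)
    shared = {dn: sorted(p) for dn, p in peers_by_dn.items() if len(p) > 1}
    return {"shared_ids": shared, "overlaps": overlaps, "live": live}


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for dn, peers in report["shared_ids"].items():
        print(f"DN presented from {len(peers)} addresses: {dn!r} <- {', '.join(peers)}")
    for dn, old, new in report["overlaps"]:
        print(f"ISAKMP SA #{new} established for {dn!r} while #{old} was still up")
```

Run it against /var/log/secure (or wherever pluto logs on the box) after both clients have tried to connect. A DN listed under shared_ids with two addresses confirms that the clients share a certificate, which is the condition the unique-ID rule acts on; an empty report with the connections still dropping points away from that hypothesis and back at the single conn section or the NAT question.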