[Openswan Users]
Problem with 2 tunnels between Openswan and Windows
lux
openswan at iotti.biz
Wed Mar 16 01:01:06 CET 2005
I am trying to set up an IPSec access between Windows (road warrior) and a Linux
gateway with Openswan.
My setup (the public IP addresses were changed with IPs from the 10.0.0.0 and
172.16.0.0 private networks):
192.168.1.254 10.0.0.2
======= ===================
LAN-------------GATEWAY==================IPSec tunnel========Windows roadwarrior
======= ===================
| 192.168.100.254
|
|
|
|
DMZ
On the gateway I have Fedora Core 3 with Openswan 2.3.0, native IPSec.
As long as I use only one tunnel of the 3 defined (for example I ping the
gateway on 10.0.0.2), everything seems to work fine.
But when the second tunnel comes up (for example I ping 192.168.100.254), the
first tunnel is shut down. After a while (seconds) the second tunnel is shut
down, and the first returns up. After another while, the first goes down and
the second comes up and so on. After some of this transitions, the second
tunnel (the one to the dmz, for example) stays up and the first stays down.
It seems that there can be only one tunnel at a time between the road warrior pc
and 10.0.0.2.
Is this a real limitation? Can I circumvent it?
The config is:
config setup
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.2.0/24,%v4:!192.168.15.128/25
conn %default
keyingtries=1
compress=no
authby=rsasig
leftrsasigkey=%cert
rightrsasigkey=%cert
conn roadwarrior-net
leftsubnet=192.168.1.0/255.255.255.0
also=roadwarrior
conn roadwarrior-dmz
leftsubnet=192.168.100.0/24
also=roadwarrior
conn roadwarrior
left=10.0.0.2
leftcert=server.pem
leftnexthop=10.0.0.1
right=%any
rightsubnet=vhost:%no,%priv
rightcert=lux.pem
auto=add
pfs=yes
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
On the Windows machine I have Windows 2000 . I'm usign the ipsec.exe utility
from Marcus Mueller, with the following config:
conn roadwarrior
left=%any
right=10.0.0.2
rightca="C=IT,S=XX,L=XXXXXX,O=Company inc.,CN=Company inc.
CA,Email=info at domain.com"
network=auto
auto=start
pfs=yes
conn dmz
left=%any
right=10.0.0.2
rightsubnet=192.168.100.0/255.255.255.0
rightca="C=IT,S=XX,L=XXXXXX,O=Company inc.,CN=Company inc.
CA,Email=info at domain.com"
network=auto
auto=start
pfs=yes
conn net
left=%any
right=10.0.0.2
rightsubnet=192.168.1.0/255.255.255.0
rightca="C=IT,S=XX,L=XXXXXX,O=Company inc.,CN=Company inc.
CA,Email=info at domain.com"
network=auto
auto=start
pfs=yes
I also tried using Windows XP SP2 (updated ipseccmd.exe) with the same results.
Here is the pluto log (notice the "deleting" and "SA established" lines):
Mar 15 11:08:57 mail pluto[24382]: packet from 172.16.1.1:500: ignoring Vendor
ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Mar 15 11:08:57 mail pluto[24382]: packet from 172.16.1.1:500: ignoring Vendor
ID payload [FRAGMENTATION]
Mar 15 11:08:57 mail pluto[24382]: packet from 172.16.1.1:500: received Vendor
ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Mar 15 11:08:57 mail pluto[24382]: packet from 172.16.1.1:500: ignoring Vendor
ID payload [Vid-Initial-Contact]
Mar 15 11:08:57 mail pluto[24382]: "roadwarrior"[1] 172.16.1.1 #1: responding to
Main Mode from unknown peer 172.16.1.1
Mar 15 11:08:57 mail pluto[24382]: "roadwarrior"[1] 172.16.1.1 #1: transition
from state STATE_MAIN_R0 to state STATE_MAIN_R1
Mar 15 11:08:57 mail pluto[24382]: "roadwarrior"[1] 172.16.1.1 #1:
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Mar 15 11:08:57 mail pluto[24382]: "roadwarrior"[1] 172.16.1.1 #1: transition
from state STATE_MAIN_R1 to state STATE_MAIN_R2
Mar 15 11:08:58 mail pluto[24382]: "roadwarrior"[1] 172.16.1.1 #1: Main mode
peer ID is ID_DER_ASN1_DN: 'C=IT, ST=XX, L=XXXXXX, O=Company inc., CN=lux,
E=info at domain.com'
Mar 15 11:08:58 mail pluto[24382]: "roadwarrior"[1] 172.16.1.1 #1: I am sending
my cert
Mar 15 11:08:58 mail pluto[24382]: "roadwarrior"[1] 172.16.1.1 #1: transition
from state STATE_MAIN_R2 to state STATE_MAIN_R3
Mar 15 11:08:58 mail pluto[24382]: | NAT-T: new mapping 172.16.1.1:500/33863)
Mar 15 11:08:58 mail pluto[24382]: "roadwarrior"[1] 172.16.1.1:33863 #1: sent
MR3, ISAKMP SA established
Mar 15 11:08:58 mail pluto[24382]: "roadwarrior"[1] 172.16.1.1:33863 #2:
responding to Quick Mode
Mar 15 11:08:58 mail pluto[24382]: "roadwarrior"[1] 172.16.1.1:33863 #2:
transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Mar 15 11:08:58 mail pluto[24382]: "roadwarrior"[1] 172.16.1.1:33863 #2:
transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Mar 15 11:08:58 mail pluto[24382]: "roadwarrior"[1] 172.16.1.1:33863 #2: IPsec
SA established {ESP/NAT=>0xf7cae962 <0x78e24bfd NATOA=0.0.0.0}
Mar 15 11:09:30 mail pluto[24382]: packet from 172.16.1.1:500: ignoring Vendor
ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Mar 15 11:09:30 mail pluto[24382]: packet from 172.16.1.1:500: ignoring Vendor
ID payload [FRAGMENTATION]
Mar 15 11:09:30 mail pluto[24382]: packet from 172.16.1.1:500: received Vendor
ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Mar 15 11:09:30 mail pluto[24382]: packet from 172.16.1.1:500: ignoring Vendor
ID payload [Vid-Initial-Contact]
Mar 15 11:09:30 mail pluto[24382]: "roadwarrior"[2] 172.16.1.1 #3: responding to
Main Mode from unknown peer 172.16.1.1
Mar 15 11:09:30 mail pluto[24382]: "roadwarrior"[2] 172.16.1.1 #3: transition
from state STATE_MAIN_R0 to state STATE_MAIN_R1
Mar 15 11:09:30 mail pluto[24382]: "roadwarrior"[2] 172.16.1.1 #3:
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Mar 15 11:09:30 mail pluto[24382]: "roadwarrior"[2] 172.16.1.1 #3: transition
from state STATE_MAIN_R1 to state STATE_MAIN_R2
Mar 15 11:09:31 mail pluto[24382]: "roadwarrior"[2] 172.16.1.1 #3: Main mode
peer ID is ID_DER_ASN1_DN: 'C=IT, ST=XX, L=XXXXXX, O=Company inc., CN=lux,
E=info at domain.com'
Mar 15 11:09:31 mail pluto[24382]: "roadwarrior"[2] 172.16.1.1 #3: I am sending
my cert
Mar 15 11:09:31 mail pluto[24382]: "roadwarrior"[2] 172.16.1.1 #3: deleting
connection "roadwarrior" instance with peer 172.16.1.1 {isakmp=#1/ipsec=#2}
Mar 15 11:09:31 mail pluto[24382]: "roadwarrior" #2: deleting state
(STATE_QUICK_R2)
Mar 15 11:09:31 mail pluto[24382]: "roadwarrior" #1: deleting state
(STATE_MAIN_R3)
Mar 15 11:09:31 mail pluto[24382]: "roadwarrior"[2] 172.16.1.1 #3: transition
from state STATE_MAIN_R2 to state STATE_MAIN_R3
Mar 15 11:09:31 mail pluto[24382]: | NAT-T: new mapping 172.16.1.1:500/33863)
Mar 15 11:09:31 mail pluto[24382]: "roadwarrior"[2] 172.16.1.1:33863 #3: sent
MR3, ISAKMP SA established
Mar 15 11:09:31 mail pluto[24382]: "roadwarrior-dmz"[1] 172.16.1.1:33863 #4:
responding to Quick Mode
Mar 15 11:09:31 mail pluto[24382]: "roadwarrior-dmz"[1] 172.16.1.1:33863 #4:
transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Mar 15 11:09:31 mail pluto[24382]: "roadwarrior-dmz"[1] 172.16.1.1:33863 #4:
transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Mar 15 11:09:31 mail pluto[24382]: "roadwarrior-dmz"[1] 172.16.1.1:33863 #4:
IPsec SA established {ESP/NAT=>0xeddfcd30 <0x421c2a0c NATOA=0.0.0.0}
Mar 15 11:11:13 mail pluto[24382]: "roadwarrior"[2] 172.16.1.1:33863 #3:
received Delete SA payload: deleting ISAKMP State #3
Mar 15 11:11:13 mail pluto[24382]: "roadwarrior"[2] 172.16.1.1:33863: deleting
connection "roadwarrior" instance with peer 172.16.1.1 {isakmp=#0/ipsec=#0}
Mar 15 11:11:13 mail pluto[24382]: packet from 172.16.1.1:33863: received and
ignored informational message
Mar 15 11:11:24 mail pluto[24382]: packet from 172.16.1.1:500: ignoring Vendor
ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Mar 15 11:11:24 mail pluto[24382]: packet from 172.16.1.1:500: ignoring Vendor
ID payload [FRAGMENTATION]
Mar 15 11:11:24 mail pluto[24382]: packet from 172.16.1.1:500: received Vendor
ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Mar 15 11:11:24 mail pluto[24382]: packet from 172.16.1.1:500: ignoring Vendor
ID payload [Vid-Initial-Contact]
Mar 15 11:11:24 mail pluto[24382]: "roadwarrior"[3] 172.16.1.1 #5: responding to
Main Mode from unknown peer 172.16.1.1
Mar 15 11:11:24 mail pluto[24382]: "roadwarrior"[3] 172.16.1.1 #5: transition
from state STATE_MAIN_R0 to state STATE_MAIN_R1
Mar 15 11:11:24 mail pluto[24382]: "roadwarrior"[3] 172.16.1.1 #5:
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Mar 15 11:11:24 mail pluto[24382]: "roadwarrior"[3] 172.16.1.1 #5: transition
from state STATE_MAIN_R1 to state STATE_MAIN_R2
Mar 15 11:11:24 mail pluto[24382]: "roadwarrior"[3] 172.16.1.1 #5: Main mode
peer ID is ID_DER_ASN1_DN: 'C=IT, ST=XX, L=XXXXXX, O=Company inc., CN=lux,
E=info at domain.com'
Mar 15 11:11:24 mail pluto[24382]: "roadwarrior"[3] 172.16.1.1 #5: I am sending
my cert
Mar 15 11:11:24 mail pluto[24382]: "roadwarrior"[3] 172.16.1.1 #5: deleting
connection "roadwarrior-dmz" instance with peer 172.16.1.1 {isakmp=#0/ipsec=#4}
Mar 15 11:11:24 mail pluto[24382]: "roadwarrior-dmz" #4: deleting state
(STATE_QUICK_R2)
Mar 15 11:11:24 mail pluto[24382]: "roadwarrior"[3] 172.16.1.1 #5: transition
from state STATE_MAIN_R2 to state STATE_MAIN_R3
Mar 15 11:11:24 mail pluto[24382]: | NAT-T: new mapping 172.16.1.1:500/33863)
Mar 15 11:11:24 mail pluto[24382]: "roadwarrior"[3] 172.16.1.1:33863 #5: sent
MR3, ISAKMP SA established
Mar 15 11:11:25 mail pluto[24382]: "roadwarrior"[3] 172.16.1.1:33863 #6:
responding to Quick Mode
Mar 15 11:11:25 mail pluto[24382]: "roadwarrior"[3] 172.16.1.1:33863 #6:
transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Mar 15 11:11:26 mail pluto[24382]: "roadwarrior"[3] 172.16.1.1:33863 #6:
transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Mar 15 11:11:26 mail pluto[24382]: "roadwarrior"[3] 172.16.1.1:33863 #6: IPsec
SA established {ESP/NAT=>0xbe59a09f <0x25de535f NATOA=0.0.0.0}
More information about the Users
mailing list