[Openswan Users] Problem with 2 tunnels between Openswan and Windows

lux openswan at iotti.biz
Wed Mar 16 01:01:06 CET 2005


I am trying to set up IPsec access between Windows (road warrior) and a Linux
gateway with Openswan.

My setup (the public IP addresses were replaced with IPs from the 10.0.0.0 and
172.16.0.0 private networks):

     192.168.1.254   10.0.0.2
                =======                                      ===================
LAN-------------GATEWAY==================IPSec tunnel========Windows roadwarrior
                =======                                      ===================
                   | 192.168.100.254
                   |
                   |
                   |
                   |
                  DMZ


On the gateway I have Fedora Core 3 with Openswan 2.3.0, native IPSec.

As long as I use only one of the 3 defined tunnels (for example I ping the
gateway on 10.0.0.2), everything seems to work fine.
But when the second tunnel comes up (for example I ping 192.168.100.254), the
first tunnel is shut down. After a while (seconds) the second tunnel is shut
down, and the first comes back up. After another while, the first goes down and
the second comes up, and so on. After a few of these transitions, the second
tunnel (the one to the DMZ, for example) stays up and the first stays down.
It seems that there can be only one tunnel at a time between the road warrior PC
and 10.0.0.2.
Is this a real limitation? Can I circumvent it?

The config is:

config setup
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.2.0/24,%v4:!192.168.15.128/25

conn %default
        keyingtries=1
        compress=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert

conn roadwarrior-net
        leftsubnet=192.168.1.0/255.255.255.0
        also=roadwarrior

conn roadwarrior-dmz
        leftsubnet=192.168.100.0/24
        also=roadwarrior

conn roadwarrior
        left=10.0.0.2
        leftcert=server.pem
        leftnexthop=10.0.0.1
        right=%any
        rightsubnet=vhost:%no,%priv
        rightcert=lux.pem
        auto=add
        pfs=yes

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf



On the Windows machine I have Windows 2000. I'm using the ipsec.exe utility
from Marcus Mueller, with the following config:

conn roadwarrior
	left=%any
	right=10.0.0.2
	rightca="C=IT,S=XX,L=XXXXXX,O=Company inc.,CN=Company inc. CA,Email=info at domain.com"
	network=auto
	auto=start
	pfs=yes

conn dmz
	left=%any
	right=10.0.0.2
	rightsubnet=192.168.100.0/255.255.255.0
	rightca="C=IT,S=XX,L=XXXXXX,O=Company inc.,CN=Company inc. CA,Email=info at domain.com"
	network=auto
	auto=start
	pfs=yes

conn net
	left=%any
	right=10.0.0.2
	rightsubnet=192.168.1.0/255.255.255.0
	rightca="C=IT,S=XX,L=XXXXXX,O=Company inc.,CN=Company inc. CA,Email=info at domain.com"
	network=auto
	auto=start
	pfs=yes

I also tried using Windows XP SP2 (updated ipseccmd.exe) with the same results.

Here is the pluto log (notice the "deleting" and "SA established" lines):

Mar 15 11:08:57 mail pluto[24382]: packet from 172.16.1.1:500: ignoring Vendor
ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Mar 15 11:08:57 mail pluto[24382]: packet from 172.16.1.1:500: ignoring Vendor
ID payload [FRAGMENTATION]
Mar 15 11:08:57 mail pluto[24382]: packet from 172.16.1.1:500: received Vendor
ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Mar 15 11:08:57 mail pluto[24382]: packet from 172.16.1.1:500: ignoring Vendor
ID payload [Vid-Initial-Contact]
Mar 15 11:08:57 mail pluto[24382]: "roadwarrior"[1] 172.16.1.1 #1: responding to
Main Mode from unknown peer 172.16.1.1
Mar 15 11:08:57 mail pluto[24382]: "roadwarrior"[1] 172.16.1.1 #1: transition
from state STATE_MAIN_R0 to state STATE_MAIN_R1
Mar 15 11:08:57 mail pluto[24382]: "roadwarrior"[1] 172.16.1.1 #1:
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Mar 15 11:08:57 mail pluto[24382]: "roadwarrior"[1] 172.16.1.1 #1: transition
from state STATE_MAIN_R1 to state STATE_MAIN_R2
Mar 15 11:08:58 mail pluto[24382]: "roadwarrior"[1] 172.16.1.1 #1: Main mode
peer ID is ID_DER_ASN1_DN: 'C=IT, ST=XX, L=XXXXXX, O=Company inc., CN=lux,
E=info at domain.com'
Mar 15 11:08:58 mail pluto[24382]: "roadwarrior"[1] 172.16.1.1 #1: I am sending
my cert
Mar 15 11:08:58 mail pluto[24382]: "roadwarrior"[1] 172.16.1.1 #1: transition
from state STATE_MAIN_R2 to state STATE_MAIN_R3
Mar 15 11:08:58 mail pluto[24382]: | NAT-T: new mapping 172.16.1.1:500/33863)
Mar 15 11:08:58 mail pluto[24382]: "roadwarrior"[1] 172.16.1.1:33863 #1: sent
MR3, ISAKMP SA established
Mar 15 11:08:58 mail pluto[24382]: "roadwarrior"[1] 172.16.1.1:33863 #2:
responding to Quick Mode
Mar 15 11:08:58 mail pluto[24382]: "roadwarrior"[1] 172.16.1.1:33863 #2:
transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Mar 15 11:08:58 mail pluto[24382]: "roadwarrior"[1] 172.16.1.1:33863 #2:
transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Mar 15 11:08:58 mail pluto[24382]: "roadwarrior"[1] 172.16.1.1:33863 #2: IPsec
SA established {ESP/NAT=>0xf7cae962 <0x78e24bfd NATOA=0.0.0.0}
Mar 15 11:09:30 mail pluto[24382]: packet from 172.16.1.1:500: ignoring Vendor
ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Mar 15 11:09:30 mail pluto[24382]: packet from 172.16.1.1:500: ignoring Vendor
ID payload [FRAGMENTATION]
Mar 15 11:09:30 mail pluto[24382]: packet from 172.16.1.1:500: received Vendor
ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Mar 15 11:09:30 mail pluto[24382]: packet from 172.16.1.1:500: ignoring Vendor
ID payload [Vid-Initial-Contact]
Mar 15 11:09:30 mail pluto[24382]: "roadwarrior"[2] 172.16.1.1 #3: responding to
Main Mode from unknown peer 172.16.1.1
Mar 15 11:09:30 mail pluto[24382]: "roadwarrior"[2] 172.16.1.1 #3: transition
from state STATE_MAIN_R0 to state STATE_MAIN_R1
Mar 15 11:09:30 mail pluto[24382]: "roadwarrior"[2] 172.16.1.1 #3:
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Mar 15 11:09:30 mail pluto[24382]: "roadwarrior"[2] 172.16.1.1 #3: transition
from state STATE_MAIN_R1 to state STATE_MAIN_R2
Mar 15 11:09:31 mail pluto[24382]: "roadwarrior"[2] 172.16.1.1 #3: Main mode
peer ID is ID_DER_ASN1_DN: 'C=IT, ST=XX, L=XXXXXX, O=Company inc., CN=lux,
E=info at domain.com'
Mar 15 11:09:31 mail pluto[24382]: "roadwarrior"[2] 172.16.1.1 #3: I am sending
my cert
Mar 15 11:09:31 mail pluto[24382]: "roadwarrior"[2] 172.16.1.1 #3: deleting
connection "roadwarrior" instance with peer 172.16.1.1 {isakmp=#1/ipsec=#2}
Mar 15 11:09:31 mail pluto[24382]: "roadwarrior" #2: deleting state
(STATE_QUICK_R2)
Mar 15 11:09:31 mail pluto[24382]: "roadwarrior" #1: deleting state
(STATE_MAIN_R3)
Mar 15 11:09:31 mail pluto[24382]: "roadwarrior"[2] 172.16.1.1 #3: transition
from state STATE_MAIN_R2 to state STATE_MAIN_R3
Mar 15 11:09:31 mail pluto[24382]: | NAT-T: new mapping 172.16.1.1:500/33863)
Mar 15 11:09:31 mail pluto[24382]: "roadwarrior"[2] 172.16.1.1:33863 #3: sent
MR3, ISAKMP SA established
Mar 15 11:09:31 mail pluto[24382]: "roadwarrior-dmz"[1] 172.16.1.1:33863 #4:
responding to Quick Mode
Mar 15 11:09:31 mail pluto[24382]: "roadwarrior-dmz"[1] 172.16.1.1:33863 #4:
transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Mar 15 11:09:31 mail pluto[24382]: "roadwarrior-dmz"[1] 172.16.1.1:33863 #4:
transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Mar 15 11:09:31 mail pluto[24382]: "roadwarrior-dmz"[1] 172.16.1.1:33863 #4:
IPsec SA established {ESP/NAT=>0xeddfcd30 <0x421c2a0c NATOA=0.0.0.0}
Mar 15 11:11:13 mail pluto[24382]: "roadwarrior"[2] 172.16.1.1:33863 #3:
received Delete SA payload: deleting ISAKMP State #3
Mar 15 11:11:13 mail pluto[24382]: "roadwarrior"[2] 172.16.1.1:33863: deleting
connection "roadwarrior" instance with peer 172.16.1.1 {isakmp=#0/ipsec=#0}
Mar 15 11:11:13 mail pluto[24382]: packet from 172.16.1.1:33863: received and
ignored informational message
Mar 15 11:11:24 mail pluto[24382]: packet from 172.16.1.1:500: ignoring Vendor
ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Mar 15 11:11:24 mail pluto[24382]: packet from 172.16.1.1:500: ignoring Vendor
ID payload [FRAGMENTATION]
Mar 15 11:11:24 mail pluto[24382]: packet from 172.16.1.1:500: received Vendor
ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Mar 15 11:11:24 mail pluto[24382]: packet from 172.16.1.1:500: ignoring Vendor
ID payload [Vid-Initial-Contact]
Mar 15 11:11:24 mail pluto[24382]: "roadwarrior"[3] 172.16.1.1 #5: responding to
Main Mode from unknown peer 172.16.1.1
Mar 15 11:11:24 mail pluto[24382]: "roadwarrior"[3] 172.16.1.1 #5: transition
from state STATE_MAIN_R0 to state STATE_MAIN_R1
Mar 15 11:11:24 mail pluto[24382]: "roadwarrior"[3] 172.16.1.1 #5:
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Mar 15 11:11:24 mail pluto[24382]: "roadwarrior"[3] 172.16.1.1 #5: transition
from state STATE_MAIN_R1 to state STATE_MAIN_R2
Mar 15 11:11:24 mail pluto[24382]: "roadwarrior"[3] 172.16.1.1 #5: Main mode
peer ID is ID_DER_ASN1_DN: 'C=IT, ST=XX, L=XXXXXX, O=Company inc., CN=lux,
E=info at domain.com'
Mar 15 11:11:24 mail pluto[24382]: "roadwarrior"[3] 172.16.1.1 #5: I am sending
my cert
Mar 15 11:11:24 mail pluto[24382]: "roadwarrior"[3] 172.16.1.1 #5: deleting
connection "roadwarrior-dmz" instance with peer 172.16.1.1 {isakmp=#0/ipsec=#4}
Mar 15 11:11:24 mail pluto[24382]: "roadwarrior-dmz" #4: deleting state
(STATE_QUICK_R2)
Mar 15 11:11:24 mail pluto[24382]: "roadwarrior"[3] 172.16.1.1 #5: transition
from state STATE_MAIN_R2 to state STATE_MAIN_R3
Mar 15 11:11:24 mail pluto[24382]: | NAT-T: new mapping 172.16.1.1:500/33863)
Mar 15 11:11:24 mail pluto[24382]: "roadwarrior"[3] 172.16.1.1:33863 #5: sent
MR3, ISAKMP SA established
Mar 15 11:11:25 mail pluto[24382]: "roadwarrior"[3] 172.16.1.1:33863 #6:
responding to Quick Mode
Mar 15 11:11:25 mail pluto[24382]: "roadwarrior"[3] 172.16.1.1:33863 #6:
transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Mar 15 11:11:26 mail pluto[24382]: "roadwarrior"[3] 172.16.1.1:33863 #6:
transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Mar 15 11:11:26 mail pluto[24382]: "roadwarrior"[3] 172.16.1.1:33863 #6: IPsec
SA established {ESP/NAT=>0xbe59a09f <0x25de535f NATOA=0.0.0.0}
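As an added example (not part of the original post or of Openswan), a small Python parser that reads pluto log lines like the ones above and reports, for every "deleting connection ... instance" event, which established IPsec SA was torn down, how long it had been up, and which new ISAKMP negotiation from the same peer triggered the deletion. The embedded sample consists of lines taken from the log above with the archive's line wraps rejoined; the function and field names are this example's own.

```python
import re
from datetime import datetime

# Lines from the pluto log above (archive line wraps rejoined, unrelated lines omitted).
PLUTO_LOG = """\
Mar 15 11:08:58 mail pluto[24382]: "roadwarrior"[1] 172.16.1.1:33863 #1: sent MR3, ISAKMP SA established
Mar 15 11:08:58 mail pluto[24382]: "roadwarrior"[1] 172.16.1.1:33863 #2: IPsec SA established {ESP/NAT=>0xf7cae962 <0x78e24bfd NATOA=0.0.0.0}
Mar 15 11:09:30 mail pluto[24382]: "roadwarrior"[2] 172.16.1.1 #3: responding to Main Mode from unknown peer 172.16.1.1
Mar 15 11:09:31 mail pluto[24382]: "roadwarrior"[2] 172.16.1.1 #3: deleting connection "roadwarrior" instance with peer 172.16.1.1 {isakmp=#1/ipsec=#2}
Mar 15 11:09:31 mail pluto[24382]: "roadwarrior"[2] 172.16.1.1:33863 #3: sent MR3, ISAKMP SA established
Mar 15 11:09:31 mail pluto[24382]: "roadwarrior-dmz"[1] 172.16.1.1:33863 #4: IPsec SA established {ESP/NAT=>0xeddfcd30 <0x421c2a0c NATOA=0.0.0.0}
Mar 15 11:11:13 mail pluto[24382]: "roadwarrior"[2] 172.16.1.1:33863: deleting connection "roadwarrior" instance with peer 172.16.1.1 {isakmp=#0/ipsec=#0}
Mar 15 11:11:24 mail pluto[24382]: "roadwarrior"[3] 172.16.1.1 #5: deleting connection "roadwarrior-dmz" instance with peer 172.16.1.1 {isakmp=#0/ipsec=#4}
Mar 15 11:11:26 mail pluto[24382]: "roadwarrior"[3] 172.16.1.1:33863 #6: IPsec SA established {ESP/NAT=>0xbe59a09f <0x25de535f NATOA=0.0.0.0}
"""

# A pluto line carrying a state number: timestamp, conn name, peer, state, message.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>[\d.]+)(?::\d+)? #(?P<state>\d+): (?P<msg>.*)$')
DELETE_RE = re.compile(
    r'deleting connection "(?P<victim>[^"]+)" instance with peer (?P<peer>[\d.]+) '
    r'\{isakmp=#(?P<isakmp>\d+)/ipsec=#(?P<ipsec>\d+)\}')

def _secs(ts):
    """Syslog timestamp (no year) -> seconds on a fixed scale, good enough for differences."""
    return int((datetime.strptime(ts, "%b %d %H:%M:%S") - datetime(1900, 1, 1)).total_seconds())

def find_tunnel_flaps(log_text):
    """One record per IPsec SA that pluto deleted while replacing a connection instance."""
    established = {}   # state number -> (conn name, time the IPsec SA came up)
    flaps = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)   # lines without a "#N:" state (e.g. isakmp=#0/ipsec=#0) are skipped
        if not m:
            continue
        conn, state, msg = m["conn"], int(m["state"]), m["msg"]
        if msg.startswith("IPsec SA established"):
            established[state] = (conn, _secs(m["ts"]))
            continue
        d = DELETE_RE.search(msg)
        if d and int(d["ipsec"]) != 0:   # ipsec=#0 means no child SA was lost
            victim = int(d["ipsec"])
            t0 = established.get(victim, (None, None))[1]
            flaps.append({"peer": d["peer"], "torn_down": d["victim"], "ipsec_sa": victim,
                          "uptime_s": None if t0 is None else _secs(m["ts"]) - t0,
                          "replaced_by": conn, "new_isakmp_sa": state})
    return flaps

if __name__ == "__main__":
    for f in find_tunnel_flaps(PLUTO_LOG):
        print(f"{f['peer']}: IPsec SA #{f['ipsec_sa']} ({f['torn_down']}) up {f['uptime_s']}s, "
              f"torn down by new ISAKMP SA #{f['new_isakmp_sa']} for {f['replaced_by']}")
```

On the sample it reports that SA #2 (roadwarrior) lived 33 s before ISAKMP SA #3 replaced its instance, and SA #4 (roadwarrior-dmz) lived 113 s before ISAKMP SA #5 did the same, which is the alternating pattern described in the post.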

