[Openswan Users] Multiple IPSEC SA Established on NAT-T connection to FC3 Kernel 2.6.11 and OpenSwan 2.3.1

Pedro Carvalho pedro.carvalho at nok.pt
Mon May 23 10:26:38 CEST 2005


I have recently upgraded my VPN server from RH9 to FC3 and also OpenSwan
from 2.0 to 2.3.1.

I am experiencing multiple tunnels established when using a roadwarrior
L2TP/IPSEC connection between a Windows XP-SP2 behind another XP-SP2
machine (using Internet Connection Sharing) connecting to a Fedora Core
3 machine (Kernel 2.6.11 Native IPSEC and Openswan 2.3.1).

Apparently the XP-SP2 road warrior machine does not figure out that the
first IPSEC SA was in fact established with success and keeps on trying
new connections. After a while (4 to 10 "ipsec sa established" later)
the XP machine gives up.

Ethereal does not help because apparently all packets get delivered to
the road warrior machine.

I have cleared all firewall rules on the FC3 VPN server and also on
both XP-SP2 machines.

I have also messed around with the MTU on the outside interface of the VPN
server and in the pluto updown script, without success.

If I replace the second XP-SP2 machine (ICS) with another FC3 machine,
that solves the problem.

Any ideas?

Thanks in advance,

Pedro Carvalho

PS:

Test scenarios:

XP-SP2 -> XP-SP2 (Internet Connection Sharing) -> FC3 OpenSwan VPN Server    NOT OK
XP-SP2 -> FC3 OpenSwan VPN Server                                            OK (of course no NAT-T)
XP-SP2 -> FC3 NAT (Masquerade) -> FC3 OpenSwan VPN Server                    OK
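The symptom described above (one road warrior behind NAT repeatedly logging "IPsec SA established" until it gives up) is easiest to confirm from the server side rather than with a packet capture. The script below is an added example, not code from the thread or from the Openswan project: it scans pluto syslog lines, groups the "IPsec SA established" events per connection and peer address, and reports any peer that completed more than a threshold of SAs inside a short window. The log line shape, the connection name "roadwarrior-l2tp", the peer addresses, SPIs and the year are all constructed for the example and are assumptions about the real log format.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed pluto syslog line shape (constructed for this example):
#   "<Mon DD HH:MM:SS> <host> pluto[<pid>]: "<conn>"[<inst>] <peer-ip>[:port] #<state>: <event> ..."
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)"(?:\[\d+\])? (?P<peer>[\d.]+)(?::\d+)? #(?P<state>\d+): '
    r'(?P<event>IPsec SA established|deleting state)'
)

# Constructed sample log: one NAT-T road warrior (192.0.2.10) completes five
# IPsec SAs in about a minute, a second peer (198.51.100.7) completes one.
SAMPLE_LOG = """\
May 23 10:01:02 vpn pluto[1234]: "roadwarrior-l2tp"[1] 192.0.2.10 #3: IPsec SA established {ESP=>0x1a2b3c4d <0x4d3c2b1a NATOA=0.0.0.0}
May 23 10:01:09 vpn pluto[1234]: "roadwarrior-l2tp"[2] 192.0.2.10 #5: IPsec SA established {ESP=>0x2b3c4d5e <0x5e4d3c2b NATOA=0.0.0.0}
May 23 10:01:20 vpn pluto[1234]: "roadwarrior-l2tp"[3] 192.0.2.10 #7: IPsec SA established {ESP=>0x3c4d5e6f <0x6f5e4d3c NATOA=0.0.0.0}
May 23 10:01:35 vpn pluto[1234]: "roadwarrior-l2tp"[4] 192.0.2.10 #9: IPsec SA established {ESP=>0x4d5e6f70 <0x705e6f4d NATOA=0.0.0.0}
May 23 10:01:44 vpn pluto[1234]: "roadwarrior-l2tp"[1] 192.0.2.10 #3: deleting state (STATE_QUICK_R2)
May 23 10:02:10 vpn pluto[1234]: "roadwarrior-l2tp"[5] 192.0.2.10 #11: IPsec SA established {ESP=>0x5e6f7081 <0x81706f5e NATOA=0.0.0.0}
May 23 10:05:00 vpn pluto[1234]: "roadwarrior-l2tp"[6] 198.51.100.7 #13: IPsec SA established {ESP=>0x6f708192 <0x9281706f}
May 23 10:05:01 vpn kernel: some unrelated line
"""


def parse_events(lines, year=2005):
    """Return (timestamp, conn, peer, state_no, event) tuples for pluto SA lines.

    Syslog timestamps carry no year, so the caller supplies one (assumption).
    Lines that do not match the assumed shape are skipped.
    """
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
        events.append((ts, m.group("conn"), m.group("peer"),
                       int(m.group("state")), m.group("event")))
    return events


def find_sa_storms(lines, window_seconds=120, threshold=3, year=2005):
    """Map (conn, peer) -> largest number of 'IPsec SA established' events that
    fall inside any window_seconds-long window, keeping only peers that reach
    threshold. A healthy road warrior produces one SA per session (plus rekeys
    far apart), so a count of several within two minutes is the pattern to chase.
    """
    per_peer = defaultdict(list)
    for ts, conn, peer, _state, event in parse_events(lines, year):
        if event == "IPsec SA established":
            per_peer[(conn, peer)].append(ts)

    storms = {}
    for key, stamps in per_peer.items():
        stamps.sort()
        best = 0
        start = 0
        # Sliding window over the sorted timestamps of this peer.
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            storms[key] = best
    return storms


if __name__ == "__main__":
    for (conn, peer), count in find_sa_storms(SAMPLE_LOG.splitlines()).items():
        print(f'{conn} {peer}: {count} IPsec SAs established within 120s')
```

Run against a real /var/log/secure (or wherever pluto logs on the host), the state numbers in the matching lines are the ones to correlate with "deleting state" entries; seeing each SA torn down and immediately re-established for the same peer while a directly connected (non-NAT) peer shows a single SA narrows the problem to the NAT-T path rather than to firewall or MTU settings.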

 
