[Openswan Users] multiple ipsec interface issue - any ideas?

Ryley Breiddal rbreiddal at presinet.com
Thu Nov 3 09:48:54 CET 2005


Martin Glazer wrote:
> I'm running OpenSwan 1.0.9 on a firewall with 2 internet connections
> - one being the default route (eth1) and the other (eth0)
> specifically for traffic to a single application provider.
> 
> Openswan is set up on the default interface (eth1) and works perfectly
> using certificates and roadwarrior connections - this is ipsec0.
> 
> I am trying to set up Openswan on the second interface (eth0) as well
> and have designated this as ipsec1.
> 
> The issue I am having is that all VPN connections to ipsec1 do not
> complete - they all stop at
> "transition from state (null) to state STATE_MAIN_R1 "
> and then nothing else.
> 
> I have checked the firewall rules (and even disabled the firewall
> completely) and there is nothing there preventing IKE packets.
> 
> When running tcpdump on both interfaces, I see the original IKE
> request come in on the correct interface (eth0/ipsec1), but outgoing
> replies are on the default route interface (eth1/ipsec0).
> 
> Anybody have any ideas on solving this or can explain why it is
> happening? 

This may be too simple, but it sounds an awful lot like a routing issue.
If you look at your routing table, do you have a route via eth0 back to
the source of the original IKE request?  Is it above any route via
ipsec1?

Generally, you should have a routing table like this:
<ip of application> dev eth0
<ip of application> dev ipsec1
<assorted RWs> via <default gateway> dev ipsec0
<subnet of gateway> dev eth1
default via <gateway> dev eth1

Regards,


Ryley Breiddal
PresiNET Systems
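
The routing check suggested in the reply above, as an added example that is not part of the original post: it parses `ip route show`-style output and reports whether a reply to an IKE peer would leave on a different interface than the request arrived on. The route lines and addresses are constructed (documentation ranges), and the helper names are hypothetical; it models longest-prefix match in a single table only, not policy rules or metrics.

```python
import ipaddress

# Constructed `ip route show` output for a dual-homed gateway (not from the thread).
SAMPLE_ROUTES = """\
198.51.100.0/24 dev eth0 proto kernel scope link src 198.51.100.2
203.0.113.0/24 dev eth1 proto kernel scope link src 203.0.113.2
default via 203.0.113.1 dev eth1
"""

def parse_routes(text):
    """Return [(network, dev)] for every line that names a destination and a dev."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or "dev" not in fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # e.g. "broadcast ..." or "unreachable ..." lines
        routes.append((net, fields[fields.index("dev") + 1]))
    return routes

def egress_dev(routes, peer):
    """Pick the outgoing interface by longest-prefix match."""
    addr = ipaddress.ip_address(peer)
    matches = [(net.prefixlen, dev) for net, dev in routes if addr in net]
    return max(matches, key=lambda m: m[0])[1] if matches else None

def check_reply_path(routes, peer, ingress_dev):
    """Compare where a reply would leave with where the request arrived."""
    out = egress_dev(routes, peer)
    return {"peer": peer, "ingress": ingress_dev, "egress": out,
            "asymmetric": out != ingress_dev}

if __name__ == "__main__":
    peer = "192.0.2.10"  # constructed peer whose IKE request arrived on eth0
    before = parse_routes(SAMPLE_ROUTES)
    print(check_reply_path(before, peer, "eth0"))
    # Add a host route back to the peer via eth0 (constructed next hop).
    after = parse_routes(SAMPLE_ROUTES + "192.0.2.10 via 198.51.100.1 dev eth0\n")
    print(check_reply_path(after, peer, "eth0"))
```

On a live gateway, `ip route get <peer address>` gives the kernel's own answer for the same question, including any policy rules.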

