[Openswan Users] Two networks using PSK as roadwarriors
Daniel Fenert
daniel at fenert.net
Wed Apr 19 15:58:22 CEST 2006
My config:
--- cut ---
conn roadwarrior-a-psk
    type=tunnel
    authby=secret
    left=MYIP
    leftnexthop=MYRTR
    leftsubnet=192.168.0.0/16
    right=0.0.0.0
    rightsubnet=192.168.22.0/24
    auto=add
    pfs=no
    keyingtries=3

conn rp3-psk
    type=tunnel
    authby=secret
    left=MYIP
    leftnexthop=MYRTR
    leftsubnet=192.168.0.0/16
    right=0.0.0.0
    rightsubnet=192.168.3.0/24
    auto=add
    pfs=no
    keyingtries=3
[... other connections using rsasig ]
--- cut ---
Both networks are using the same PSK, but the first network never gets connected,
here's the log:
--- cut ---
Mar 26 11:34:23 rimmon pluto[14730]: "rp3-psk"[50157] DYNAMIC_IP #69901: responding to Main Mode from unknown peer DYNAMIC_IP
Mar 26 11:34:23 rimmon pluto[14730]: "rp3-psk"[50157] DYNAMIC_IP #69901: transition from state (null) to state STATE_MAIN_R1
Mar 26 11:34:23 rimmon pluto[14730]: "rp3-psk"[50157] DYNAMIC_IP #69901: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Mar 26 11:34:24 rimmon pluto[14730]: "rp3-psk"[50157] DYNAMIC_IP #69901: Main mode peer ID is ID_IPV4_ADDR: 'DYNAMIC_IP'
Mar 26 11:34:24 rimmon pluto[14730]: "rp3-psk"[50157] DYNAMIC_IP #69901: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Mar 26 11:34:24 rimmon pluto[14730]: "rp3-psk"[50157] DYNAMIC_IP #69901: sent MR3, ISAKMP SA established
Mar 26 11:34:24 rimmon pluto[14730]: "rp3-psk"[50157] DYNAMIC_IP #69901: cannot respond to IPsec SA request because no connection is known for 192.168.0.0/16===MY_IP...DYNAMIC_IP===192.168.22.0/24
Mar 26 11:34:24 rimmon pluto[14730]: "rp3-psk"[50157] DYNAMIC_IP #69901: sending encrypted notification INVALID_ID_INFORMATION to DYNAMIC_IP:500
Mar 26 11:34:27 rimmon pluto[14730]: "rp3-psk"[50157] DYNAMIC_IP #69901: received Delete SA payload: deleting ISAKMP State #69901
Mar 26 11:34:27 rimmon pluto[14730]: "rp3-psk"[50157] DYNAMIC_IP: deleting connection "rp3-psk" instance with peer DYNAMIC_IP
--- cut ---
I've thought about setting different PSKs, but both networks have
dynamic IP addresses (changed daily) from the same network.
Any ideas how to solve the problem? I cannot use rsasig for these 2 connections
because both roadwarriors use some small hardware routers where PSK is the
only option.
--
Daniel Fenert --==> daniel at fenert.pl <==--
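
Added example, not part of the original message: a Python check that cross-references pluto's "no connection is known for" rejection against the conn definitions, reporting which conn instance handled the request and which configured conn actually carries the requested subnet pair. The config text is reduced from the post to the two subnet fields, and the function names are this example's own.

```python
import re

# Constructed sample: the two PSK conns from the post, reduced to the compared fields.
CONFIG = """\
conn roadwarrior-a-psk
    leftsubnet=192.168.0.0/16
    rightsubnet=192.168.22.0/24
conn rp3-psk
    leftsubnet=192.168.0.0/16
    rightsubnet=192.168.3.0/24
"""

# Rejection line as posted (MY_IP / DYNAMIC_IP are the poster's placeholders).
LOG = ('Mar 26 11:34:24 rimmon pluto[14730]: "rp3-psk"[50157] DYNAMIC_IP #69901: '
       'cannot respond to IPsec SA request because no connection is known for '
       '192.168.0.0/16===MY_IP...DYNAMIC_IP===192.168.22.0/24\n')

# Only the subnet-to-subnet form (net===host...host===net) is handled here.
FAIL_RE = re.compile(
    r'"(?P<conn>[^"]+)"\[\d+\] \S+ #\d+: cannot respond to IPsec SA request '
    r'because no connection is known for '
    r'(?P<lnet>\S+?)===(?P<left>\S+?)\.\.\.(?P<right>\S+?)===(?P<rnet>\S+)')

def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("conn "):
            current = conns.setdefault(line.split(None, 1)[1], {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def diagnose(log_text, conns):
    """Pair each rejection with the conns whose subnets equal the requested ones."""
    findings = []
    for m in FAIL_RE.finditer(log_text):
        wanted = (m["lnet"], m["rnet"])
        owners = [name for name, c in conns.items()
                  if (c.get("leftsubnet"), c.get("rightsubnet")) == wanted]
        findings.append({"instance": m["conn"], "requested": wanted,
                         "conns_with_subnets": owners})
    return findings

if __name__ == "__main__":
    print(diagnose(LOG, parse_conns(CONFIG)))
```

On the posted log this reports that the request was evaluated under an `rp3-psk` instance while the requested subnet pair is the one defined in `roadwarrior-a-psk`.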