[Openswan Users] Multiple tunnels causes INVALID_SPI error
Thomas Novin
thnov at xyz.pp.se
Tue Apr 10 04:03:42 EDT 2007
Hi all,
After "some" problems I eventually managed to get my IPSEC VPN
connection from my Ubuntu/Openswan 2.4.6 client to my Fortigate
FGT-100/FortiOS 3.0 server.
If I have only one connection added, everything works fine and is
stable. But when I tried to add another network that should be tunneled
(actually, a whole new connection) they seem to disturb each other.
Fortigate:
Two policies referring to the same P1 IPSEC connection
Client:
conn work
        auto=add
        left=10.0.0.58
        leftsubnet=10.0.0.0/24
        leftnexthop=10.0.0.254
        leftid=@work
        right=<fortigate wan>
        rightsubnet=<fortigate lan>
        rightid=%any
        keyingtries=0
        pfs=yes
        auth=esp
        authby=secret
        esp=3des

conn work-othernet
        auto=add
        left=10.0.0.58
        leftsubnet=10.0.0.0/24
        leftnexthop=10.0.0.254
        leftid=@work-othernet
        right=<fortigate wan>
        rightsubnet=<my other subnet>
        rightid=%any
        keyingtries=0
        pfs=yes
        auth=esp
        authby=secret
        esp=3des
The log message:
Apr 5 09:22:04 localhost pluto[10859]: | processing connection work
Apr 5 09:22:04 localhost pluto[10859]: | ***parse ISAKMP Hash Payload:
Apr 5 09:22:04 localhost pluto[10859]: | next payload type: ISAKMP_NEXT_N
Apr 5 09:22:04 localhost pluto[10859]: | length: 20
Apr 5 09:22:04 localhost pluto[10859]: | ***parse ISAKMP Notification Payload:
Apr 5 09:22:04 localhost pluto[10859]: | next payload type: ISAKMP_NEXT_NONE
Apr 5 09:22:04 localhost pluto[10859]: | length: 16
Apr 5 09:22:04 localhost pluto[10859]: | DOI: ISAKMP_DOI_IPSEC
Apr 5 09:22:04 localhost pluto[10859]: | protocol ID: 3
Apr 5 09:22:04 localhost pluto[10859]: | SPI size: 4
Apr 5 09:22:04 localhost pluto[10859]: | Notify Message Type: INVALID_SPI
Rgds,
Thomas
--
Thomas Novin <thnov at xyz.pp.se>
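Added example, not part of the post above: a small Python parser for pluto debug output of the kind quoted in the message. It tags each ISAKMP Notification payload with the connection pluto was processing at the time and lists the connections that received INVALID_SPI, which is the first thing to pin down when two conns share the same endpoints. The sample log is an abridged copy of the quoted lines plus a constructed second connection with a benign notification.

```python
import re

# Pluto debug output: abridged from the lines quoted in the post, followed by
# a constructed second connection that receives a benign notification.
PLUTO_LOG = """\
Apr 5 09:22:04 localhost pluto[10859]: | processing connection work
Apr 5 09:22:04 localhost pluto[10859]: | ***parse ISAKMP Hash Payload:
Apr 5 09:22:04 localhost pluto[10859]: | next payload type: ISAKMP_NEXT_N
Apr 5 09:22:04 localhost pluto[10859]: | ***parse ISAKMP Notification Payload:
Apr 5 09:22:04 localhost pluto[10859]: | DOI: ISAKMP_DOI_IPSEC
Apr 5 09:22:04 localhost pluto[10859]: | protocol ID: 3
Apr 5 09:22:04 localhost pluto[10859]: | SPI size: 4
Apr 5 09:22:04 localhost pluto[10859]: | Notify Message Type: INVALID_SPI
Apr 5 09:22:10 localhost pluto[10859]: | processing connection work-othernet
Apr 5 09:22:10 localhost pluto[10859]: | ***parse ISAKMP Notification Payload:
Apr 5 09:22:10 localhost pluto[10859]: | protocol ID: 1
Apr 5 09:22:10 localhost pluto[10859]: | Notify Message Type: INITIAL_CONTACT
"""

DEBUG_LINE = re.compile(r"pluto\[(\d+)\]: \| (.*)$")
NOTIFY_HDR = "***parse ISAKMP Notification Payload:"
PROTO_NAMES = {1: "ISAKMP", 2: "AH", 3: "ESP"}  # IPsec DOI protocol IDs


def parse_notifications(log_text):
    """One dict per ISAKMP Notification payload, tagged with the active conn."""
    events, conn, cur = [], None, None
    for raw in log_text.splitlines():
        m = DEBUG_LINE.search(raw)
        if not m:
            continue  # not a pluto debug line
        msg = m.group(2).strip()
        if msg.startswith("processing connection "):
            conn = msg.split(" ", 2)[2]
        elif msg.startswith("***parse "):
            if cur:  # a new payload header closes the one being read
                events.append(cur)
            cur = {"conn": conn} if msg == NOTIFY_HDR else None
        elif cur is not None and ": " in msg:
            key, val = msg.split(": ", 1)
            if key == "protocol ID":
                cur["protocol"] = PROTO_NAMES.get(int(val), val)
            elif key == "Notify Message Type":
                cur["notify"] = val
    if cur:
        events.append(cur)
    return events


def invalid_spi_connections(log_text):
    """Sorted names of connections for which the peer sent INVALID_SPI."""
    return sorted({e["conn"] for e in parse_notifications(log_text) if e.get("notify") == "INVALID_SPI"})
```

Run it against a full pluto log with plutodebug enabled to see whether only one of the two conns, or both, draws INVALID_SPI, and for which protocol (here ESP).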