[Openswan Users] Multiple tunnels causes INVALID_SPI error
Paul Wouters
paul at xelerance.com
Tue Apr 10 11:23:34 EDT 2007
On Tue, 10 Apr 2007, Thomas Novin wrote:
> If I have only one connection added, everything works fine and is
> stable. But when I tried to add another network that should be tunneled
> (actually, a whole new connection) they seem to disturb each other.
That's a common problem with embedded devices.
> conn work
> auto=add
> left=10.0.0.58
> leftsubnet=10.0.0.0/24
Are you saying this connection works? Because to reach left, you have
to know where leftsubnet is, which is behind left.
> leftid=@work
> right=<fortigate wan>
> rightsubnet=<fortigate lan>
> rightid=%any
Set the rightid to something on both ends, or leave it out.
Don't set it to %any unless these are roadwarriors, which this
connection does not really seem to be.
> keyingtries=0
> pfs=yes
> auth=esp
> authby=secret
> esp=3des
>
> conn work-othernet
> auto=add
> left=10.0.0.58
> leftsubnet=10.0.0.0/24
> leftnexthop=10.0.0.254
> leftid=@work-othernet
Don't use different IDs. Re-use the same conn, ONLY change
the rightsubnet= definition.
You now created two IKE peers which are the same, yet different, which
is causing your problems now.
> right=<fortigate wan>
> rightsubnet=<my other subnet>
> rightid=%any
> keyingtries=0
> pfs=yes
> auth=esp
> authby=secret
> esp=3des
Paul
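A constructed ipsec.conf fragment, added here and not part of the thread, showing the layout Paul recommends: one shared set of peer settings and IKE identity, and a second conn that differs only in rightsubnet=. The `<fortigate wan>`, `<fortigate lan>` and `<my other subnet>` placeholders are the poster's; everything else copies the poster's values, with `rightid=%any` dropped and the shared part pulled in with Openswan's `also=` keyword.

```ini
# Constructed example (not from the original post). Both tunnels share one
# left/right address pair and one leftid, so Openswan sees a single IKE peer
# instead of two conflicting ones; only the protected rightsubnet= differs.

# Shared settings; no auto= here, so this section is never loaded on its own.
conn work-common
    left=10.0.0.58
    leftsubnet=10.0.0.0/24
    leftnexthop=10.0.0.254
    leftid=@work
    right=<fortigate wan>
    # rightid= left out: the peer is a fixed gateway, not a roadwarrior
    keyingtries=0
    pfs=yes
    auth=esp
    authby=secret
    esp=3des

# First tunnel: includes everything above, adds only its own rightsubnet=.
conn work
    also=work-common
    rightsubnet=<fortigate lan>
    auto=add

# Second tunnel: identical IKE identity and peers, different rightsubnet=.
conn work-othernet
    also=work-common
    rightsubnet=<my other subnet>
    auto=add
```

With this layout both conns negotiate under one IKE SA with the same identity, so the INVALID_SPI clashes between the two "work" conns no longer have two differently-named peers to fight over.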