[Openswan Users] Multiple tunnels causes INVALID_SPI error

Thomas Novin thnov at xyz.pp.se
Tue Apr 10 14:41:23 EDT 2007


On Tue, 2007-04-10 at 17:23 +0200, Paul Wouters wrote:
> On Tue, 10 Apr 2007, Thomas Novin wrote:
> > conn work
> >      auto=add
> >      left=10.0.0.58
> >      leftsubnet=10.0.0.0/24
> 
> Are you saying his connection works? Because to reach left, you have
> to know where leftsubnet is, which is behind left.

Yes, this works. 10.0.0.58 is my IP on the left-subnet. Maybe this could
be replaced with something so that it is auto-detected? I have many
interfaces and when I tried %something (can't remember what) it didn't
work.

I really would like to get this connection to work regardless of what IP
I've got, using a virtual adapter or something like that, as I will use
this VPN from several different LANs.

> Set the rightid to something on both ends, or leave it out.
> Don't set it to %any unless these are roadwarriors, which this
> connection does not really seem to be.

Ok, removed it completely.

> >      keyingtries=0
> >      pfs=yes
> >      auth=esp
> >      authby=secret
> >      esp=3des
> >
> > conn work-othernet
> >      auto=add
> >      left=10.0.0.58
> >      leftsubnet=10.0.0.0/24
> >      leftnexthop=10.0.0.254
> >      leftid=@work-othernet
> 
> Don't use different ids. Re-use the same conn, ONLY change
> the rightsubnet= definition.
> 
> You now created two IKE peers which are the same, yet different. Which
> is causing your problems now.
> 

I've already tried that but I tried it now again. When I do that
starting tunnel #2 kills tunnel #1. If I down tunnel #1 the traffic on
tunnel #2 stops working.

Rgds,

Thomas
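As an illustration of the layout Paul describes above (one set of shared parameters, and one conn per remote subnet that differs only in rightsubnet=), here is an ipsec.conf sketch. It is an added example, not a configuration taken from this thread. The local values are the ones quoted in the thread; the remote gateway address, the two remote subnets and the conn names are assumed placeholders. `%defaultroute` is the documented Openswan value for taking the local address and nexthop from the default route, mentioned here as an option, not as something the thread confirmed to work.

```ini
# Added example: shared parameters in %default, one conn per remote subnet.
# Values marked "assumed" are placeholders, not taken from the mailing list thread.
config setup
        interfaces=%defaultroute

conn %default
        keyingtries=0
        pfs=yes
        auth=esp
        authby=secret
        esp=3des

# Common endpoint definition. No leftid=/rightid= here: both ends then
# identify by their IP addresses, so there is a single IKE peer relationship.
conn work-common
        left=%defaultroute          # or left=10.0.0.58 as in the thread
        leftsubnet=10.0.0.0/24
        leftnexthop=10.0.0.254
        right=192.0.2.1             # assumed: the office VPN gateway
        auto=ignore                 # only included by the conns below

# One conn per remote network; only rightsubnet= differs.
conn work-net1
        rightsubnet=172.16.1.0/24   # assumed: first office subnet
        auto=add
        also=work-common

conn work-net2
        rightsubnet=172.16.2.0/24   # assumed: second office subnet
        auto=add
        also=work-common
```

With this layout `ipsec auto --up work-net1` and `ipsec auto --up work-net2` negotiate two Phase 2 SAs under one IKE (Phase 1) SA, because both conns present the same identities to the same peer; the two-leftid variant in the thread instead creates two distinct IKE peers on the same address pair, which is what Paul points to as the cause of the INVALID_SPI symptoms. The `also=` line is kept last in each section, which is the ordering the ipsec.conf manual requires.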