[Openswan Users] constantly increasing number of tunnels, stopping ipsec (fwd)
Paul Wouters
paul at xelerance.com
Mon Aug 27 11:47:52 EDT 2007
On Wed, 22 Aug 2007, Paul Wouters wrote:
> Subject: Re: [Openswan Users] constantly increasing number of tunnels,
> stopping ipsec (fwd)
It looks like you have a lot of duplicate connections that are being
negotiated, e.g.:
000 "kronau-pforzheim"[1]: 192.168.8.0/24===80.152.166.167---217.5.98.8...62.227.205.37===192.168.33.0/24; unrouted; eroute owner: #0
000 "kronau-pforzheim"[2]: 192.168.8.0/24===80.152.166.167---217.5.98.8...84.159.187.150===192.168.33.0/24; unrouted; eroute owner: #0
000 "kronau-pforzheim"[3]: 192.168.8.0/24===80.152.166.167---217.5.98.8...217.233.212.187===192.168.33.0/24; unrouted; eroute owner: #0
000 "kronau-pforzheim"[4]: 192.168.8.0/24===80.152.166.167---217.5.98.8...84.173.223.209===192.168.33.0/24; unrouted; eroute owner: #0
000 "kronau-pforzheim"[5]: 192.168.8.0/24===80.152.166.167---217.5.98.8...84.163.106.164===192.168.33.0/24; erouted; eroute owner: #459
These are all requests for a tunnel from 192.168.8.0/24 <-> 192.168.33.0/24. It looks like
you are replacing the tunnels continuously, racing yourself to death? Since when using
uniqueids=yes, you will terminate all but the last of those tunnels.
I am also not sure why you have two default routes:
0.0.0.0 217.5.98.7 0.0.0.0 UG 0 0 0 dsl0
0.0.0.0 0.0.0.0 0.0.0.0 U 0 0 0 dsl0
You should probably delete the latter one.
It seems like a pretty big setup to be running with PSK instead of RSA/X509 by
the way.
But the key question here is, what are you trying to do? Obviously you can't mean to
tunnel from one network to the other via 1 NAT device many many times, so I think you
have misconfigured or misunderstood something.
Paul
--
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
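As an added diagnostic (not part of the post and not Openswan's own code), a small Python parser for `ipsec auto --status` connection lines of the kind quoted above: it groups instantiated connections by name and subnet pair and reports the ones that have several instances, which is the symptom the reply points at. The sample lines are constructed from the output quoted in the post.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the `ipsec auto --status` lines quoted above
# (a subset of the kronau-pforzheim instances plus one unrelated connection).
STATUS_SAMPLE = """\
000 "kronau-pforzheim"[1]: 192.168.8.0/24===80.152.166.167---217.5.98.8...62.227.205.37===192.168.33.0/24; unrouted; eroute owner: #0
000 "kronau-pforzheim"[2]: 192.168.8.0/24===80.152.166.167---217.5.98.8...84.159.187.150===192.168.33.0/24; unrouted; eroute owner: #0
000 "kronau-pforzheim"[5]: 192.168.8.0/24===80.152.166.167---217.5.98.8...84.163.106.164===192.168.33.0/24; erouted; eroute owner: #459
000 "other-site": 10.0.0.0/24===80.152.166.167---217.5.98.8...203.0.113.9===10.0.1.0/24; erouted; eroute owner: #12
"""

# One connection line: name, optional [instance], leftsubnet===left(---nexthop)...peer===rightsubnet
LINE_RE = re.compile(
    r'^000 "(?P<name>[^"]+)"(?:\[(?P<inst>\d+)\])?: '
    r'(?P<left>[^=]+)===(?P<lhost>.+?)\.\.\.(?P<peer>[^=]+)===(?P<right>[^;]+); '
    r'(?P<state>\w+); eroute owner: #(?P<owner>\d+)'
)


def find_duplicate_tunnels(status_text):
    """Return {(name, leftsubnet, rightsubnet): summary} for every connection
    that has more than one instance negotiated for the same subnet pair."""
    groups = defaultdict(list)
    for line in status_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # algorithm lists, SA state lines, etc. are not connection lines
        key = (m["name"], m["left"], m["right"])
        groups[key].append({
            "instance": int(m["inst"]) if m["inst"] else 0,
            "peer": m["peer"],
            "state": m["state"],
            "owner": int(m["owner"]),  # 0 means no IPsec SA owns the eroute
        })
    report = {}
    for key, insts in groups.items():
        if len(insts) > 1:
            report[key] = {
                "instances": len(insts),
                "peers": sorted({i["peer"] for i in insts}),
                # instances that actually own an eroute (the live tunnel)
                "active": [i["instance"] for i in insts if i["owner"] != 0],
            }
    return report


if __name__ == "__main__":
    for (name, left, right), info in find_duplicate_tunnels(STATUS_SAMPLE).items():
        print(f'"{name}" {left}<->{right}: {info["instances"]} instances, '
              f'peers {info["peers"]}, eroute-owning instance(s) {info["active"]}')
```

Only the instance listed under "active" carries the eroute; the others are the leftover negotiations that uniqueids=yes would tear down.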