[Openswan Users] Bug: Duelling tunnels in openswan-2.4.9-r1
paul at xelerance.com
Sun Oct 21 21:16:40 EDT 2007
On Sun, 21 Oct 2007, Roland Plüss wrote:
> This problem started since the update to openswan-2.4.9-r1 . It looks
> like a huge bug in this version since my Road-Warrior system has been
> working until this fateful day.
I am not sure what "2.4.9-r1" is. We have "rc" which is release candidate
and we have "dr" which is development release.
There are bugs in 2.4.9. We're about to do a 2.4.10 release.
> The following happens now. There is a gateway with two laptops using a
> road-warrior config. Both use the same setups hence the same RSA key and
this setup is wrong though. Two different laptops should use two different
identifiers. You should have two conn's on the server side.
> So far they both received their own tunnel since they have
> different IPs. This is the intended behavior to distinguish computers
> with the same RSA key by their IP.
What do you intend to do when both are behind the same NAT router? They
will have the same IP.
> Now with the new version this is no more happening. For some reason if
> the second laptop opens a tunnel it intermingles with the first
> established tunnel. The net effect is that in an interval of 10 seconds
> each laptop alternating has its tunnel going up and down. They both
> fight for the same slot instead of receiving two slots. This problem can
> be witnessed well on the gateway where the slot changes the IP every 10
> seconds from one laptop to the other. With this the entire network is
> down and no way back ( the old version vanished from portage... great!
> so much for failure awareness <.=.< ).
It's your setup that is flawed. Perhaps gentoo changed the default for
uniqueids= in the config setup section? The default is "yes", which
breaks your setup.
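The server-side layout Paul recommends above (one conn per laptop, each with its own identifier, and uniqueids= left at its default of yes) looks like the following ipsec.conf fragment. This is an added example, not configuration from the thread or from the Openswan project; the hostnames, IDs, subnet and the key blobs are placeholders, and the actual rsasigkey values would come from each machine's own `ipsec showhostkey` output.

```ini
# Added example (not from the thread): gateway-side ipsec.conf for two
# road-warrior laptops. Hostnames, IDs, subnet and key blobs are placeholders.
version 2.0

config setup
    # Keep the default. With uniqueids=yes a new IKE SA presenting an ID that
    # is already in use replaces the older SA, so two peers sharing one ID
    # keep displacing each other. Giving each laptop its own ID avoids that.
    uniqueids=yes

conn %default
    authby=rsasig
    # placeholder: the gateway's public address and identity
    left=gateway.example.net
    leftid=@gateway.example.net
    leftrsasigkey=0sAQ...GATEWAY_KEY_PLACEHOLDER
    # placeholder: the LAN behind the gateway
    leftsubnet=192.0.2.0/24
    # road warriors connect from any address, so no fixed right=
    right=%any
    auto=add

# One conn per laptop, each with its own ID and its own RSA key.
conn laptop1
    rightid=@laptop1.example.net
    rightrsasigkey=0sAQ...LAPTOP1_KEY_PLACEHOLDER

conn laptop2
    rightid=@laptop2.example.net
    rightrsasigkey=0sAQ...LAPTOP2_KEY_PLACEHOLDER
```

Each laptop then uses the matching leftid= and its own key in its client-side conn. Because the two conns are distinguished by ID rather than by source address, this also covers the case Paul raises of both laptops sitting behind the same NAT router.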