[Openswan Users] Bug: Duelling tunnels in openswan-2.4.9-r1

Paul Wouters paul at xelerance.com
Sun Oct 21 21:16:40 EDT 2007

On Sun, 21 Oct 2007, Roland Plüss wrote:

> This problem started since the update to openswan-2.4.9-r1 . It looks
> like a huge bug in this version since my Road-Warrior system has been
> working until this fateful day.

I am not sure what "2.4.9-r1" is. We have "rc" which is release candidate
and we have "dr" which is development release.

There are bugs in 2.4.9. We're about to do a 2.4.10 release.

> The following happens now. There is a gateway with two laptops using a
> road-warrior config. Both use the same setups hence the same RSA key and
> identifier.

This setup is wrong though. Two different laptops should use two different
identifiers. You should have two conn's on the server side.

> So far they both received their own tunnel since they have
> different IPs. This is the intended behavior to distinguish computers
> with the same RSA key by their IP.

What do you intend to do when both are behind the same NAT router? They
will have the same IP.

> Now with the new version this is no more happening. For some reason if
> the second laptop opens a tunnel it intermingles with the first
> established tunnel. The net effect is that in an interval of 10 seconds
> each laptop alternating has its tunnel going up and down. They both
> fight for the same slot instead of receiving two slots. This problem can
> be witnessed well on the gateway where the slot changes the IP every 10
> seconds from one laptop to the other. With this the entire network is
> down and no way back ( the old version vanished from portage... great!
> so much for failure awareness <.=.< ).

It's your setup that is flawed. Perhaps gentoo changed the default for
uniqueids= in the config setup section? The default is "yes", which
breaks your setup.
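Added illustration, not part of the original thread: a gateway-side ipsec.conf in the shape Paul describes, with uniqueids= left at its default and one conn per road warrior, each with its own identifier and RSA key. Hostnames and keys are placeholders.

```ini
version 2.0

config setup
        interfaces=%defaultroute
        nat_traversal=yes
        # Default is yes: when a new IKE SA arrives with an ID that already
        # has an SA, the old one is replaced. Two laptops sharing one ID
        # therefore keep evicting each other, which is the flapping described
        # in the thread. Setting this to "no" only hides the shared-identity
        # problem; the fix is distinct IDs per client, as below.
        uniqueids=yes

conn %default
        authby=rsasig
        left=%defaultroute
        leftid=@gateway.example.com                  # placeholder
        leftrsasigkey=0sAQ_GATEWAY_PUBKEY_PLACEHOLDER
        right=%any                                   # road warrior, any IP/NAT
        auto=add

# What the thread describes (do not do this): one conn, both laptops
# presenting the same rightid and key, telling them apart only by source IP.
#conn roadwarriors
#        rightid=@laptop.example.com
#        rightrsasigkey=0sAQ_SHARED_PUBKEY_PLACEHOLDER

# One conn per laptop: pluto matches the peer's ID and key, so both can
# be up at the same time, even from behind the same NAT router.
conn laptop1
        rightid=@laptop1.example.com                 # placeholder
        rightrsasigkey=0sAQ_LAPTOP1_PUBKEY_PLACEHOLDER

conn laptop2
        rightid=@laptop2.example.com                 # placeholder
        rightrsasigkey=0sAQ_LAPTOP2_PUBKEY_PLACEHOLDER
```

Each laptop's own ipsec.conf then uses its own leftid= and private key, and `ipsec auto --status` on the gateway shows a separate SA per conn instead of one slot changing IP.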
