[Openswan Users] Setting a second tunnel stop the first one
Jofre Palau
jofrepalau at gmail.com
Fri Mar 14 15:07:09 EDT 2008
Hi,
I have the following configuration:
version 2.0
config setup
        klipsdebug=all
        plutodebug=none
        nat_traversal=no
        interfaces=%defaultroute
conn CONN1
        right=domain1.net
        rightsubnet=11.22.33.44/32
        rightnexthop=%defaultroute
        #left=%defaultroute
        left=192.168.0.21
        leftid=@domain3.net
        authby=rsasig
        ikelifetime=24h
        #Certificate Information
        rightcert="/etc/ipsec.d/certs/ap-it.crt.pem"
        leftcert="/etc/ipsec.d/certs/ap-de.crt.pem"
        auto=add
conn CONN2
        right=domain2.net
        rightsubnet=22.33.44.55/32
        rightnexthop=%defaultroute
        left=%defaultroute
        leftid=@domain3.net
        authby=rsasig
        ikelifetime=24h
        #Certificate Information
        rightcert="/etc/ipsec.d/certs/ap-it.crt.pem"
        leftcert="/etc/ipsec.d/certs/ap-de.crt.pem"
        auto=add
Both connections work fine on their own, but every time I start one with
ipsec auto --up CONN1
or ipsec auto --up CONN2
the first one stops working.
I'd like to be able to have both up and running in parallel:
Mar 14 19:52:11 ap-de pluto[21515]: "CONN1" #1: initiating Main Mode
Mar 14 19:52:11 ap-de pluto[21515]: "CONN1" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Mar 14 19:52:11 ap-de pluto[21515]: "CONN1" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: ignoring unknown Vendor ID payload [4683d866e51b99451c54656c646174]
Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: received Vendor ID payload [Cisco-Unity]
Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: received Vendor ID payload [XAUTH]
Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: received Vendor ID payload [Dead Peer Detection]
Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: I am sending my cert
Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: I am sending a certificate request
Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: Main mode peer ID is ID_DER_ASN1_DN: 'abc'
Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: no crl from issuer "xyz" found (strict=no)
Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: received and ignored informational message
Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #2: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x3576fc2d <0xdc5bda95 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
Mar 14 19:52:13 ap-de pluto[21515]: "CONN1" #1: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x886bb9ed) not found (maybe expired)
Mar 14 19:52:13 ap-de pluto[21515]: "CONN1" #1: received and ignored informational message
<here I start CONN2 >
Mar 14 19:52:52 ap-de pluto[21515]: "CONN2" #3: initiating Main Mode
Mar 14 19:52:52 ap-de pluto[21515]: "CONN2" #3: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Mar 14 19:52:52 ap-de pluto[21515]: "CONN2" #3: STATE_MAIN_I2: sent MI2, expecting MR2
Mar 14 19:52:52 ap-de pluto[21515]: "CONN2" #3: ignoring unknown Vendor ID payload [4d5debb3210ca0388954656c646174]
Mar 14 19:52:52 ap-de pluto[21515]: "CONN2" #3: received Vendor ID payload [Cisco-Unity]
Mar 14 19:52:52 ap-de pluto[21515]: "CONN2" #3: received Vendor ID payload [XAUTH]
Mar 14 19:52:52 ap-de pluto[21515]: "CONN2" #3: received Vendor ID payload [Dead Peer Detection]
Mar 14 19:52:52 ap-de pluto[21515]: "CONN2" #3: I am sending my cert
Mar 14 19:52:52 ap-de pluto[21515]: "CONN2" #3: I am sending a certificate request
Mar 14 19:52:52 ap-de pluto[21515]: "CONN2" #3: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Mar 14 19:52:52 ap-de pluto[21515]: "CONN2" #3: STATE_MAIN_I3: sent MI3, expecting MR3
Mar 14 19:52:53 ap-de pluto[21515]: "CONN2" #3: Main mode peer ID is ID_DER_ASN1_DN: 'abc'
Mar 14 19:52:53 ap-de pluto[21515]: "CONN2" #3: no crl from issuer "xyz" found (strict=no)
Mar 14 19:52:53 ap-de pluto[21515]: "CONN1" #2: deleting state (STATE_QUICK_I2)
Mar 14 19:52:53 ap-de pluto[21515]: "CONN1" #1: deleting state (STATE_MAIN_I4)
< here CONN1 stops working >
Mar 14 19:52:53 ap-de pluto[21515]: "CONN2" #3: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Mar 14 19:52:53 ap-de pluto[21515]: "CONN2" #3: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Mar 14 19:52:53 ap-de pluto[21515]: "CONN2" #4: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#3}
Mar 14 19:52:53 ap-de pluto[21515]: "CONN2" #3: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
Mar 14 19:52:53 ap-de pluto[21515]: "CONN2" #3: received and ignored informational message
Mar 14 19:52:53 ap-de pluto[21515]: "CONN2" #4: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
Mar 14 19:52:53 ap-de pluto[21515]: "CONN2" #4: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Mar 14 19:52:53 ap-de pluto[21515]: "CONN2" #4: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x9639e7fb <0x2d4a4701 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
Mar 14 19:52:55 ap-de pluto[21515]: "CONN2" #3: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xa720ec72) not found (maybe expired)
Mar 14 19:52:55 ap-de pluto[21515]: "CONN2" #3: received and ignored informational message
Do you have a hint on how to make both connections work in parallel?
Thank you very much
Jofre
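An added diagnostic, not part of the post above: it parses pluto log lines of the format quoted in the message, reports states of one connection that are deleted while another connection is still in Main Mode, and groups connections by the peer ID their remote end presented. The sample lines are an excerpt of the poster's own log with the wrapped lines rejoined; whether the two peers really present the same DN is unknown, since the poster redacted it as 'abc'.

```python
import re

# Constructed sample: lines excerpted from the pluto log quoted in the post,
# wrapped lines rejoined; 'abc' is the poster's own placeholder for the peer DN.
SAMPLE_LOG = """\
Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: Main mode peer ID is ID_DER_ASN1_DN: 'abc'
Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x3576fc2d <0xdc5bda95 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
Mar 14 19:52:53 ap-de pluto[21515]: "CONN2" #3: Main mode peer ID is ID_DER_ASN1_DN: 'abc'
Mar 14 19:52:53 ap-de pluto[21515]: "CONN1" #2: deleting state (STATE_QUICK_I2)
Mar 14 19:52:53 ap-de pluto[21515]: "CONN1" #1: deleting state (STATE_MAIN_I4)
Mar 14 19:52:53 ap-de pluto[21515]: "CONN2" #3: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
"""

# One pluto log line: connection name, state number, free-text message.
LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<num>\d+): (?P<msg>.*)')
PEER_RE = re.compile(r"Main mode peer ID is (?P<id>.*)$")

def parse(log):
    """Yield (conn, state_number, message) for every pluto line in the log."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("conn"), int(m.group("num")), m.group("msg")

def displaced_states(log):
    """Report states of one conn deleted while another conn is still in Main
    Mode (its peer ID is known, its ISAKMP SA is not yet established).
    Returns (victim_conn, victim_state, negotiating_conn, peer_id) tuples."""
    in_main_mode = {}   # conn -> peer ID announced during this negotiation
    hits = []
    for conn, num, msg in parse(log):
        peer = PEER_RE.search(msg)
        if peer:
            in_main_mode[conn] = peer.group("id")
        elif "ISAKMP SA established" in msg:
            in_main_mode.pop(conn, None)
        elif msg.startswith("deleting state"):
            hits += [(conn, num, other, pid) for other, pid in in_main_mode.items() if other != conn]
    return hits

def conns_by_peer_id(log):
    """Group connection names by the peer ID their remote end presented.
    With Openswan's default uniqueids=yes, a newly negotiated ISAKMP SA replaces
    an older one carrying the same ID, so shared IDs are the first thing to check."""
    groups = {}
    for conn, _num, msg in parse(log):
        peer = PEER_RE.search(msg)
        if peer:
            groups.setdefault(peer.group("id"), set()).add(conn)
    return {pid: sorted(c) for pid, c in groups.items() if len(c) > 1}

if __name__ == "__main__":
    for victim, num, other, pid in displaced_states(SAMPLE_LOG):
        print(f"{victim} #{num} deleted while {other} negotiated with peer {pid}")
    print("conns sharing a peer ID:", conns_by_peer_id(SAMPLE_LOG))
```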