[Openswan Users] Setting a second tunnel stop the first one

Peter McGill petermcgill at goco.net
Fri Mar 14 15:22:17 EDT 2008


It might be because you're using the same cert for both rights...
Each host should have its own cert.
 
Peter McGill
 



From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Jofre Palau
Sent: March 14, 2008 3:07 PM
To: users at openswan.org
Subject: [Openswan Users] Setting a second tunnel stop the first one


Hi,
I have the following configuration:

version 2.0    
config setup
        klipsdebug=all
        plutodebug=none
        nat_traversal=no
        interfaces=%defaultroute

conn CONN1
        right=domain1.net
        rightsubnet=11.22.33.44/32
        rightnexthop=%defaultroute
        #left=%defaultroute
        left=192.168.0.21
        leftid=@domain3.net
        authby=rsasig
        ikelifetime=24h
        #Certificate Information
        rightcert="/etc/ipsec.d/certs/ap-it.crt.pem"
        leftcert="/etc/ipsec.d/certs/ap-de.crt.pem"
        auto=add

conn CONN2
        right=domain2.net
        rightsubnet=22.33.44.55/32
        rightnexthop=%defaultroute
        left=%defaultroute
        leftid=@domain3.net
        authby=rsasig
        ikelifetime=24h
        #Certificate Information
        rightcert="/etc/ipsec.d/certs/ap-it.crt.pem"
        leftcert="/etc/ipsec.d/certs/ap-de.crt.pem"
        auto=add


Both connections work fine alone, but every time I start one
with ipsec auto --up CONN1
or  ipsec auto --up CONN2

the first one stops working.

I'd like to be able to have both up and running in parallel:


Mar 14 19:52:11 ap-de pluto[21515]: "CONN1" #1: initiating Main Mode
Mar 14 19:52:11 ap-de pluto[21515]: "CONN1" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Mar 14 19:52:11 ap-de pluto[21515]: "CONN1" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: ignoring unknown Vendor ID payload [4683d866e51b99451c54656c646174]
Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: received Vendor ID payload [Cisco-Unity]
Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: received Vendor ID payload [XAUTH]
Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: received Vendor ID payload [Dead Peer Detection]
Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: I am sending my cert
Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: I am sending a certificate request
Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: Main mode peer ID is ID_DER_ASN1_DN: 'abc'
Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: no crl from issuer "xyz" found (strict=no)
Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: received and ignored informational message
Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #2: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x3576fc2d <0xdc5bda95 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
Mar 14 19:52:13 ap-de pluto[21515]: "CONN1" #1: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x886bb9ed) not found (maybe expired)
Mar 14 19:52:13 ap-de pluto[21515]: "CONN1" #1: received and ignored informational message

<here I start CONN2 >

Mar 14 19:52:52 ap-de pluto[21515]: "CONN2" #3: initiating Main Mode
Mar 14 19:52:52 ap-de pluto[21515]: "CONN2" #3: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Mar 14 19:52:52 ap-de pluto[21515]: "CONN2" #3: STATE_MAIN_I2: sent MI2, expecting MR2
Mar 14 19:52:52 ap-de pluto[21515]: "CONN2" #3: ignoring unknown Vendor ID payload [4d5debb3210ca0388954656c646174]
Mar 14 19:52:52 ap-de pluto[21515]: "CONN2" #3: received Vendor ID payload [Cisco-Unity]
Mar 14 19:52:52 ap-de pluto[21515]: "CONN2" #3: received Vendor ID payload [XAUTH]
Mar 14 19:52:52 ap-de pluto[21515]: "CONN2" #3: received Vendor ID payload [Dead Peer Detection]
Mar 14 19:52:52 ap-de pluto[21515]: "CONN2" #3: I am sending my cert
Mar 14 19:52:52 ap-de pluto[21515]: "CONN2" #3: I am sending a certificate request
Mar 14 19:52:52 ap-de pluto[21515]: "CONN2" #3: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Mar 14 19:52:52 ap-de pluto[21515]: "CONN2" #3: STATE_MAIN_I3: sent MI3, expecting MR3
Mar 14 19:52:53 ap-de pluto[21515]: "CONN2" #3: Main mode peer ID is ID_DER_ASN1_DN: 'abc'
Mar 14 19:52:53 ap-de pluto[21515]: "CONN2" #3: no crl from issuer "xyz" found (strict=no)

Mar 14 19:52:53 ap-de pluto[21515]: "CONN1" #2: deleting state (STATE_QUICK_I2)
Mar 14 19:52:53 ap-de pluto[21515]: "CONN1" #1: deleting state (STATE_MAIN_I4)

< here CONN1 stops working >

Mar 14 19:52:53 ap-de pluto[21515]: "CONN2" #3: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Mar 14 19:52:53 ap-de pluto[21515]: "CONN2" #3: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Mar 14 19:52:53 ap-de pluto[21515]: "CONN2" #4: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#3}
Mar 14 19:52:53 ap-de pluto[21515]: "CONN2" #3: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
Mar 14 19:52:53 ap-de pluto[21515]: "CONN2" #3: received and ignored informational message
Mar 14 19:52:53 ap-de pluto[21515]: "CONN2" #4: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
Mar 14 19:52:53 ap-de pluto[21515]: "CONN2" #4: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Mar 14 19:52:53 ap-de pluto[21515]: "CONN2" #4: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x9639e7fb <0x2d4a4701 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
Mar 14 19:52:55 ap-de pluto[21515]: "CONN2" #3: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xa720ec72) not found (maybe expired)
Mar 14 19:52:55 ap-de pluto[21515]: "CONN2" #3: received and ignored informational message


Do you have a hint on how to make both connections work in parallel?
Thank you very much
Jofre
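The reply above points at the one thing both conns have in common: `rightcert` is the same file for two different peers, and the log shows the same Main mmode peer ID `'abc'` for CONN1 and CONN2, which is what you would expect when both peers are identified by the same certificate. The following script is an added example (not Openswan's code, not posted by either participant) that parses the small subset of ipsec.conf syntax used in the posted configuration and flags any certificate that is configured as `rightcert` for conns whose `right` peers differ. The sample configuration embedded in it is the one from the post; the parser only handles `config setup`, `conn NAME`, indented `key=value` lines and `#` comments, which is an assumption that covers this file and not the full ipsec.conf grammar.

```python
"""Flag ipsec.conf conns that identify different peers with one certificate.

Added example for this thread; not Openswan's own code. It handles the
subset of ipsec.conf syntax seen in the posted configuration (section
headers 'config setup' / 'conn NAME', indented key=value lines, '#'
comments) and reports any rightcert path that is shared between conns
whose 'right' peers are different hosts.
"""
import re
from collections import defaultdict

# Constructed sample: the configuration from the original post, verbatim
# apart from the stripped comment lines.
SAMPLE_CONF = """\
version 2.0
config setup
        klipsdebug=all
        plutodebug=none
        nat_traversal=no
        interfaces=%defaultroute

conn CONN1
        right=domain1.net
        rightsubnet=11.22.33.44/32
        rightnexthop=%defaultroute
        #left=%defaultroute
        left=192.168.0.21
        leftid=@domain3.net
        authby=rsasig
        ikelifetime=24h
        rightcert="/etc/ipsec.d/certs/ap-it.crt.pem"
        leftcert="/etc/ipsec.d/certs/ap-de.crt.pem"
        auto=add

conn CONN2
        right=domain2.net
        rightsubnet=22.33.44.55/32
        rightnexthop=%defaultroute
        left=%defaultroute
        leftid=@domain3.net
        authby=rsasig
        ikelifetime=24h
        rightcert="/etc/ipsec.d/certs/ap-it.crt.pem"
        leftcert="/etc/ipsec.d/certs/ap-de.crt.pem"
        auto=add
"""

# An unindented 'config setup' or 'conn NAME' line starts a new section.
SECTION_RE = re.compile(r"^(config|conn)\s+(\S+)\s*$")


def parse_ipsec_conf(text):
    """Return {section_name: {key: value}}; conns are keyed by their name,
    the setup section by 'config setup'. Quotes around values are dropped."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments, trailing space
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m:
            kind, name = m.groups()
            current = name if kind == "conn" else "config " + name
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue  # e.g. the 'version 2.0' line
        key, _, value = line.strip().partition("=")
        sections[current][key.strip()] = value.strip().strip('"')
    return sections


def shared_peer_certs(sections):
    """Map rightcert path -> [(conn, right), ...] for every path that is
    used by conns pointing at more than one distinct right peer."""
    by_cert = defaultdict(list)
    for name, kv in sections.items():
        if name.startswith("config ") or "rightcert" not in kv:
            continue
        by_cert[kv["rightcert"]].append((name, kv.get("right", "")))
    return {
        cert: users
        for cert, users in by_cert.items()
        if len({right for _, right in users}) > 1
    }


def report(text):
    """Human-readable findings, one line per shared certificate."""
    lines = []
    for cert, users in sorted(shared_peer_certs(parse_ipsec_conf(text)).items()):
        who = ", ".join(f"{conn} (right={right})" for conn, right in users)
        lines.append(f"{cert} is the rightcert of different peers: {who}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_CONF) or ["no certificate shared between peers"]:
        print(line)
```

Run against the posted configuration it reports the single shared file `/etc/ipsec.d/certs/ap-it.crt.pem` for CONN1 (domain1.net) and CONN2 (domain2.net); once each remote host has its own certificate in its own `rightcert`, the report is empty. The check is deliberately file-path based so it runs without the certificates present; comparing the subject DNs of the actual files would catch the same problem when two different paths hold the same certificate.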



