[Openswan Users] Setting a second tunnel stop the first one

Jofre Palau jofrepalau at gmail.com
Fri Mar 14 15:37:08 EDT 2008


I think you are right.
I just successfully tested a third connection that uses another
certificate, and it works fine in parallel with one of the previous ones.
Thanks for your fast answer.
Jofre


On Fri, Mar 14, 2008 at 8:22 PM, Peter McGill <petermcgill at goco.net> wrote:

> It might be because you're using the same cert for both rights...
> Each host should have its own cert.
>
> Peter McGill
>
>
>  ------------------------------
> *From:* users-bounces at openswan.org [mailto:users-bounces at openswan.org] *On
> Behalf Of *Jofre Palau
> *Sent:* March 14, 2008 3:07 PM
> *To:* users at openswan.org
> *Subject:* [Openswan Users] Setting a second tunnel stop the first one
>
> Hi,
> I have the following configuration:
>
> version 2.0
> config setup
>         klipsdebug=all
>         plutodebug=none
>         nat_traversal=no
>         interfaces=%defaultroute
>
> conn CONN1
>         right=domain1.net
>         rightsubnet=11.22.33.44/32
>         rightnexthop=%defaultroute
>         #left=%defaultroute
>         left=192.168.0.21
>         leftid=@domain3.net
>         authby=rsasig
>         ikelifetime=24h
>         #Certificate Information
>         rightcert="/etc/ipsec.d/certs/ap-it.crt.pem"
>         leftcert="/etc/ipsec.d/certs/ap-de.crt.pem"
>         auto=add
>
> conn CONN2
>         right=domain2.net
>         rightsubnet=22.33.44.55/32
>         rightnexthop=%defaultroute
>         left=%defaultroute
>         leftid=@domain3.net
>         authby=rsasig
>         ikelifetime=24h
>         #Certificate Information
>         rightcert="/etc/ipsec.d/certs/ap-it.crt.pem"
>         leftcert="/etc/ipsec.d/certs/ap-de.crt.pem"
>         auto=add
>
>
> both connections work fine, if alone, but every time I start one
> with ipsec auto --up CONN1
> or  ipsec auto --up CONN2
>
> the first one stops working
>
> I'd like to be able to have both up and running in parallel:
>
>
> Mar 14 19:52:11 ap-de pluto[21515]: "CONN1" #1: initiating Main Mode
> Mar 14 19:52:11 ap-de pluto[21515]: "CONN1" #1: transition from state
> STATE_MAIN_I1 to state STATE_MAIN_I2
> Mar 14 19:52:11 ap-de pluto[21515]: "CONN1" #1: STATE_MAIN_I2: sent MI2,
> expecting MR2
> Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: ignoring unknown Vendor ID
> payload [4683d866e51b99451c54656c646174]
> Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: received Vendor ID payload
> [Cisco-Unity]
> Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: received Vendor ID payload
> [XAUTH]
> Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: received Vendor ID payload
> [Dead Peer Detection]
> Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: I am sending my cert
> Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: I am sending a certificate
> request
> Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: transition from state
> STATE_MAIN_I2 to state STATE_MAIN_I3
> Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: STATE_MAIN_I3: sent MI3,
> expecting MR3
> Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: Main mode peer ID is
> ID_DER_ASN1_DN: 'abc'
> Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: no crl from issuer "xyz"
> found (strict=no)
> Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: transition from state
> STATE_MAIN_I3 to state STATE_MAIN_I4
> Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: STATE_MAIN_I4: ISAKMP SA
> established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5
> group=modp1024}
> Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #2: initiating Quick Mode
> RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
> Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: ignoring informational
> payload, type IPSEC_RESPONDER_LIFETIME
> Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #1: received and ignored
> informational message
> Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #2: ignoring informational
> payload, type IPSEC_RESPONDER_LIFETIME
> Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #2: transition from state
> STATE_QUICK_I1 to state STATE_QUICK_I2
> Mar 14 19:52:12 ap-de pluto[21515]: "CONN1" #2: STATE_QUICK_I2: sent QI2,
> IPsec SA established {ESP=>0x3576fc2d <0xdc5bda95 xfrm=3DES_0-HMAC_MD5
> NATD=none DPD=none}
> Mar 14 19:52:13 ap-de pluto[21515]: "CONN1" #1: ignoring Delete SA
> payload: PROTO_IPSEC_ESP SA(0x886bb9ed) not found (maybe expired)
> Mar 14 19:52:13 ap-de pluto[21515]: "CONN1" #1: received and ignored
> informational message
>
> <here I start CONN2 >
>
> Mar 14 19:52:52 ap-de pluto[21515]: "CONN2" #3: initiating Main Mode
> Mar 14 19:52:52 ap-de pluto[21515]: "CONN2" #3: transition from state
> STATE_MAIN_I1 to state STATE_MAIN_I2
> Mar 14 19:52:52 ap-de pluto[21515]: "CONN2" #3: STATE_MAIN_I2: sent MI2,
> expecting MR2
> Mar 14 19:52:52 ap-de pluto[21515]: "CONN2" #3: ignoring unknown Vendor ID
> payload [4d5debb3210ca0388954656c646174]
> Mar 14 19:52:52 ap-de pluto[21515]: "CONN2" #3: received Vendor ID payload
> [Cisco-Unity]
> Mar 14 19:52:52 ap-de pluto[21515]: "CONN2" #3: received Vendor ID payload
> [XAUTH]
> Mar 14 19:52:52 ap-de pluto[21515]: "CONN2" #3: received Vendor ID payload
> [Dead Peer Detection]
> Mar 14 19:52:52 ap-de pluto[21515]: "CONN2" #3: I am sending my cert
> Mar 14 19:52:52 ap-de pluto[21515]: "CONN2" #3: I am sending a certificate
> request
> Mar 14 19:52:52 ap-de pluto[21515]: "CONN2" #3: transition from state
> STATE_MAIN_I2 to state STATE_MAIN_I3
> Mar 14 19:52:52 ap-de pluto[21515]: "CONN2" #3: STATE_MAIN_I3: sent MI3,
> expecting MR3
> Mar 14 19:52:53 ap-de pluto[21515]: "CONN2" #3: Main mode peer ID is
> ID_DER_ASN1_DN: 'abc'
> Mar 14 19:52:53 ap-de pluto[21515]: "CONN2" #3: no crl from issuer "xyz"
> found (strict=no)
>
> Mar 14 19:52:53 ap-de pluto[21515]: "CONN1" #2: deleting state
> (STATE_QUICK_I2)
> Mar 14 19:52:53 ap-de pluto[21515]: "CONN1" #1: deleting state
> (STATE_MAIN_I4)
>
> < here CONN1 stops working >
>
> Mar 14 19:52:53 ap-de pluto[21515]: "CONN2" #3: transition from state
> STATE_MAIN_I3 to state STATE_MAIN_I4
> Mar 14 19:52:53 ap-de pluto[21515]: "CONN2" #3: STATE_MAIN_I4: ISAKMP SA
> established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5
> group=modp1024}
> Mar 14 19:52:53 ap-de pluto[21515]: "CONN2" #4: initiating Quick Mode
> RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#3}
> Mar 14 19:52:53 ap-de pluto[21515]: "CONN2" #3: ignoring informational
> payload, type IPSEC_RESPONDER_LIFETIME
> Mar 14 19:52:53 ap-de pluto[21515]: "CONN2" #3: received and ignored
> informational message
> Mar 14 19:52:53 ap-de pluto[21515]: "CONN2" #4: ignoring informational
> payload, type IPSEC_RESPONDER_LIFETIME
> Mar 14 19:52:53 ap-de pluto[21515]: "CONN2" #4: transition from state
> STATE_QUICK_I1 to state STATE_QUICK_I2
> Mar 14 19:52:53 ap-de pluto[21515]: "CONN2" #4: STATE_QUICK_I2: sent QI2,
> IPsec SA established {ESP=>0x9639e7fb <0x2d4a4701 xfrm=3DES_0-HMAC_MD5
> NATD=none DPD=none}
> Mar 14 19:52:55 ap-de pluto[21515]: "CONN2" #3: ignoring Delete SA
> payload: PROTO_IPSEC_ESP SA(0xa720ec72) not found (maybe expired)
> Mar 14 19:52:55 ap-de pluto[21515]: "CONN2" #3: received and ignored
> informational message
>
>
> Do you have a hint on how to make both connections work in parallel?
> Thank you very much
> Jofre
>
>
>
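Added example, not code from the thread, from Openswan or from either poster: a small Python checker for the mistake Peter points at. The posted ipsec.conf has two conn sections aimed at different peers (right=domain1.net and right=domain2.net) but the same rightcert, and the posted pluto log shows both CONN1 and CONN2 reporting "Main mode peer ID is ID_DER_ASN1_DN: 'abc'", i.e. both peers are being identified by the same certificate DN. The first function lints the config for that pattern and the second finds the same collision in pluto log lines. It assumes only the ipsec.conf subset shown in the thread ('conn NAME' headers with indented key=value lines); the corrected variant uses the hypothetical placeholder path /etc/ipsec.d/certs/ap-it2.crt.pem for the second peer's own certificate, and the log lines are the thread's, re-joined onto single lines.

```python
"""Two checks for the failure mode discussed in the thread: 'conn' sections
that point at different peers but share one rightcert, so both peers show up
with the same IKE identity and pluto replaces the first tunnel's state."""
import re
from collections import defaultdict

# ipsec.conf as posted in the thread, trimmed to what the checks look at.
CONF_FROM_THREAD = """\
version 2.0
config setup
        interfaces=%defaultroute

conn CONN1
        right=domain1.net
        rightsubnet=11.22.33.44/32
        #left=%defaultroute
        left=192.168.0.21
        leftid=@domain3.net
        authby=rsasig
        rightcert="/etc/ipsec.d/certs/ap-it.crt.pem"
        leftcert="/etc/ipsec.d/certs/ap-de.crt.pem"
        auto=add

conn CONN2
        right=domain2.net
        rightsubnet=22.33.44.55/32
        left=%defaultroute
        leftid=@domain3.net
        authby=rsasig
        rightcert="/etc/ipsec.d/certs/ap-it.crt.pem"
        leftcert="/etc/ipsec.d/certs/ap-de.crt.pem"
        auto=add
"""

# Corrected variant: CONN2's peer gets a certificate of its own. The path
# ap-it2.crt.pem is a hypothetical placeholder, not a file from the thread.
SHARED_CERT = 'rightcert="/etc/ipsec.d/certs/ap-it.crt.pem"'
_head, _tail = CONF_FROM_THREAD.rsplit(SHARED_CERT, 1)
CONF_FIXED = _head + 'rightcert="/etc/ipsec.d/certs/ap-it2.crt.pem"' + _tail

# pluto log lines from the thread, re-joined onto single lines (constructed).
PLUTO_LOG = [
    "Mar 14 19:52:12 ap-de pluto[21515]: \"CONN1\" #1: Main mode peer ID is ID_DER_ASN1_DN: 'abc'",
    "Mar 14 19:52:53 ap-de pluto[21515]: \"CONN2\" #3: Main mode peer ID is ID_DER_ASN1_DN: 'abc'",
    "Mar 14 19:52:53 ap-de pluto[21515]: \"CONN1\" #2: deleting state (STATE_QUICK_I2)",
    "Mar 14 19:52:53 ap-de pluto[21515]: \"CONN1\" #1: deleting state (STATE_MAIN_I4)",
]


def parse_ipsec_conf(text):
    """Parse the ipsec.conf subset used here ('conn NAME' headers followed by
    indented key=value lines) into {conn: {key: value}}. '#' comments and the
    non-conn sections (version, config setup) are skipped; quotes are stripped."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():              # unindented line: section header
            parts = line.split()
            current = parts[1] if parts[0] == "conn" and len(parts) > 1 else None
            if current is not None:
                conns[current] = {}
            continue
        if current is None:                    # inside 'config setup' etc.
            continue
        key, sep, value = line.strip().partition("=")
        if sep:
            conns[current][key.strip()] = value.strip().strip('"')
    return conns


def shared_peer_certs(conns):
    """Return {rightcert: [conn, ...]} for each rightcert used by connections
    to more than one distinct 'right' peer. Several conns to the same peer
    (e.g. different rightsubnets) legitimately share a cert; not reported."""
    by_cert = defaultdict(dict)                # cert -> {conn: right}
    for name, kv in conns.items():
        if "rightcert" in kv:
            by_cert[kv["rightcert"]][name] = kv.get("right")
    return {cert: sorted(m) for cert, m in by_cert.items()
            if len(set(m.values())) > 1}


PEER_ID_RE = re.compile(r'"(?P<conn>[^"]+)" #\d+: Main mode peer ID is (?P<id>.+)$')


def peer_id_collisions(log_lines):
    """Return {peer_id: [conn, ...]} for every IKE peer identity that the
    pluto log shows being presented on more than one connection."""
    seen = defaultdict(set)
    for line in log_lines:
        m = PEER_ID_RE.search(line)
        if m:
            seen[m.group("id").strip()].add(m.group("conn"))
    return {pid: sorted(c) for pid, c in seen.items() if len(c) > 1}


if __name__ == "__main__":
    print("shared certs (as posted):", shared_peer_certs(parse_ipsec_conf(CONF_FROM_THREAD)))
    print("shared certs (fixed):    ", shared_peer_certs(parse_ipsec_conf(CONF_FIXED)))
    print("peer ID collisions:      ", peer_id_collisions(PLUTO_LOG))
```

On the posted config the first check reports the shared ap-it.crt.pem for CONN1 and CONN2, on the corrected variant it reports nothing, and the log check reports the 'abc' DN seen on both connections. The config check deliberately keys on distinct `right` values, so two conns to the same gateway with different subnets (which should share that gateway's cert) are not flagged.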