[Openswan Users] Multiple roadwarrior connections crossed

List Receiver listreceiver at mastermindpro.com
Fri Oct 3 11:04:10 EDT 2008


I've got a new OpenSwan VPN setup for ~8 roadwarriors using the ShrewSoft client for Windows.  The majority of the setup works great, but I have a problem on the OpenSwan side.

When multiple users are connected for long periods of time, their tunnels somehow get "crossed".  By this I mean that OpenSwan gets confused about which public IP is associated with which SA.  As a test, I left my test machine associated all night last night, while others were actively connected.  This morning, when I went to send data across the tunnel, I was sending packets but not receiving anything.  I ran an "ipsec whack --status" on the server and found this:

000 #843: "roadwarrior"[16] 71.231.7.69:4500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 1312s; newest IPSEC; eroute owner; isakmp#833; idle; import:not set
000 #843: "roadwarrior"[16] 71.231.7.69 esp.55382ab3 at 71.231.7.69 esp.33677a34 at 64.81.3.34 tun.0 at 71.231.7.69 tun.0 at 64.81.3.34 ref=0 refhim=4294901761
000 #845: "roadwarrior"[16] 71.231.7.69:4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 640s; newest ISAKMP; nodpd; idle; import:not set
000 #831: "roadwarrior"[30] 71.231.7.69:4500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 469s; newest IPSEC; eroute owner; isakmp#830; idle; import:not set
000 #831: "roadwarrior"[30] 71.231.7.69 esp.700d451c at 71.231.7.69 esp.fc5c3e54 at 64.81.3.34 tun.0 at 71.231.7.69 tun.0 at 64.81.3.34 ref=0 refhim=4294901761
000 #844: "roadwarrior"[30] 71.231.7.69:4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 379s; newest ISAKMP; nodpd; idle; import:not set

I'm 16 and my associate is 30.  Why would OpenSwan be confused by which public IP I'm behind?  I have my Shrew clients set to send a keepalive every 30 seconds, so the SA is not going down.  It just seems that OpenSwan tries to send packets down the wrong SA after a while.  Here's my connection definition:

conn roadwarrior
        authby=rsasig
        auto=add
        compress=yes
        left=1.2.3.4
        leftcert=server2Cert.pem
        leftrsasigkey=%cert
        leftsubnet=192.168.0.0/24
        pfs=no
        right=%any
        rightrsasigkey=%cert
        rightsubnet=vhost:%priv,%no

If anyone needs more info, just let me know.  Other than this occasionally happening, I don't have any problem with this setup.
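As an added example (not part of the original post), the following Python script parses the "ipsec whack --status" lines quoted above and flags any connection where more than one instance holds an established IPsec SA toward the same peer address, which is the crossed condition the post describes. The six status lines are taken from the post; the 198.51.100.7 line is a constructed extra peer that shows the healthy, single-instance case.

```python
import re
from collections import defaultdict

# Status lines as printed by "ipsec whack --status": the six lines quoted in
# the post, plus one constructed line (198.51.100.7) for a healthy second peer.
STATUS_OUTPUT = """\
000 #843: "roadwarrior"[16] 71.231.7.69:4500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 1312s; newest IPSEC; eroute owner; isakmp#833; idle; import:not set
000 #843: "roadwarrior"[16] 71.231.7.69 esp.55382ab3 at 71.231.7.69 esp.33677a34 at 64.81.3.34 tun.0 at 71.231.7.69 tun.0 at 64.81.3.34 ref=0 refhim=4294901761
000 #845: "roadwarrior"[16] 71.231.7.69:4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 640s; newest ISAKMP; nodpd; idle; import:not set
000 #831: "roadwarrior"[30] 71.231.7.69:4500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 469s; newest IPSEC; eroute owner; isakmp#830; idle; import:not set
000 #831: "roadwarrior"[30] 71.231.7.69 esp.700d451c at 71.231.7.69 esp.fc5c3e54 at 64.81.3.34 tun.0 at 71.231.7.69 tun.0 at 64.81.3.34 ref=0 refhim=4294901761
000 #844: "roadwarrior"[30] 71.231.7.69:4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 379s; newest ISAKMP; nodpd; idle; import:not set
000 #850: "roadwarrior"[31] 198.51.100.7:4500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 900s; newest IPSEC; eroute owner; isakmp#849; idle; import:not set
"""

# One state line: 000 #<sa>: "<conn>"[<instance>] <peer>[:<port>] STATE_...
# The esp.*/tun.* detail lines carry no STATE_ token and are skipped.
STATE_RE = re.compile(
    r'^000 #(?P<sa>\d+): "(?P<conn>[^"]+)"\[(?P<inst>\d+)\] '
    r'(?P<peer>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<port>\d+))? (?P<state>STATE_\w+)'
)


def parse_status(text):
    """Return one dict per state line with sa, conn, inst, peer, port, state."""
    entries = []
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            d = m.groupdict()
            d["sa"] = int(d["sa"])
            d["inst"] = int(d["inst"])
            d["port"] = int(d["port"]) if d["port"] else None
            entries.append(d)
    return entries


def find_shared_peers(entries, phase2_state="STATE_QUICK_R2"):
    """Map (conn, peer ip) -> sorted instance numbers that each own an
    established IPsec SA toward the same peer address. More than one
    instance per peer is the "crossed" condition described in the post."""
    owners = defaultdict(set)
    for e in entries:
        if e["state"] == phase2_state:
            owners[(e["conn"], e["peer"])].add(e["inst"])
    return {k: sorted(v) for k, v in owners.items() if len(v) > 1}


if __name__ == "__main__":
    for (conn, peer), insts in find_shared_peers(parse_status(STATUS_OUTPUT)).items():
        print(f"{conn}: instances {insts} all own an IPsec SA toward {peer}")
```

On the quoted output this reports instances 16 and 30 both owning an SA toward 71.231.7.69, while the constructed 198.51.100.7 peer is not flagged.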