[Openswan Users] Multiple roadwarrior connections crossed
paul at xelerance.com
Fri Oct 3 11:39:47 EDT 2008
On Fri, 3 Oct 2008, List Receiver wrote:
> I've got a new OpenSwan VPN setup for ~8 roadwarriors using the ShrewSoft client for Windows. The majority of the setup works great, but I have a problem on the OpenSwan side.
If this is using NETKEY, please try 2.6.18rc1. It fixes a problem in rekeying and a
problem in picking the right conn, either of which could be the bug you're looking
If using KLIPS, you'll have to wait until 2.6.18 final is released, we're still
hunting a bug in that one preventing us from releasing it.
> When multiple users are connected for long periods of time, their tunnels somehow get "crossed". By this I mean that OpenSwan gets confused about which public IP is associated with which SA. As a test, I left my test machine associated all night last night, while others were actively connected. This morning, when I went to send data across the tunnel, I was sending packets but not receiving anything. I ran an "ipsec whack --status" on the server and found this:
> 000 #843: "roadwarrior" 188.8.131.52:4500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 1312s; newest IPSEC; eroute owner; isakmp#833; idle; import:not set
> 000 #843: "roadwarrior" 184.108.40.206 esp.55382ab3 at 220.127.116.11 esp.33677a34 at 18.104.22.168 tun.0 at 22.214.171.124 tun.0 at 126.96.36.199 ref=0 refhim=4294901761
> 000 #845: "roadwarrior" 188.8.131.52:4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 640s; newest ISAKMP; nodpd; idle; import:not set
> 000 #831: "roadwarrior" 184.108.40.206:4500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 469s; newest IPSEC; eroute owner; isakmp#830; idle; import:not set
> 000 #831: "roadwarrior" 220.127.116.11 esp.700d451c at 18.104.22.168 esp.fc5c3e54 at 22.214.171.124 tun.0 at 126.96.36.199 tun.0 at 188.8.131.52 ref=0 refhim=4294901761
> 000 #844: "roadwarrior" 184.108.40.206:4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 379s; newest ISAKMP; nodpd; idle; import:not set
> I'm 16 and my associate is 30. Why would OpenSwan be confused by which public IP I'm behind? I have my Shrew clients set to send a keepalive every 30 seconds, so the SA is not going down. It just seems that OpenSwan tries to send packets down the wrong SA after a while. Here's my connection definition:
> conn roadwarrior
> If anyone needs more info, just let me know. Other than this occasionally happening, I don't have any problem with this setup.
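As an added example (not from this thread or from Openswan itself), here is a small Python checker that parses `ipsec whack --status` output like the listing above and flags an IPsec SA whose eroute endpoints, or whose parent ISAKMP SA, belong to a different peer than its own state line names. The sample lines and addresses are constructed; the parser expects the real `@` form that whack prints, not the `at` substitution the list archive shows.

```python
import re
from collections import defaultdict
# Constructed sample shaped like `ipsec whack --status` output (the archive prints
# "at" for "@"); documentation addresses only. #50 is consistent; #61's eroute line
# carries 192.0.2.10's endpoints although its state line says peer 198.51.100.9.
SAMPLE = """\
000 #50: "roadwarrior" 192.0.2.10:4500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 1312s; newest IPSEC; eroute owner; isakmp#49; idle; import:not set
000 #50: "roadwarrior" 192.0.2.10 esp.55382ab3@192.0.2.10 esp.33677a34@203.0.113.1 tun.0@192.0.2.10 tun.0@203.0.113.1 ref=0 refhim=4294901761
000 #49: "roadwarrior" 192.0.2.10:4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 640s; newest ISAKMP; nodpd; idle; import:not set
000 #61: "roadwarrior" 198.51.100.9:4500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 469s; newest IPSEC; eroute owner; isakmp#60; idle; import:not set
000 #61: "roadwarrior" 198.51.100.9 esp.700d451c@192.0.2.10 esp.fc5c3e54@203.0.113.1 tun.0@192.0.2.10 tun.0@203.0.113.1 ref=0 refhim=4294901761
000 #60: "roadwarrior" 198.51.100.9:4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 379s; newest ISAKMP; nodpd; idle; import:not set
"""

STATE_RE = re.compile(r'^000 #(\d+): "([^"]+)" (\S+?)(?::\d+)? (STATE_\S+)')
EROUTE_RE = re.compile(r'^000 #(\d+): "[^"]+" (\S+) (esp\.\S+@\S+ .*)$')
ENDPOINT_RE = re.compile(r'(?:esp\.[0-9a-f]+|tun\.\d+)@(\S+)')
ISAKMP_RE = re.compile(r'isakmp#(\d+)')

def parse_status(text):
    """Merge each SA's state line and eroute line into {state_no: fields}."""
    sas = defaultdict(dict)
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            no, conn, peer, state = m.groups()
            ref = ISAKMP_RE.search(line)
            sas[int(no)].update(conn=conn, peer=peer, state=state,
                                isakmp=int(ref.group(1)) if ref else None)
            continue
        m = EROUTE_RE.match(line)
        if m:
            no, host, rest = m.groups()
            ends = ENDPOINT_RE.findall(rest)   # order: @peer, @self, @peer, @self
            sas[int(no)].update(eroute_host=host, remote_ends=set(ends[0::2]))
    return dict(sas)

def find_crossed(sas):
    """Return [(state_no, reason)] for IPsec SAs whose endpoints disagree."""
    problems = []
    for no, sa in sorted(sas.items()):
        if not sa.get("state", "").startswith("STATE_QUICK"):
            continue                      # only phase-2 (IPsec) SAs own eroutes
        peer, ends = sa["peer"], sa.get("remote_ends", {sa["peer"]})
        if ends != {peer}:
            problems.append((no, f"eroute to {sorted(ends)} but state line says {peer}"))
        parent = sas.get(sa["isakmp"])    # parent may be gone after an ISAKMP rekey
        if parent and parent.get("peer") != peer:
            problems.append((no, f"isakmp#{sa['isakmp']} belongs to {parent['peer']}"))
    return problems
```

Feed it the live output of `ipsec whack --status` to get a list of suspect SA numbers, which can then be compared against the client addresses you expect.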