[Openswan Users] Multiple roadwarrior connections crossed

Fri Oct 3 11:39:47 EDT 2008

On Fri, 3 Oct 2008, List Receiver wrote:

> I've got a new OpenSwan VPN setup for ~8 roadwarriors using the ShrewSoft client for Windows.  The majority of the setup works great, but I have a problem on the OpenSwan side.

If this is using NETKEY, please try 2.6.18rc1. It fixes a problem in rekeying and a
problem in picking the right conn, either of which could be the bug you're looking
at.

If using KLIPS, you'll have to wait until 2.6.18 final is released, we're still
hunting a bug in that one preventing us from releasing it.

Paul

> When multiple users are connected for long periods of time, their tunnels somehow get "crossed".  By this I mean that OpenSwan gets confused about which public IP is associated with which SA.  As a test, I left my test machine associated all night last night, while others were actively connected.  This morning, when I went to send data across the tunnel, I was sending packets but not receiving anything.  I ran an "ipsec whack --status" on the server and found this:
>
> 000 #843: "roadwarrior"[16] 71.231.7.69:4500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 1312s; newest IPSEC; eroute owner; isakmp#833; idle; import:not set
> 000 #843: "roadwarrior"[16] 71.231.7.69 esp.55382ab3 at 71.231.7.69 esp.33677a34 at 64.81.3.34 tun.0 at 71.231.7.69 tun.0 at 64.81.3.34 ref=0 refhim=4294901761
> 000 #845: "roadwarrior"[16] 71.231.7.69:4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 640s; newest ISAKMP; nodpd; idle; import:not set
> 000 #831: "roadwarrior"[30] 71.231.7.69:4500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 469s; newest IPSEC; eroute owner; isakmp#830; idle; import:not set
> 000 #831: "roadwarrior"[30] 71.231.7.69 esp.700d451c at 71.231.7.69 esp.fc5c3e54 at 64.81.3.34 tun.0 at 71.231.7.69 tun.0 at 64.81.3.34 ref=0 refhim=4294901761
> 000 #844: "roadwarrior"[30] 71.231.7.69:4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 379s; newest ISAKMP; nodpd; idle; import:not set
>
> I'm 16 and my associate is 30.  Why would OpenSwan be confused by which public IP I'm behind?  I have my Shrew clients set to send a keepalive every 30 seconds, so the SA is not going down.  It just seems that OpenSwan tries to send packets down the wrong SA after a while.  Here's my connection definition:
>
> conn roadwarrior
>        authby=rsasig
>        auto=add
>        compress=yes
>        left=1.2.3.4
>        leftcert=server2Cert.pem
>        leftrsasigkey=%cert
>        leftsubnet=192.168.0.0/24
>        pfs=no
>        right=%any
>        rightrsasigkey=%cert
>        rightsubnet=vhost:%priv,%no
>
> If anyone needs more info, just let me know.  Other than this occasionally happening, I don't have any problem with this setup.
>
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>