[Openswan Users] Re: Problem with two tunnels to the same destination and dpd

Uwe Knop Uwe.Knop at IT.Brandenburg.de
Thu Feb 26 13:19:40 EST 2009


The behavior of the two tunnels is unfortunately normal.

You must change the right= IP address.

conn haitecairit
       type=tunnel
       auth=esp
       authby=secret
       ike=aes128
       esp=aes128
       pfs=yes
       left=x.y.237.28
       leftsubnet=172.17.10.0/24
       right=x.y.237.250
       rightsubnet=172.19.0.0/16
       auto=start
       dpddelay=30
       dpdtimeout=120
       dpdaction=restart

conn haitecairit2
       type=tunnel
       auth=esp
       authby=secret
       ike=aes128
       esp=aes128
       pfs=yes
       left=x.y.237.28
       leftsubnet=172.17.10.0/24
       right=x.y.237.251
       rightsubnet=172.18.1.0/24
       auto=start
       dpddelay=30
       dpdtimeout=120
       dpdaction=restart


bye
Uwe

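As an added example (not code from the thread or from Openswan), a small Python checker that parses ipsec.conf conn sections and flags conns that reuse the same left/right peer pair with DPD enabled, which is the situation above: both conns point at x.y.237.250, share one ISAKMP SA, and so only one of them shows lastdpd and gets restarted. The sample configuration is constructed from the thread; the parser handles only the key=value subset of ipsec.conf syntax.

```python
import re
from collections import defaultdict

# Constructed sample: the two conns from the thread, both with right=x.y.237.250
SAMPLE_CONF = """
conn haitecairit
       left=x.y.237.28
       leftsubnet=172.17.10.0/24
       right=x.y.237.250
       rightsubnet=172.19.0.0/16
       dpddelay=30
       dpdaction=restart

conn haitecairit2
       left=x.y.237.28
       leftsubnet=172.17.10.0/24
       right=x.y.237.250
       rightsubnet=172.18.1.0/24
       dpddelay=30
       dpdaction=restart
"""

def parse_conns(text):
    """Parse ipsec.conf 'conn' sections into {name: {key: value}}.
    Assumes the common layout: 'conn NAME' at column 0, indented key=value lines."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        m = re.match(r"^conn\s+(\S+)\s*$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif current is not None and line[:1].isspace() and "=" in line:
            key, _, val = line.strip().partition("=")
            current[key.strip()] = val.strip()
    return conns

def shared_peer_dpd_conns(conns):
    """Return {(left, right): [conn names]} for peer pairs reused by more than
    one DPD-enabled conn (dpddelay set). Such conns share a single ISAKMP SA,
    so DPD (and dpdaction) only ever fires for one of them."""
    by_pair = defaultdict(list)
    for name, kv in conns.items():
        if "dpddelay" in kv:
            by_pair[(kv.get("left"), kv.get("right"))].append(name)
    return {p: sorted(n) for p, n in by_pair.items() if len(n) > 1}

if __name__ == "__main__":
    for (left, right), names in shared_peer_dpd_conns(parse_conns(SAMPLE_CONF)).items():
        print(f"{left} <-> {right}: {', '.join(names)} share one ISAKMP SA; use a distinct right= per conn")
```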

>>> Michael Schwartzkopff <misch at multinet.de> 20.02.09 7.37 >>>
Hi,

we have two tunnels configured to the same gateway but different subnets on our 
side. See the config for the connections below. Everything seems to work, except 
for dead peer detection:

ipsec whack --status gives:
(...)
000 "haitecairit":   dpd: action:restart; delay:30; timeout:120; 
(...)
000 "haitecairit2":   dpd: action:restart; delay:30; timeout:120; 
(...)
000 #203: "haitecairit":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); 
EVENT_SA_REPLACE in 27390s; newest IPSEC; eroute owner
000 #203: "haitecairit" esp.de35d31c at x.y.237.28 esp.e5784f37 at x.y.237.250 
tun.0 at x.y.237.28 tun.0 at x.y.237.250
000 #202: "haitecairit2":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); 
EVENT_SA_REPLACE in 27434s; newest IPSEC; eroute owner
000 #202: "haitecairit2" esp.de35d31b at x.y.237.28 esp.f608300b at x.y.237.250 
tun.0 at x.y.237.28 tun.0 at x.y.237.250
000 #155: "haitecairit2":500 STATE_MAIN_I4 (ISAKMP SA established); 
EVENT_SA_REPLACE in 1179s; newest ISAKMP; lastdpd=12s(seq in:17719 out:0)

Please note that the line with "lastdpd" occurs only on the connection 
"haitecairit2".

If a problem occurs with the link, only the connection "haitecairit2" is 
restarted by dpd; the other connection remains unconnected.

Does OpenSWAN only check the other gateway one time, even if several 
connections to the same gateway are defined? Is this a bug? Or did I just miss 
some configuration?

Thanks for any help.

--

Connection definition

conn haitecairit
        type=tunnel
        auth=esp
        authby=secret
        ike=aes128
        esp=aes128
        pfs=yes
        left=x.y.237.28
        leftsubnet=172.17.10.0/24
        right=x.y.237.250
        rightsubnet=172.19.0.0/16
        auto=start
        dpddelay=30
        dpdtimeout=120
        dpdaction=restart

conn haitecairit2
        type=tunnel
        auth=esp
        authby=secret
        ike=aes128
        esp=aes128
        pfs=yes
        left=x.y.237.28
        leftsubnet=172.17.10.0/24
        right=x.y.237.250
        rightsubnet=172.18.1.0/24
        auto=start
        dpddelay=30
        dpdtimeout=120
        dpdaction=restart


-- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Address: Bretonischer Ring 7; 85630 Grasbrunn; Germany
Tel: +49 - 89 - 45 69 11 0
Fax: +49 - 89 - 45 69 11 21
mob: +49 - 174 - 343 28 75

mail: misch at multinet.de
web: www.multinet.de

Registered office: 85630 Grasbrunn
Commercial register: Amtsgericht München HRB 114375
Managing directors: Günter Jurgeneit, Hubert Martens

---

PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42
_______________________________________________
Users at openswan.org
http://lists.openswan.org/mailman/listinfo/users