[Openswan Users] Re: Problem with two tunnels to the same destination and dpd
Uwe Knop
Uwe.Knop at IT.Brandenburg.de
Thu Feb 26 13:19:40 EST 2009
The behavior of the two tunnels is unfortunately normal.
You must change the right= IP address.
conn haitecairit
    type=tunnel
    auth=esp
    authby=secret
    ike=aes128
    esp=aes128
    pfs=yes
    left=x.y.237.28
    leftsubnet=172.17.10.0/24
    right=x.y.237.250
    rightsubnet=172.19.0.0/16
    auto=start
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart

conn haitecairit2
    type=tunnel
    auth=esp
    authby=secret
    ike=aes128
    esp=aes128
    pfs=yes
    left=x.y.237.28
    leftsubnet=172.17.10.0/24
    right=x.y.237.251
    rightsubnet=172.18.1.0/24
    auto=start
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
bye
Uwe
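A check for the situation Uwe describes, as an added example (not code from the thread or from Openswan): it parses conn sections out of an ipsec.conf fragment and an `ipsec whack --status` excerpt (both constructed here from the thread's values), groups DPD-enabled conns by their left=/right= pair, and reports the conns that share a peer pair yet own no ISAKMP SA carrying a lastdpd counter, since DPD runs on the shared phase 1 SA rather than once per conn.

```python
import re
from collections import defaultdict

# Constructed ipsec.conf fragment mirroring the thread's two conns (same left= and right=).
IPSEC_CONF = """\
conn haitecairit
    left=x.y.237.28
    right=x.y.237.250
    dpdaction=restart
conn haitecairit2
    left=x.y.237.28
    right=x.y.237.250
    dpdaction=restart
"""
# Constructed `ipsec whack --status` excerpt: only haitecairit2 owns the ISAKMP SA.
WHACK_STATUS = """\
000 #203: "haitecairit":500 STATE_QUICK_I2 (sent QI2, IPsec SA established);
000 #202: "haitecairit2":500 STATE_QUICK_I2 (sent QI2, IPsec SA established);
000 #155: "haitecairit2":500 STATE_MAIN_I4 (ISAKMP SA established); newest ISAKMP; lastdpd=12s(seq in:17719 out:0)
"""

def parse_conns(conf):
    """Return {conn name: {key: value}} for every conn section of an ipsec.conf."""
    conns, current = {}, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line:
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1].strip()
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns

def isakmp_dpd_owners(status):
    """Conn names whose ISAKMP SA line in whack --status carries a lastdpd= counter."""
    pat = re.compile(r'^000 #\d+: "([^"]+)":\d+ STATE_MAIN_\w+ .*lastdpd=')
    return {m.group(1) for m in map(pat.match, status.splitlines()) if m}

def conns_without_own_dpd(conf, status):
    """Map (left, right) -> DPD-configured conns sharing that peer pair but owning no DPD'd ISAKMP SA."""
    by_peer = defaultdict(list)
    for name, params in parse_conns(conf).items():
        if "dpdaction" in params:  # only conns that expect DPD to act for them
            by_peer[(params.get("left"), params.get("right"))].append(name)
    owners = isakmp_dpd_owners(status)
    return {peer: [n for n in names if n not in owners]
            for peer, names in by_peer.items()
            if len(names) > 1 and any(n not in owners for n in names)}
```

Run it against the real files (`/etc/ipsec.conf` and the live `ipsec whack --status` output) to list the conns that a DPD restart will leave behind; an empty result means every DPD-enabled conn either has its own peer pair or owns its ISAKMP SA.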
>>> Michael Schwartzkopff <misch at multinet.de> 20.02.09 7:37 >>>
Hi,
we have two tunnels configured to the same gateway but different subnets on our
side. See: config for the connections below. Everything seems to work, except
for dead peer detection:
ipsec whack --status gives:
(...)
000 "haitecairit": dpd: action:restart; delay:30; timeout:120;
(...)
000 "haitecairit2": dpd: action:restart; delay:30; timeout:120;
(...)
000 #203: "haitecairit":500 STATE_QUICK_I2 (sent QI2, IPsec SA established);
EVENT_SA_REPLACE in 27390s; newest IPSEC; eroute owner
000 #203: "haitecairit" esp.de35d31c at x.y.237.28 esp.e5784f37 at x.y.237.250
tun.0 at x.y.237.28 tun.0 at x.y.237.250
000 #202: "haitecairit2":500 STATE_QUICK_I2 (sent QI2, IPsec SA established);
EVENT_SA_REPLACE in 27434s; newest IPSEC; eroute owner
000 #202: "haitecairit2" esp.de35d31b at x.y.237.28 esp.f608300b at x.y.237.250
tun.0 at x.y.237.28 tun.0 at x.y.237.250
000 #155: "haitecairit2":500 STATE_MAIN_I4 (ISAKMP SA established);
EVENT_SA_REPLACE in 1179s; newest ISAKMP; lastdpd=12s(seq in:17719 out:0)
Please note that the line with "lastdpd" occurs only on the connection
"haitecairit2".
If a problem occurs with the link only the connection "haitecairit2" is
restarted by dpd, the other connection remains unconnected.
Does OpenSWAN only check the other gateway one time, even if several
connections to the same gateway are defined? Is this a bug? Or did I just miss
some configurations?
Thanks for any help.
--
Connection definition
conn haitecairit
    type=tunnel
    auth=esp
    authby=secret
    ike=aes128
    esp=aes128
    pfs=yes
    left=x.y.237.28
    leftsubnet=172.17.10.0/24
    right=x.y.237.250
    rightsubnet=172.19.0.0/16
    auto=start
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart

conn haitecairit2
    type=tunnel
    auth=esp
    authby=secret
    ike=aes128
    esp=aes128
    pfs=yes
    left=x.y.237.28
    leftsubnet=172.17.10.0/24
    right=x.y.237.250
    rightsubnet=172.18.1.0/24
    auto=start
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
--
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Address: Bretonischer Ring 7; 85630 Grasbrunn; Germany
Tel: +49 - 89 - 45 69 11 0
Fax: +49 - 89 - 45 69 11 21
mob: +49 - 174 - 343 28 75
mail: misch at multinet.de
web: www.multinet.de
Registered office: 85630 Grasbrunn
Register court: Amtsgericht München HRB 114375
Managing directors: Günter Jurgeneit, Hubert Martens
---
PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42
_______________________________________________
Users at openswan.org
http://lists.openswan.org/mailman/listinfo/users
Building and Integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155