[Openswan Users] redundant ipsec connections: route to peer's client conflicts with ... releasing old connection to free the route
Oguz Yilmaz
oguzyilmazlist at gmail.com
Thu Jun 4 13:35:06 EDT 2009
Configuration is below. If it is about the configuration, I would be
very glad to find the mistake.
Note: I have also tried without any dpd feature on both sides.
CentralVPNServer config:

version 2.0
config setup
    interfaces="ipsec0=eth1"
    klipsdebug=none
    plutodebug=none
    nat_traversal=yes
    protostack=netkey

conn %default
    auto=add

conn peersite1_vpn3_over_adsl2
    authby=secret
    auth=esp
    esp=3des-sha1-96
    left=CENTRALIPADDR
    leftsubnet=172.17.0.0/24
    right=PEERIPADDR2
    rightsubnet=172.19.0.0/24
    leftnexthop=CENTRALIPNEXTHOP
    disablearrivalcheck=1
    pfs=no
    auto=start
    keyingtries=0
    keyexchange=ike
    keylife=28800s
    dpdaction=restart
    dpddelay=45
    dpdtimeout=120

conn peersite1_vpn1_over_adsl1
    authby=secret
    auth=esp
    esp=3des-sha1-96
    left=CENTRALIPADDR
    leftsubnet=10.0.0.0/8
    right=PEERIPADDR1
    rightsubnet=172.19.0.0/24
    leftnexthop=CENTRALIPNEXTHOP
    disablearrivalcheck=1
    pfs=no
    auto=start
    keyingtries=0
    keyexchange=ike
    keylife=28800s
    dpdaction=restart
    dpddelay=45
    dpdtimeout=120

conn peersite1_vpn2_over_adsl1
    authby=secret
    auth=esp
    esp=3des-sha1-96
    left=CENTRALIPADDR
    leftsubnet=172.16.0.0/24
    right=PEERIPADDR1
    rightsubnet=172.19.0.0/24
    leftnexthop=CENTRALIPNEXTHOP
    disablearrivalcheck=1
    pfs=no
    auto=start
    keyingtries=0
    keyexchange=ike
    keylife=28800s
    dpdaction=restart
    dpddelay=45
    dpdtimeout=120

include /etc/ipsec.d/*.conf
PeerSite config:

version 2.0
config setup
    interfaces="ipsec0=ppp0 ipsec0=ppp1"
    klipsdebug=none
    plutodebug=none
    nat_traversal=yes
    uniqueids=yes

conn %default
    auto=add

conn vpn3-over-adsl2
    authby=secret
    esp=3des-sha1-96
    left=PEERIPADDR2
    leftsubnet=172.19.0.0/24
    leftnexthop=PEERNEXTHOP2
    right=CENTRALIPADDR
    rightsubnet=172.17.0.0/24
    auth=esp
    auto=start
    keylife=28800s
    keyexchange=ike
    pfs=no
    keyingtries=0
    disablearrivalcheck=0
    dpdaction=restart
    dpddelay=45
    dpdtimeout=120

conn vpn1-over-adsl1
    authby=secret
    esp=3des-sha1-96
    left=PEERIPADDR1
    leftsubnet=172.19.0.0/24
    leftnexthop=PEERNEXTHOP1
    right=CENTRALIPADDR
    rightsubnet=10.0.0.0/8
    auth=esp
    auto=start
    keylife=28800s
    keyexchange=ike
    pfs=no
    keyingtries=0
    disablearrivalcheck=0
    dpdaction=restart
    dpddelay=45
    dpdtimeout=120

conn vpn2-over-adsl1
    authby=secret
    esp=3des-sha1-96
    left=PEERIPADDR1
    leftsubnet=172.19.0.0/24
    leftnexthop=PEERNEXTHOP1
    right=CENTRALIPADDR
    rightsubnet=172.16.0.0/24
    auth=esp
    auto=start
    keylife=28800s
    keyexchange=ike
    pfs=no
    keyingtries=0
    disablearrivalcheck=0
    dpdaction=restart
    dpddelay=45
    dpdtimeout=120
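As an added example (not from this thread and not Openswan's own code), a small Python check that parses ipsec.conf-style conn sections and flags the situation the two configs above create: one remote client subnet (rightsubnet 172.19.0.0/24) defined behind more than one peer address (PEERIPADDR1 and PEERIPADDR2), so the connections compete for the same route. The sample config is constructed from the CentralVPNServer config with RFC 5737 documentation addresses standing in for the placeholders.

```python
import ipaddress

# Constructed excerpt modelled on the CentralVPNServer config above; the
# CENTRALIPADDR/PEERIPADDR placeholders are replaced with RFC 5737 example addresses.
SAMPLE_CONF = """
config setup
    protostack=netkey
conn %default
    auto=add
conn peersite1_vpn3_over_adsl2
    leftsubnet=172.17.0.0/24
    right=198.51.100.2
    rightsubnet=172.19.0.0/24
conn peersite1_vpn1_over_adsl1
    leftsubnet=10.0.0.0/8
    right=198.51.100.1
    rightsubnet=172.19.0.0/24
conn peersite1_vpn2_over_adsl1
    leftsubnet=172.16.0.0/24
    right=198.51.100.1
    rightsubnet=172.19.0.0/24
include /etc/ipsec.d/*.conf
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for every conn section except %default."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and indentation
        if not line:
            continue
        if line.startswith("conn "):
            name = line.split(None, 1)[1]
            current = None if name == "%default" else conns.setdefault(name, {})
        elif line.startswith(("config ", "version ", "include ")):
            current = None                    # not a conn section: ignore its keys
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def route_conflicts(conns):
    """Map each remote client subnet to {conn: peer address} and keep only the
    subnets reached via more than one peer: those conns displace each other's route."""
    by_subnet = {}
    for name, kv in conns.items():
        subnet = ipaddress.ip_network(kv.get("rightsubnet", kv["right"] + "/32"))
        by_subnet.setdefault(subnet, {})[name] = kv["right"]
    return {str(s): peers for s, peers in by_subnet.items()
            if len(set(peers.values())) > 1}
```

Running `route_conflicts(parse_conns(SAMPLE_CONF))` reports 172.19.0.0/24 with the three conns and their two distinct peer addresses; a config whose conns all reach a given subnet through a single peer returns an empty dict.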
2009/6/4 Paul Wouters <paul at xelerance.com>:
> On Thu, 4 Jun 2009, Oguz Yilmaz wrote:
>
> It should work, so I suspect a configuration issue somewhere.
>
> Paul
>
>> I have a problem with Openswan.
>> I got the message "route to peer's client conflicts with ..., releasing
>> old connection to free the route"
>> On the central vpn machine I have 3 ipsec connections:
>>
>> vpn1: 10.0.0.0/8 -> CentralVPNServer -> InternetCloud -> InternetDSL1
>> -> PeerSite1 (172.19.0.0/24)
>>
>> vpn2: 172.16.0.0/24 -> CentralVPNServer -> InternetCloud ->
>> InternetDSL2 -> PeerSite1 (172.19.0.0/24)
>>
>> vpn3: 172.17.0.0/24 -> CentralVPNServer -> InternetCloud ->
>> InternetDSL2 -> PeerSite1 (172.19.0.0/24)
>>
>>
>> As you can see PeerSite1 has 2 internet connections. Two of the ipsecs are
>> through line 2, one is through line 1.
>> I want to connect 3 networks behind CentralVPNServer to the peersite
>> over 2 peer internet lines.
>>
>> At a moment only connections coming over one of the DSL lines are up. When
>> vpn2+vpn3 are up, vpn1 comes and openswan drops vpn2+vpn3 and establishes
>> vpn1. This continues vice versa. In an unknown time (from 5 to 15
>> minutes) all three vpns are established together.
>>
>> I think it is about the route which CentralVPNServer wants to establish:
>>
>> What can you propose?
>>
>> Note: If I try leftsubnet=0.0.0.0;/0 on CentralVPNServer, it can not
>> match the incoming VPN request with this definition.
>>
>> Openswan version: openswan-2.4.13
>> Kernel: 2.6.18