[Openswan Users] Major problems with multiple tunnels on Fedora 11

Marek Greško gresko at thr.sk
Fri Jun 26 07:16:20 EDT 2009


Hello,

since I upgraded from F10 (openswan-2.6.19) to F11 (openswan-2.6.21+nss.patch) 
I have problems instantiating multiple tunnels between the gateway and the 
roadwarrior. Prior to the upgrade everything worked. Apart from that, for some 
time now ipsec.exe on Windows XP has instantiated only the first tunnel it finds 
(it used to work before). My question is not about that, but if anybody knows, 
I will be happy for any advice on that.

The real problem is this:

I have configured tunnels A and B on the gateway. They differ only in the 
rightsubnet behind the gateway. They are loaded in the order A and B on the gw side.

Windows XP instantiates tunnel B.

I get this in the log:

Jun 26 11:02:42 gw pluto[15235]: "X"[3] WinpublicIP #94: Main mode peer ID is 
ID_DER_ASN1_DN: 'WinID'
Jun 26 11:02:42 gw pluto[15235]: "X"[3] WinpublicIP #94: switched from "X" to 
"A"
Jun 26 11:02:42 gw pluto[15235]: "A"[1] WinpublicIP #94: I am sending my cert
Jun 26 11:02:42 gw pluto[15235]: "A"[1] WinpublicIP #94: transition from state 
STATE_MAIN_R2 to state STATE_MAIN_R3
Jun 26 11:02:42 gw pluto[15235]: "A"[1] WinpublicIP #94: STATE_MAIN_R3: sent 
MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 
prf=oakley_sha group=modp1024}
Jun 26 11:02:42 gw pluto[15235]: "A"[1] WinpublicIP #94: the peer proposed: 
Brightiprange:0/0 -> WinpublicIP:0/0
Jun 26 11:02:42 gw pluto[15235]: "A"[1] WinpublicIP #94: peer proposal was 
reject in a virtual connection policy because:
Jun 26 11:02:42 gw pluto[15235]: "A"[1] WinpublicIP #94:   a private network 
virtual IP was required, but the proposed IP did not match our list 
(virtual_private=)
... this is probably due to the public IP on Windows without NAT and is probably 
harmless, am I right?
Jun 26 11:02:42 gw pluto[15235]: "A"[1] WinpublicIP #94: cannot respond to 
IPsec SA request because no connection is known for 
Brightsubnet===gwpublicip<gwpublicip>[...gwID...,
+S=C]...WinpublicIP[...WinID...,+S=C]
Jun 26 11:02:42 gw pluto[15235]: "A"[1] WinpublicIP #94: sending encrypted 
notification INVALID_ID_INFORMATION to WinpublicIP:500

The problem arises when the gw thinks Windows is trying to instantiate tunnel A, 
not B. How can I override this? It used to work before the upgrade.

Old log, when it worked:

Jun 24 01:36:03 gw pluto[7102]: "A"[1] WinpublicIP #1: the peer proposed: 
Brightsubnet:0/0 -> WindowsIPbehindNAT:0/0

... this time Windows was NAT-ted ...

Jun 24 01:36:03 gw pluto[7102]: "B"[1] WinrouterpublicIP #2: responding to 
Quick Mode proposal {msgid:......}

... it fluently switched from tunnel A to B.


Any help appreciated.

Thank you.

-- 
Marek Greško
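The pattern in the logs above (Phase 1 lands on conn "A" because both conns share the same peer ID, Phase 2 then needs the conn whose gateway-side subnet actually covers the proposed selectors) can be checked mechanically. The script below is an added example, not code from the post or from Openswan: it groups pluto messages by ISAKMP SA number, extracts the "the peer proposed" selectors and compares them against a hypothetical conn table modelled on the post (A and B differing only in the gateway-side subnet). The log lines and addresses (RFC 5737 / RFC 1918 ranges) are constructed; the conn search mimics pluto's Phase 2 selection in spirit only and is an assumption, not the real algorithm.

```python
"""Match pluto Phase 2 proposals against configured Openswan conns.

Constructed example: the conn table and log lines are modelled on the
mailing-list post, with placeholder addresses; nothing here is taken
from a real system.
"""
import ipaddress
import re
from collections import defaultdict

# Hypothetical conn table: A and B differ only in the gateway-side subnet,
# as described in the post. The roadwarrior side accepts any host.
CONNS = {
    "A": {"gw_subnet": "10.1.0.0/24", "peer_subnet": "0.0.0.0/0"},
    "B": {"gw_subnet": "10.2.0.0/24", "peer_subnet": "0.0.0.0/0"},
}

LINE_RE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)$'
)
SWITCH_RE = re.compile(r'switched from "[^"]+" to "(?P<new>[^"]+)"')
PROPOSAL_RE = re.compile(
    r"the peer proposed: (?P<ours>[0-9./]+):\d+/\d+ -> (?P<theirs>[0-9./]+):\d+/\d+"
)

# Constructed log (wrapped lines joined). SA #94 mirrors the failing case in
# the post, SA #2 the earlier working case where pluto switched to "B".
SAMPLE_LOG = """\
Jun 26 11:02:42 gw pluto[15235]: "X"[3] 192.0.2.10 #94: switched from "X" to "A"
Jun 26 11:02:42 gw pluto[15235]: "A"[1] 192.0.2.10 #94: the peer proposed: 10.2.0.0/24:0/0 -> 192.0.2.10:0/0
Jun 26 11:02:42 gw pluto[15235]: "A"[1] 192.0.2.10 #94: cannot respond to IPsec SA request because no connection is known for 10.2.0.0/24===198.51.100.1<198.51.100.1>[...]...192.0.2.10[...]
Jun 26 11:02:42 gw pluto[15235]: "A"[1] 192.0.2.10 #94: sending encrypted notification INVALID_ID_INFORMATION to 192.0.2.10:500
Jun 24 01:36:03 gw pluto[7102]: "A"[1] 203.0.113.5 #2: the peer proposed: 10.2.0.0/24:0/0 -> 192.168.1.20:0/0
Jun 24 01:36:03 gw pluto[7102]: "B"[1] 203.0.113.5 #2: responding to Quick Mode proposal {msgid:...}
"""


def parse_events(log_text):
    """Group pluto messages by ISAKMP SA number, keeping the conn each was logged under."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events[int(m["sa"])].append((m["conn"], m["msg"]))
    return events


def select_conn(conns, ours, theirs):
    """Return the first conn whose selectors cover the proposed subnets.

    Assumption for illustration: a plain containment test. Real pluto also
    weighs IDs, policy flags and virtual_private when picking a conn.
    """
    ours_net = ipaddress.ip_network(ours, strict=False)
    theirs_net = ipaddress.ip_network(theirs, strict=False)
    for name, c in conns.items():
        if (ours_net.subnet_of(ipaddress.ip_network(c["gw_subnet"]))
                and theirs_net.subnet_of(ipaddress.ip_network(c["peer_subnet"]))):
            return name
    return None


def diagnose(log_text, conns):
    """Per SA: the conn Phase 1 landed on, what Phase 2 asked for, and the outcome."""
    report = {}
    for sa, msgs in parse_events(log_text).items():
        phase1 = phase2 = proposal = None
        rejected = False
        for conn, msg in msgs:
            if (m := SWITCH_RE.search(msg)):
                phase1 = m["new"]
            elif (m := PROPOSAL_RE.search(msg)):
                phase1 = phase1 or conn
                proposal = (m["ours"], m["theirs"])
            elif msg.startswith("responding to Quick Mode proposal"):
                phase2 = conn
            elif msg.startswith("cannot respond to IPsec SA request"):
                rejected = True
        expected = select_conn(conns, *proposal) if proposal else None
        report[sa] = {
            "phase1_conn": phase1,
            "proposal": proposal,
            "expected_conn": expected,
            "phase2_conn": phase2,
            "rejected": rejected,
            "needs_switch": proposal is not None and expected != phase1,
        }
    return report


if __name__ == "__main__":
    for sa, r in sorted(diagnose(SAMPLE_LOG, CONNS).items()):
        print(f"SA #{sa}: phase1={r['phase1_conn']} proposal={r['proposal']} "
              f"expected={r['expected_conn']} phase2={r['phase2_conn']} "
              f"rejected={r['rejected']}")
```

Run against a real /var/log/secure the same way (feed the file contents to diagnose with your own conn table); an SA whose expected_conn differs from phase1_conn and that ends with rejected=True is exactly the symptom in the post, and confirms that the proposal itself named the right subnet and the failure lies in the conn switch rather than in the peer's request.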
