[Openswan Users] Major problems with multiple tunnels on Fedora 11

Paul Wouters paul at xelerance.com
Fri Jun 26 12:09:51 EDT 2009


On Fri, 26 Jun 2009, Marek Greško wrote:

> since I upgraded from F10 (openswan-2.6.19) to F11
> (openswan-2.6.21+nss.patch) I have had problems instantiating multiple
> tunnels between the gateway and the roadwarrior. Prior to the upgrade
> everything worked. Except that for some time ipsec.exe on Windows XP
> has instantiated only the first tunnel it finds (it used to work before). My
> question is not about that, but if anybody knows I will be happy about any
> advice on that.

ipsec.exe is a really old tool. ipsectool is newer, but AFAIK it only works
for one tunnel. Openswan could be ported to Windows, though really only
to the newer ones with the netsh command (Vista and up, I believe?)

> Windows XP instantiates tunnel B.
> 
> I get this in the log:

> Jun 26 11:02:42 gw pluto[15235]: "A"[1] WinpublicIP #94: the peer
> proposed: Brightiprange:0/0 -> WinpublicIP:0/0
> Jun 26 11:02:42 gw pluto[15235]: "A"[1] WinpublicIP #94: peer proposal
> was reject in a virtual connection policy because:
> Jun 26 11:02:42 gw pluto[15235]: "A"[1] WinpublicIP #94: a private
> network virtual IP was required, but the proposed IP did not match our
> list (virtual_private=)
> ... this is probably due to the public IP on Windows without NAT and is
> probably harmless, am I right?

I cannot really read this with the information hidden. If it tried to
propose with 0.0.0.0/0 it's clearly wrong. If it is not behind NAT, you
probably don't have rightsubnet=vhost containing "%no" (for non-NAT), or if
you are behind NAT and have rightsubnet=vhost:%no,%priv, then the internal
range of the client is not part of virtual_private=

> The problem arises when gw thinks Windows is trying to instantiate tunnel
> A, not B. How can I override this? It used to work before the upgrade.

Since the phase 1 for A and B is the same, you are misled into thinking
the gateway is mistaken. When doing phase 1 there is no difference, so the
connection name it picks can be either one of the two. Once it gets to
phase 2, it should switch to the right conn.

Paul
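As an added illustration (not from the original thread), here is a constructed ipsec.conf fragment showing the two points Paul makes: the client's private range must appear in virtual_private= when rightsubnet uses %priv, and two conns sharing the same phase 1 are told apart only by leftsubnet in phase 2. Conn names, subnets, certificate file and auth method are assumptions.

```ini
# Constructed example, not the poster's configuration. Assumed addresses:
#   LAN behind the gateway for conn A: 10.1.0.0/24, for conn B: 10.2.0.0/24
#   roadwarrior behind NAT, internal address somewhere in 192.168.0.0/16

config setup
    # REJECTED variant: 192.168.0.0/16 is not listed, so a NATed client
    # proposing a 192.168.x.y virtual IP gets the log line seen above:
    #   "a private network virtual IP was required, but the proposed IP
    #    did not match our list (virtual_private=)"
    #virtual_private=%v4:10.0.0.0/8
    #
    # ACCEPTED variant: list the client's private range and exclude the
    # gateway's own LANs so they are never handed out as virtual IPs
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:!10.1.0.0/24,%v4:!10.2.0.0/24

# Phase 1 (left, right=%any, auth) is identical for A and B, so pluto may
# log either name while IKE runs; phase 2 picks the conn whose leftsubnet
# matches the client's proposal.
conn A
    left=%defaultroute
    leftsubnet=10.1.0.0/24
    # assumption: certificate-based auth, gateway cert file name made up
    authby=rsasig
    leftcert=gw.pem
    leftrsasigkey=%cert
    right=%any
    rightrsasigkey=%cert
    # %priv: client behind NAT proposes a virtual IP from virtual_private
    # %no:   client without NAT proposes its own public IP
    rightsubnet=vhost:%priv,%no
    auto=add

conn B
    left=%defaultroute
    leftsubnet=10.2.0.0/24
    authby=rsasig
    leftcert=gw.pem
    leftrsasigkey=%cert
    right=%any
    rightrsasigkey=%cert
    rightsubnet=vhost:%priv,%no
    auto=add
```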

