[Openswan Users] Major problems with multiple tunnels on Fedora 11

Paul Wouters paul at xelerance.com
Fri Jun 26 22:36:54 EDT 2009


On Sat, 27 Jun 2009, Marek Greško wrote:

>> I probably found an answer to my question:
>>
>> https://gsoc.xelerance.com/issues/973
>>
>> Isn't it the issue I am observing?
>>
>> Marek
>
> I created a copy of tunnel definitions with
>
> leftsubnet=vhost:%no
>
> I don't know why, but it looks like, whether I use NAT or not, this connection
> with vhost:%no is always used and never the one with vhost:%no,%priv.
>
> But it works!!

It is picked, but you don't see it because it picks a random name for
phase 1 (where the two are indistinguishable)

> The only issue I am now struggling with is this:
>
> I have a USB 3G modem connected with a static public IP address to a Win XP
> client which uses IPsec without NAT to a static public IP address range. When
> I disconnect the modem, connect it to my Linux box without IPsec configured and
> try to connect to the same IP range I get no answer until restart of IPsec on
> the remote gateway. I understand what is going on. The remote gateway holds
> the IPsec policy and tries to communicate through previously created IPsec
> tunnel. But I have DPD (with policy clear) configured and the tunnel never
> stops. Isn't the DPD intended to be used to put down the tunnel when the
> opposite side does not use it?

DPD only works if both ends support it. AFAIK, Windows XP does not support DPD.

However, if you have uniqueids=yes, then setting up a new connection from a
different IP should always replace the old connection. There is a specific
"udp port 500 hole" for this. That is, the "drop all unencrypted" traffic
excludes unencrypted udp 500 for this exact reason.

Paul
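
As an added illustration (not from this thread and not the Openswan project's own
sample config), here is an ipsec.conf fragment for the Linux gateway that combines
the settings discussed above: uniqueids=yes so that a new Phase 1 from the same
peer ID at a new IP replaces the stale one instead of sitting beside it,
rightsubnet=vhost:%no,%priv so one conn matches the client both directly and from
behind NAT, and DPD with dpdaction=clear, which only helps when the peer also
speaks DPD. The conn name, IDs, addresses and timer values are invented
placeholders; adjust them to your setup.

```ini
# /etc/ipsec.conf on the Linux gateway (illustrative; conn name, IDs,
# addresses and timers are invented placeholders)
version 2.0

config setup
    protostack=netkey
    # A new IKE SA from the same peer ID, even from a different IP, replaces
    # the old one rather than leaving the stale tunnel in place.
    uniqueids=yes

conn roadwarrior
    left=%defaultroute
    leftsubnet=192.0.2.0/24
    leftid=@gateway.example.org
    # Remote client: accept it whether or not it sits behind NAT.
    right=%any
    rightsubnet=vhost:%no,%priv
    rightid=@client.example.org
    authby=secret
    # Dead Peer Detection: probe every 30s, give up after 120s of silence and
    # then clear the SA. Has no effect if the peer does not implement DPD.
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    auto=add
```

With this in place the client can move to a new address and simply re-negotiate;
the gateway tears down the old tunnel on the new Phase 1 (via uniqueids) rather
than waiting for DPD, which is the path that matters when the peer is Windows XP.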
