[Openswan Users] Some tunnels not established for multiple tunnels between same pair of gateways

Anirudh Kamatgi akamatgi at gmail.com
Tue Mar 24 10:15:45 EDT 2009


Hi All,

I am trying to create a site-to-site VPN with Openswan 2.6.20 on both
gateways. There are multiple subnets behind both gateways and one
connection per subnet pair.

Through a script I am doing an "ipsec auto --add conn" for all the
connections on both gateways. Then on one gateway I do
"ipsec auto --asynchronous --up conn" for all the connections.

Most of the connections come up fine. But a few of them get stuck in
STATE_QUICK_I1 on the gateway which brought up the connection, and the
same connection on the peer will be in STATE_QUICK_R1.
I am unable to figure out why the connection didn't get established.

ipsec auto --status on the initiating gateway:
----------------------------------------------------------------
000 "sample-37.37.37.0-31.31.16.0": 37.37.37.0/24===11.11.0.5<11.11.0.5>[+S=C]...11.11.0.1<11.11.0.1>[+S=C]===31.31.16.0/24; unrouted; eroute owner: #0
000 "sample-37.37.37.0-31.31.16.0":     myip=unset; hisip=unset; myup=/home/product/code/firmware/current/bin/vpn_updown.pl; hisup=/home/product/code/firmware/current/bin/vpn_updown.pl;
000 "sample-37.37.37.0-31.31.16.0":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 10
000 "sample-37.37.37.0-31.31.16.0":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+lKOD+rKOD; prio: 24,24; interface: eth2;
000 "sample-37.37.37.0-31.31.16.0":   dpd: action:restart; delay:20; timeout:15;
000 "sample-37.37.37.0-31.31.16.0":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "sample-37.37.37.0-31.31.16.0":   IKE algorithms wanted: 3DES_CBC(5)_000-SHA1(2)-MODP1024(2); flags=-strict
000 "sample-37.37.37.0-31.31.16.0":   IKE algorithms found: 3DES_CBC(5)_192-SHA1(2)_160-2,
000 "sample-37.37.37.0-31.31.16.0":   ESP algorithms wanted: 3DES(3)_000-SHA1(2); pfsgroup=MODP1024(2);flags=-strict
000 "sample-37.37.37.0-31.31.16.0":   ESP algorithms loaded: 3DES(3)_192-SHA1(2)_160
000 #227: "sample-37.37.37.0-31.31.16.0":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_CRYPTO_FAILED in 300s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate

For the same connection on the peer gateway:
-------------------------------------------------------------------
000 "sample-31.31.16.0-37.37.37.0": 31.31.16.0/24===11.11.0.1<11.11.0.1>[+S=C]...11.11.0.5<11.11.0.5>[+S=C]===37.37.37.0/24; unrouted; eroute owner: #0
000 "sample-31.31.16.0-37.37.37.0":     myip=unset; hisip=unset; myup=/home/product/code/firmware/current/bin/vpn_updown.pl; hisup=/home/product/code/firmware/current/bin/vpn_updown.pl;
000 "sample-31.31.16.0-37.37.37.0":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 10
000 "sample-31.31.16.0-37.37.37.0":   policy: PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+lKOD+rKOD; prio: 24,24;interface: eth1;
000 "sample-31.31.16.0-37.37.37.0":   dpd: action:restart; delay:20; timeout:15;
000 "sample-31.31.16.0-37.37.37.0":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "sample-31.31.16.0-37.37.37.0":   IKE algorithms wanted: 3DES_CBC(5)_000-SHA1(2)-MODP1024(2); flags=-strict
000 "sample-31.31.16.0-37.37.37.0":   IKE algorithms found: 3DES_CBC(5)_192-SHA1(2)_160-2,
000 "sample-31.31.16.0-37.37.37.0":   ESP algorithms wanted: 3DES(3)_000-SHA1(2); pfsgroup=MODP1024(2);flags=-strict
000 "sample-31.31.16.0-37.37.37.0":   ESP algorithms loaded: 3DES(3)_192-SHA1(2)_160
000 #252: "sample-31.31.16.0-37.37.37.0":500 STATE_QUICK_R1 (sent QR1, inbound IPsec SA installed, expecting QI2); EVENT_RETRANSMIT in 35s; lastdpd=-1s(seq in:0 out:0); idle; import:not set

Any help is appreciated.
Thanks,
Anirudh
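A small triage helper for the situation described in the post, added here as an example and not part of the original message or of Openswan: it reads "ipsec auto --status" output and lists the connections whose Quick Mode exchange is parked in STATE_QUICK_I1 or STATE_QUICK_R1, plus those that still have no IPsec SA at all. The sample status text is constructed from the lines in the post with the mail wrapping removed; the second, healthy connection in it is made up for contrast.

```shell
#!/bin/sh
# Added example (not from the original post): triage "ipsec auto --status" output
# when many tunnels are brought up at once. It lists state objects that never left
# Quick Mode (QUICK_I1 on the initiator, QUICK_R1 on the responder) together with
# the timer that will fire next for them, and connections with no IPsec SA.

# Constructed sample status output, modelled on the post (mail line wraps removed).
# The second connection is a made-up healthy tunnel used for contrast.
SAMPLE_STATUS='000 "sample-37.37.37.0-31.31.16.0":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 #227: "sample-37.37.37.0-31.31.16.0":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_CRYPTO_FAILED in 300s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 "sample-37.37.37.0-31.31.17.0":   newest ISAKMP SA: #201; newest IPsec SA: #230;
000 #230: "sample-37.37.37.0-31.31.17.0":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27953s; newest IPSEC; eroute owner; isakmp#201; idle; import:admin initiate'

# Read status output on stdin; print "<conn> <state object> <state> <pending event>"
# for every state object still in QUICK_I1 or QUICK_R1.
stuck_quick_mode() {
    awk '
        /^000 #[0-9]+: "/ && /STATE_QUICK_[IR]1 \(/ {
            split($0, q, "\"")                      # q[2] is the connection name
            sa = $2; sub(":", "", sa)               # "#227:" -> "#227"
            match($0, /STATE_QUICK_[IR]1/); state = substr($0, RSTART, RLENGTH)
            match($0, /EVENT_[A-Z_]+ in [0-9]+s/); ev = substr($0, RSTART, RLENGTH)
            print q[2], sa, state, ev
        }'
}

# Read status output on stdin; print the names of connections that have no IPsec SA
# ("newest IPsec SA: #0"), the other symptom visible in the post.
no_ipsec_sa() {
    awk '/^000 "/ && /newest IPsec SA: #0;/ { split($0, q, "\""); print q[2] }'
}

# Number of stuck state objects, usable as an exit status for a bring-up script.
count_stuck() {
    stuck_quick_mode | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_STATUS" | stuck_quick_mode
printf '%s\n' "$SAMPLE_STATUS" | no_ipsec_sa
```

On a live gateway, replace the sample with `ipsec auto --status | stuck_quick_mode`; a connection that appears in both lists has never completed Quick Mode, which is exactly the pair of symptoms shown above.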