[Openswan Users] Some tunnels not established for multiple tunnels between same pair of gateways

Anirudh Kamatgi akamatgi at gmail.com
Mon Mar 30 10:16:23 EDT 2009


On Tue, Mar 24, 2009 at 7:45 PM, Anirudh Kamatgi <akamatgi at gmail.com> wrote:

> Hi All,
>
> I am trying to create a site-to-site VPN with Openswan 2.6.20 on both
> gateways.
> There are multiple subnets behind both gateways and one connection per
> subnet pair.
>
> Through a script I am doing an "ipsec auto --add conn" for all the
> connections on both gateways.
> Then on one gateway I do "ipsec auto --asynchronous --up conn" for all the
> connections.
>
> Most of the connections come up fine. But a few of them get stuck in
> STATE_QUICK_I1 on the gateway
> which brought up the connection and the same connection in the peer will be
> in STATE_QUICK_R1.
> I am unable to figure out why the connection didn't get established.
>
> ipsec auto --status on the initiating gateway:
> ----------------------------------------------------------------
> 000 "sample-37.37.37.0-31.31.16.0": 37.37.37.0/24===11.11.0.5
> <11.11.0.5>[+S=C]...11.11.0.1<11.11.0.1>[+S=C]===31.31.16.0/24; unrouted;
> eroute owner: #0
> 000 "sample-37.37.37.0-31.31.16.0":     myip=unset; hisip=unset;
> myup=/home/product/code/firmware/current/bin/vpn_updown.pl;
> hisup=/home/product/code/firmware/current/bin/vpn_updown.pl;
> 000 "sample-37.37.37.0-31.31.16.0":   ike_life: 3600s; ipsec_life: 28800s;
> rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 10
> 000 "sample-37.37.37.0-31.31.16.0":   policy:
> PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+lKOD+rKOD; prio: 24,24; interface:
> eth2;
> 000 "sample-37.37.37.0-31.31.16.0":   dpd: action:restart; delay:20;
> timeout:15;
> 000 "sample-37.37.37.0-31.31.16.0":   newest ISAKMP SA: #0; newest IPsec
> SA: #0;
> 000 "sample-37.37.37.0-31.31.16.0":   IKE algorithms wanted:
> 3DES_CBC(5)_000-SHA1(2)-MODP1024(2); flags=-strict
> 000 "sample-37.37.37.0-31.31.16.0":   IKE algorithms found:
> 3DES_CBC(5)_192-SHA1(2)_160-2,
> 000 "sample-37.37.37.0-31.31.16.0":   ESP algorithms wanted:
> 3DES(3)_000-SHA1(2); pfsgroup=MODP1024(2);flags=-strict
> 000 "sample-37.37.37.0-31.31.16.0":   ESP algorithms loaded:
> 3DES(3)_192-SHA1(2)_160
> 000 #227: "sample-37.37.37.0-31.31.16.0":500 STATE_QUICK_I1 (sent QI1,
> expecting QR1); EVENT_CRYPTO_FAILED in 300s; lastdpd=-1s(seq in:0 out:0);
> idle; import:admin initiate
>
> For the same connection on the peer gateway:
> -------------------------------------------------------------------
> 000 "sample-31.31.16.0-37.37.37.0": 31.31.16.0/24===11.11.0.1
> <11.11.0.1>[+S=C]...11.11.0.5<11.11.0.5>[+S=C]===37.37.37.0/24; unrouted;
> eroute owner: #0
> 000 "sample-31.31.16.0-37.37.37.0":     myip=unset; hisip=unset;
> myup=/home/product/code/firmware/current/bin/vpn_updown.pl;
> hisup=/home/product/code/firmware/current/bin/vpn_updown.pl;
> 000 "sample-31.31.16.0-37.37.37.0":   ike_life: 3600s; ipsec_life: 28800s;
> rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 10
> 000 "sample-31.31.16.0-37.37.37.0":   policy:
> PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+lKOD+rKOD; prio: 24,24;interface: eth1;
> 000 "sample-31.31.16.0-37.37.37.0":   dpd: action:restart; delay:20;
> timeout:15;
> 000 "sample-31.31.16.0-37.37.37.0":   newest ISAKMP SA: #0; newest IPsec
> SA: #0;
> 000 "sample-31.31.16.0-37.37.37.0":   IKE algorithms wanted:
> 3DES_CBC(5)_000-SHA1(2)-MODP1024(2); flags=-strict
> 000 "sample-31.31.16.0-37.37.37.0":   IKE algorithms found:
> 3DES_CBC(5)_192-SHA1(2)_160-2,
> 000 "sample-31.31.16.0-37.37.37.0":   ESP algorithms wanted:
> 3DES(3)_000-SHA1(2); pfsgroup=MODP1024(2);flags=-strict
> 000 "sample-31.31.16.0-37.37.37.0":   ESP algorithms loaded:
> 3DES(3)_192-SHA1(2)_160
> 000 #252: "sample-31.31.16.0-37.37.37.0":500 STATE_QUICK_R1 (sent QR1,
> inbound IPsec SA installed, expecting QI2); EVENT_RETRANSMIT in 35s;
> lastdpd=-1s(seq in:0 out:0); idle; import:not set
>
> Any help is appreciated.
> Thanks,
> Anirudh


Hi all,
I am still not able to resolve the above issue.
If anybody can give some clue regarding this, it will be very much
appreciated.
Thanks in advance,
-anirudh
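
When a script brings up many connections with `--asynchronous`, the ones left in a pending Quick Mode state can be listed from the `ipsec auto --status` text. The following is an added example, not part of the original post or of Openswan: the function names are hypothetical, the sample is constructed from the status lines quoted above (the second connection is invented for contrast), and it only reports which connections are pending, not why.

```python
import re

# Constructed sample, wrapped the way the mail above wrapped the real output.
SAMPLE_STATUS = '''\
000 "sample-37.37.37.0-31.31.16.0":   newest ISAKMP SA: #0; newest IPsec
SA: #0;
000 "sample-37.37.37.0-31.31.17.0":   newest ISAKMP SA: #0; newest IPsec
SA: #230;
000 #227: "sample-37.37.37.0-31.31.16.0":500 STATE_QUICK_I1 (sent QI1,
expecting QR1); EVENT_CRYPTO_FAILED in 300s; idle; import:admin initiate
000 #230: "sample-37.37.37.0-31.31.17.0":500 STATE_QUICK_I2 (sent QI2,
IPsec SA established); EVENT_SA_REPLACE in 27000s; idle
'''

SA_RE = re.compile(
    r'^\d{3} "([^"]+)":\s+newest ISAKMP SA: #(\d+); newest IPsec SA: #(\d+)')
STATE_RE = re.compile(r'^\d{3} #(\d+): "([^"]+)":\d+ (STATE_\w+)')
PENDING = {"STATE_QUICK_I1", "STATE_QUICK_R1"}  # Quick Mode not completed


def unwrap(text):
    """Rejoin status lines that mail or terminal wrapping split in two."""
    lines = []
    for raw in text.splitlines():
        line = re.sub(r'^>\s?', '', raw).rstrip()  # drop a mail quote prefix
        if re.match(r'^\d{3} ', line) or not lines:
            lines.append(line)          # a new status record
        elif line:
            lines[-1] += " " + line     # continuation of the previous record
    return lines


def stuck_connections(status_text):
    """Map connection name -> [(state serial, state)] for connections that
    have no IPsec SA (#0) but still have a Quick Mode exchange pending."""
    ipsec_sa, states = {}, {}
    for line in unwrap(status_text):
        m = SA_RE.match(line)
        if m:
            ipsec_sa[m.group(1)] = int(m.group(3))
            continue
        m = STATE_RE.match(line)
        if m and m.group(3) in PENDING:
            states.setdefault(m.group(2), []).append(
                (int(m.group(1)), m.group(3)))
    return {c: s for c, s in states.items() if ipsec_sa.get(c, 0) == 0}


if __name__ == "__main__":
    for conn, pending in stuck_connections(SAMPLE_STATUS).items():
        print(conn, pending)
```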