[Openswan Users] OS / Netkey multiple tunnels

Goffe, Don Donald.Goffe at GTECH.COM
Mon Oct 19 15:55:59 EDT 2009


I have confirmed that this is an OSwan issue. By using only one
connection (commenting out the other) in my ipsec.conf table I can
connect as either "dgoffe" or "greg". Having two closely configured
connections where the left, leftsubnet, leftnexthop and right are the
same except for the rightsubnet 10.3.15.0/24 on one and 10.3.16.0/24 on
the other causes swan to choose the incorrect connection name and
generate the wrong hash.  See last email for config files.

Thanks

-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com] 
Sent: Monday, October 19, 2009 11:33 AM
To: Goffe, Don
Cc: Walter Willis; users at openswan.org
Subject: Re: OS / Netkey multiple tunnels

On Mon, 19 Oct 2009, Goffe, Don wrote:

> I'm able to connect a single tunnel to my cisco3000 concentrator. This
> in turn gets assigned a subnet address that points to HOST1. When I try
> to open another tunnel to the same concentrator so that I can get a
> different subnet to HOST2 openswan seems to change the connection name
> back to the first tunnel.
>
> 002 "OPENSWAN" #3 Aggressive mode peer ID is ID_IPV4_ADDR: 10.10.1.11
> 002 "OPENSWAN" switched from "OPENSWAN" to "OPENSWAN1"
>
> Switching the order of the "conn OPENSWAN" and "conn OPENSWAN1"
> statements in the ipsec.conf affects which connection actually is
> allowed to connect.

No, openswan has to pick a name for the phase1. Since both tunnels have
the same phase1, openswan cannot always tell at the start which of the
two conns this is. So it just picks one. Once you get to phase2 and the
subnet is negotiated, it should "switch" to the right name.

Paul

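Added illustration of the situation Paul describes (not the poster's ipsec.conf, which was attached to an earlier message and is not reproduced here): two conns whose phase1 parameters are identical and which differ only in rightsubnet. All addresses, the aggressive-mode and PSK settings, and the conn names are placeholders chosen for the example.

```ini
# Added example, not the configuration from the thread.
# Addresses are RFC 5737 documentation ranges; the two rightsubnets
# are the ones named in the thread.
config setup
        protostack=netkey

# Everything Openswan sees while negotiating phase1 (the IKE SA) is
# identical in both conns: left, leftsubnet, leftnexthop, right and the
# IKE settings. Only once phase2 negotiates a subnet can it tell them apart.
conn HOST1
        left=192.0.2.10
        leftsubnet=192.0.2.10/32
        leftnexthop=192.0.2.1
        right=203.0.113.5
        rightsubnet=10.3.15.0/24
        aggrmode=yes
        authby=secret
        auto=add

conn HOST2
        left=192.0.2.10
        leftsubnet=192.0.2.10/32
        leftnexthop=192.0.2.1
        right=203.0.113.5
        rightsubnet=10.3.16.0/24
        aggrmode=yes
        authby=secret
        auto=add
```

With both conns loaded, `ipsec auto --status` lists them separately, but the phase1 log lines will be tagged with whichever conn Openswan picked first; a line of the form `"HOST1" switched from "HOST1" to "HOST2"` is the rename Paul refers to, happening when the phase2 selector identifies the 10.3.16.0/24 subnet. Whether the tunnel then works, as Paul expects, or selects the wrong conn, as Don reports, is exactly the open question of the thread; the config above only shows what "same phase1, different phase2" looks like.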