[Openswan Users] OS / Netkey multiple tunnels with Juniper

Robert Bays robert at gdk.org
Mon Oct 19 16:58:20 EDT 2009


This is similar to the recently posted topic "OS / Netkey multiple
tunnels".  But I posted separately as I didn't want to hijack that
thread if they aren't the same issue.

I am currently troubleshooting multiple tunnel problems between
OpenSwan/netkey and a Juniper router.  If I try to connect two tunnels
to the Juniper, whichever tunnel comes up last is the only tunnel that
works correctly.  A packet dump of pings sent across the tunnels shows
that outbound and inbound packets sent across the working tunnel have
the correct SPI in the packet headers.  However, outbound packets sent
across the non-working tunnel (the first to be negotiated) have the
outbound SPI correct (i.e. set to the SPI of the first tunnel) but the
inbound responses from the Juniper have their SPI set to the SPI of the
second tunnel.  So while the response packets are received and decrypted,
upper layer processes never receive them.  It looks like the Juniper
only ever sends back response packets with the SPI of the tunnel that
was negotiated last.

I can work around this problem using racoon if I set the rule level for
spdadd to 'require' instead of 'unique'.  Is there a way to do this in
OpenSwan?  Any help is appreciated.  Thanks in advance.

cheers,
robert.
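As an added illustration of the racoon/setkey workaround the post describes (this is not from the original message; every address and subnet here is a constructed placeholder), the SPD entries below show the two policy levels side by side. With level `unique` each policy is bound to its own SA pair; with level `require` any SA matching the tunnel endpoints may carry the traffic, which is the setting the poster reports as working.

```conf
# Constructed example: two tunnels from one gateway (203.0.113.1) to one
# peer (198.51.100.1), each protecting a different local subnet.

# Level 'unique': every policy gets its own SA pair (reqid). This is the
# configuration the post reports as failing against the Juniper, because
# replies for the first subnet arrive under the second tunnel's SPI.
spdadd 10.0.1.0/24 10.9.0.0/24 any -P out ipsec esp/tunnel/203.0.113.1-198.51.100.1/unique;
spdadd 10.9.0.0/24 10.0.1.0/24 any -P in  ipsec esp/tunnel/198.51.100.1-203.0.113.1/unique;
spdadd 10.0.2.0/24 10.9.0.0/24 any -P out ipsec esp/tunnel/203.0.113.1-198.51.100.1/unique;
spdadd 10.9.0.0/24 10.0.2.0/24 any -P in  ipsec esp/tunnel/198.51.100.1-203.0.113.1/unique;

# Level 'require': the same policies, but any SA between these endpoints
# satisfies them, so a reply decrypted under either tunnel's SPI still
# passes the inbound policy check. This is the workaround from the post.
spdadd 10.0.1.0/24 10.9.0.0/24 any -P out ipsec esp/tunnel/203.0.113.1-198.51.100.1/require;
spdadd 10.9.0.0/24 10.0.1.0/24 any -P in  ipsec esp/tunnel/198.51.100.1-203.0.113.1/require;
spdadd 10.0.2.0/24 10.9.0.0/24 any -P out ipsec esp/tunnel/203.0.113.1-198.51.100.1/require;
spdadd 10.9.0.0/24 10.0.2.0/24 any -P in  ipsec esp/tunnel/198.51.100.1-203.0.113.1/require;
```

Only one of the two groups would be loaded at a time (for example with `setkey -f`); they are shown together here purely for comparison.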

