[Openswan Users] OS / Netkey multiple tunnels

Michael H. Warfield mhw at WittsEnd.com
Thu Oct 22 11:37:11 EDT 2009


On Mon, 2009-10-19 at 11:32 -0400, Paul Wouters wrote: 
> On Mon, 19 Oct 2009, Goffe, Don wrote:

> > I'm able to connect a single tunnel to my cisco3000 concentrator. This
> > in turn gets assigned a subnet address that points to HOST1. When I try to
> > open another tunnel to the same concentrator so that I can get a
> > different subnet to HOST2, openswan seems to change the connection name
> > back to the first tunnel.
> >
> > 002 "OPENSWAN" #3 Aggressive mode peer ID is ID_IPV$_ADDR: 10.10.1.11
> > 002 "OPENSWAN" switched from "OPENSWAN" to "OPENSWAN1"
> >
> > Switching the order of the "conn OPENSWAN" and "conn OPENSWAN1"
> > statements in the ipsec.conf affects which connection actually is
> > allowed to connect.

> No, openswan has to pick a name for the phase1. Since both tunnels have
> the same phase1, openswan cannot always tell at the start which of the
> two conns this is. So it just picks one. Once you get to phase2 and the
> subnet is negotiated, it should "switch" to the right name.

That's always been a source of confusion and never ending debugging
heartburn since the earliest of the FreeSWAN days.  If the connection
name is picked arbitrarily and isn't significant, can't we just pick
something like "default" (which is already a special case) or "Phase1"
or "Phase 1" (space in name) so we can at least see it in the logs?  I
know it would seem to be "cosmetic" but it would cut down on the
confusion.  Does it have to be a legitimate valid connection that's
chosen at random or can it be a pseudo connection?

> Paul

Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
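Added example, not from this thread or from the Openswan project: a small Python helper that follows the phase1 naming behaviour Paul describes by reading pluto's status lines. It records, per ISAKMP/IPsec state number, the conn name pluto used first and the name it "switched" to once phase2 picked the right conn, so an operator reading the log can tell which conn a state really belongs to. The line format is reconstructed from the lines quoted in the thread; it assumes the state number ("#N") is present on the "switched from" line, and the sample log lines and their message text are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the lines quoted in the thread:
# "<code> "<conn>" #<state>[:] <message>". Messages are illustrative only.
SAMPLE_LOG = """\
002 "OPENSWAN" #3 Aggressive mode peer ID is ID_IPV4_ADDR: 10.10.1.11
002 "OPENSWAN" #3: switched from "OPENSWAN" to "OPENSWAN1"
002 "OPENSWAN1" #3: phase1 established (constructed message text)
002 "OPENSWAN1" #4: phase2 negotiated for subnet of HOST2 (constructed)
002 "OPENSWAN" #5 Aggressive mode peer ID is ID_IPV4_ADDR: 10.10.1.11
002 "OPENSWAN" #6: phase2 negotiated for subnet of HOST1 (constructed)
"""

# Status line: 3-digit code, quoted conn name, "#N" state number with or
# without a trailing colon, then the free-text message.
LINE_RE = re.compile(r'^\d{3} "(?P<conn>[^"]+)" #(?P<state>\d+):? (?P<msg>.*)$')
# The rename pluto announces when phase2 identifies the real conn.
SWITCH_RE = re.compile(r'switched from "(?P<old>[^"]+)" to "(?P<new>[^"]+)"')


def conn_history(log_text):
    """Return {state_number: [conn names in the order pluto used them]}."""
    history = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a pluto status line in the expected shape
        state = int(m.group("state"))
        names = history[state]
        if not names or names[-1] != m.group("conn"):
            names.append(m.group("conn"))
        s = SWITCH_RE.search(m.group("msg"))
        if s and names[-1] != s.group("new"):
            names.append(s.group("new"))
    return dict(history)


def final_conn_names(log_text):
    """Map each state number to the conn name pluto settled on."""
    return {state: names[-1] for state, names in conn_history(log_text).items()}


def renamed_states(log_text):
    """States whose provisional phase1 name differs from the final conn."""
    return {
        state: (names[0], names[-1])
        for state, names in conn_history(log_text).items()
        if names[0] != names[-1]
    }


if __name__ == "__main__":
    for state, (first, last) in sorted(renamed_states(SAMPLE_LOG).items()):
        print(f'state #{state}: started as "{first}", now "{last}"')
```

In the constructed sample, state #3 starts under "OPENSWAN" (the arbitrary phase1 pick Paul mentions) and ends under "OPENSWAN1", while states #5 and #6 keep the name they started with; `renamed_states` surfaces exactly the states whose log prefix changed, which is the confusion Mike is describing.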