[Openswan Users] Openswan 2.4.13 - multiple tunnels problem
Paul Wouters
paul at xelerance.com
Tue Feb 9 11:33:33 EST 2010
On Mon, 8 Feb 2010, Maverick wrote:
> Date: Mon, 8 Feb 2010 23:56:27 -0000
> From: Maverick <maverick.pt at gmail.com>
> To: users at openswan.org
> Subject: [Openswan Users] Openswan 2.4.13 - multiple tunnels problem
I don't see any errors in your configuration. Double check your NAT/firewall rules?
Try upgrading to 2.4.15? or 2.6.24?
Paul
>
> Hi,
>
> I’ve an Endian Firewall 2.3 that is running openswan 2.4.13, and I’ve configured it to connect to another office's Cisco firewall.
>
> The other side only gives me access to 2 IPs, not the whole subnet. My problem is that the 2 tunnels come up OK, but only the second one
> has access to my leftsubnet.
>
> Both 10.112.32.78 and 10.112.32.70 can ping any IP on 192.168.2.0/24, but only 10.112.32.70 can really connect to any port of any
> IP on 192.168.2.0/24. It seems that the last tunnel to come up is the one that gets access to my network. This problem won’t happen
> on 2.6.x, but it is difficult to change to a new version on this system because the kernel has the old NAT-T patch applied.
>
> Any configuration I can make to avoid this problem?
>
> This is my current configuration:
>
> conn VDBSERVER
>     dpdaction=restart
>     dpddelay=30
>     dpdtimeout=120
>     left=my public ip
>     leftnexthop=%defaultroute
>     leftsubnet=192.168.2.0/24
>     leftsourceip=192.168.2.254
>     right=cisco public ip
>     rightsubnet=10.112.32.78/32
>     rightnexthop=%defaultroute
>     leftid=my public ip
>     rightid=cisco public ip
>     authby=secret
>     pfs=yes
>     ikelifetime=1h
>     keylife=8h
>     ike=aes256-sha-modp1024
>     esp=aes256-sha1
>     auto=start
>
> conn VTSERVER
>     dpdaction=restart
>     dpddelay=30
>     dpdtimeout=120
>     left=my public ip
>     leftnexthop=%defaultroute
>     leftsubnet=192.168.2.0/24
>     leftsourceip=192.168.2.254
>     right=cisco public ip
>     rightsubnet=10.112.32.70/32
>     rightnexthop=%defaultroute
>     leftid=my public ip
>     rightid=cisco public ip
>     authby=secret
>     pfs=yes
>     ikelifetime=1h
>     keylife=8h
>     ike=aes256-sha-modp1024
>     esp=aes256-sha1
>     auto=start
>
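Following Paul's suggestion to double-check the NAT rules, here is an added check (not part of the thread, and not Openswan's own tooling) that reads an `iptables-save` style dump of the nat table and reports, for each of the two rightsubnets, whether a POSTROUTING exemption precedes the MASQUERADE/SNAT rule; the dump below is constructed and assumes the Endian box masquerades LAN traffic on an interface called eth1.

```shell
#!/bin/sh
# Added example: packets from leftsubnet that are masqueraded before they
# reach the IPsec policy no longer match the 192.168.2.0/24 -> rightsubnet
# selector, so the tunnel silently carries nothing for that destination.
# Constructed sample of `iptables-save -t nat` output: only the .70 tunnel
# destination is exempted, the .78 one is not (hypothetical rule set).
SAMPLE_NAT='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.2.0/24 -d 10.112.32.70/32 -j ACCEPT
-A POSTROUTING -s 192.168.2.0/24 -o eth1 -j MASQUERADE
COMMIT'

# check_exempt DUMP SUBNET
# Prints "ok" if an ACCEPT rule for SUBNET appears in POSTROUTING before the
# first MASQUERADE/SNAT rule, "masqueraded" otherwise (rule order matters:
# netfilter stops at the first terminating target).
check_exempt() {
    dump="$1"; subnet="$2"
    printf '%s\n' "$dump" | awk -v net="$subnet" '
        /^-A POSTROUTING/ {
            if ($0 ~ ("-d " net) && /-j ACCEPT/) { print "ok"; found=1; exit }
            if (/-j (MASQUERADE|SNAT)/) { print "masqueraded"; found=1; exit }
        }
        END { if (!found) print "masqueraded" }'
}

# report DUMP: one line per tunnel destination from the two conn blocks
report() {
    for net in 10.112.32.78/32 10.112.32.70/32; do
        printf '%s: %s\n' "$net" "$(check_exempt "$1" "$net")"
    done
}

report "$SAMPLE_NAT"
```

On a live box replace the sample with `iptables-save -t nat` output; with a KLIPS kernel (as on this NAT-T patched 2.4.x system) tunnel traffic leaves via ipsec0, so an ACCEPT exemption per rightsubnet ahead of the masquerade rule is the usual fix, while NETKEY kernels can use `-m policy --dir out --pol ipsec` instead.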