[Openswan Users] ISAKMP SA but no Ipsec SA for 2nd tunnel

Gupta, Deepak (Deepak) deepak.dg.gupta at alcatel-lucent.com
Fri Mar 5 13:18:04 EST 2010


 

Hello,

I am trying a simple setup of 2 tunnels using PSK between 2 RHEL 5.3 boxes running openswan version 2.6.14. Each tunnel establishes (both the ISAKMP and IPsec SAs establish) individually; however, when I set up ipsec.conf to turn both on at the same time, only one establishes both the ISAKMP and IPsec SAs, while the other only establishes the ISAKMP SA and not the IPsec SA.

Here is the status output for each box:

Box 1:

000 #13: "ag01":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 123s; newest IPSEC; eroute owner; isakmp#11; idle; import:not set
000 #13: "ag01" esp.9ffd670c at 10.254.1.106 esp.157eed88 at 172.12.128.101 tun.0 at 10.254.1.106 tun.0 at 172.12.128.101 ref=0 refhim=4294901761
000 #11: "ag01":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 402s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set
000 #10: "ag01":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 15s; isakmp#8; idle; import:admin initiate
000 #10: "ag01" esp.1107a7c1 at 10.254.1.106 esp.f32ab75f at 172.12.128.101 tun.0 at 10.254.1.106 tun.0 at 172.12.128.101 ref=0 refhim=4294901761
000 #8: "ag01":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 301s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #4: "ag02":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 126s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #16: "ag02":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 9s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #14: "ag02":500 STATE_QUICK_R1 (sent QR1, inbound IPsec SA installed, expecting QI2); EVENT_RETRANSMIT in 4s; lastdpd=-1s(seq in:0 out:0); idle; import:not set
000 #12: "ag02":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 422s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000

Box 2:

000 #29: "ag01":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 73s; newest IPSEC; eroute owner; isakmp#12; idle; import:admin initiate
000 #29: "ag01" esp.3fa588e9 at 172.12.128.101 esp.93193cac at 10.254.1.106 tun.0 at 172.12.128.101 tun.0 at 10.254.1.106 ref=0 refhim=4294901761
000 #24: "ag01":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_EXPIRE in 148s; isakmp#12; idle; import:admin initiate
000 #24: "ag01" esp.6f841552 at 172.12.128.101 esp.acf4efb3 at 10.254.1.106 tun.0 at 172.12.128.101 tun.0 at 10.254.1.106 ref=0 refhim=4294901761
000 #21: "ag01":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_EXPIRE in 64s; isakmp#12; idle; import:admin initiate
000 #21: "ag01" esp.209dc650 at 172.12.128.101 esp.c7463ad5 at 10.254.1.106 tun.0 at 172.12.128.101 tun.0 at 10.254.1.106 ref=0 refhim=4294901761
000 #12: "ag01":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 62s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #9: "ag01":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 103s; lastdpd=-1s(seq in:0 out:0); idle; import:not set
000 #4: "ag02":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 22s; lastdpd=-1s(seq in:0 out:0); idle; import:not set
000 #28: "ag02":500 STATE_QUICK_R0 (expecting QI1); EVENT_CRYPTO_FAILED in 269s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #26: "ag02":500 STATE_QUICK_R0 (expecting QI1); EVENT_CRYPTO_FAILED in 197s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #23: "ag02":500 STATE_QUICK_R0 (expecting QI1); EVENT_CRYPTO_FAILED in 124s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #20: "ag02":500 STATE_QUICK_R0 (expecting QI1); EVENT_CRYPTO_FAILED in 47s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #16: "ag02":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_CRYPTO_FAILED in 287s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #13: "ag02":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 7s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000

Am I missing something obvious?

-Deepak
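
The status listings in the post can be reduced to one line per connection to show which tunnels finished phase 1 but are stuck in Quick Mode. The following is an added example, not part of the original post or of Openswan; the function names are hypothetical, and the sample is a subset of the Box 1 lines quoted above (with the archive's "at" in place of "@").

```python
import re
from collections import defaultdict

# Subset of the Box 1 status lines from the post, used as sample input.
SAMPLE = '''\
000 #13: "ag01":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 123s; newest IPSEC; eroute owner; isakmp#11; idle; import:not set
000 #13: "ag01" esp.9ffd670c at 10.254.1.106 esp.157eed88 at 172.12.128.101 tun.0 at 10.254.1.106 tun.0 at 172.12.128.101 ref=0 refhim=4294901761
000 #11: "ag01":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 402s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set
000 #4: "ag02":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 126s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #16: "ag02":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 9s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #14: "ag02":500 STATE_QUICK_R1 (sent QR1, inbound IPsec SA installed, expecting QI2); EVENT_RETRANSMIT in 4s; lastdpd=-1s(seq in:0 out:0); idle; import:not set
000
'''

# A state line: 000 #<serial>: "<conn>":<port> STATE_xxx (<description>); ...
STATE_LINE = re.compile(r'^000 #(\d+): "([^"]+)"\S* (STATE_\w+) \(([^)]*)\)')


def summarize(status_text):
    """Per connection: is an ISAKMP SA up, is an IPsec SA up, and which
    Quick Mode exchanges are still unfinished (serial, state)."""
    conns = defaultdict(lambda: {"isakmp": False, "ipsec": False, "pending": []})
    for line in status_text.splitlines():
        m = STATE_LINE.match(line.strip())
        if not m:
            continue  # esp./tun. detail lines and the bare "000" terminator
        serial, conn, state, desc = m.groups()
        entry = conns[conn]
        if "ISAKMP SA established" in desc:
            entry["isakmp"] = True
        elif "IPsec SA established" in desc:
            entry["ipsec"] = True
        elif state.startswith("STATE_QUICK_"):
            # e.g. "inbound IPsec SA installed" is not yet "established"
            entry["pending"].append((int(serial), state))
    return dict(conns)


def phase2_missing(status_text):
    """Connections with an ISAKMP SA but no established IPsec SA."""
    return sorted(name for name, e in summarize(status_text).items()
                  if e["isakmp"] and not e["ipsec"])


if __name__ == "__main__":
    for name in phase2_missing(SAMPLE):
        print(name, "phase 1 up, phase 2 pending:", summarize(SAMPLE)[name]["pending"])
```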

