[Openswan Users] ISAKMP SA but no Ipsec SA for 2nd tunnel
Avesh Agarwal
avagarwa at redhat.com
Fri Mar 5 15:29:21 EST 2010
On 03/05/2010 03:22 PM, Gupta, Deepak (Deepak) wrote:
> Hi All,
>
> I also found out that if each of these tunnels is brought up one at a time the second one fails with:
>
> [root at proto1 ipsec.d]# ipsec auto --up ag01
> 104 "ag01" #3: STATE_MAIN_I1: initiate
> 003 "ag01" #3: received Vendor ID payload [Openswan (this version) 2.6.14 ]
> 003 "ag01" #3: received Vendor ID payload [Dead Peer Detection]
> 106 "ag01" #3: STATE_MAIN_I2: sent MI2, expecting MR2
> 108 "ag01" #3: STATE_MAIN_I3: sent MI3, expecting MR3
> 003 "ag01" #3: received Vendor ID payload [CAN-IKEv2]
> 004 "ag01" #3: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
> 117 "ag01" #4: STATE_QUICK_I1: initiate
> 003 "ag01" #4: cannot route -- route already in use for "ag02"
> 032 "ag01" #4: STATE_QUICK_I1: internal error
> 003 "ag01" #4: cannot route -- route already in use for "ag02"
> 032 "ag01" #4: STATE_QUICK_I1: internal error
> 003 "ag01" #4: cannot route -- route already in use for "ag02"
> 032 "ag01" #4: STATE_QUICK_I1: internal error
> 003 "ag01" #4: cannot route -- route already in use for "ag02"
> 032 "ag01" #4: STATE_QUICK_I1: internal error
>
>
> > From what I can tell this is fixed in 2.6.19
> * Patch for "route already in use" when using two different IP's
> to talk to the same remote IP using two tunnels
>
> If this is correct, then does this version of openswan require a specific version of the redhat kernel or can I
> Install either 2.6.19 or 2.6.21 on a RHEL 5.3 kernel?
>
I assume that it should work fine if you are using NETKEY.
Avesh
> Many thanks for your input,
>
> -Deepak
>
>
>
> -----Original Message-----
> From: Gupta, Deepak (Deepak)
> Sent: Friday, March 05, 2010 1:18 PM
> To: 'users at openswan.org'
> Subject: ISAKMP SA but no Ipsec SA for 2nd tunnel
>
>
>
> Hello,
>
> I am trying a simple setup of 2 tunnels using PSK between 2 RHEL 5.3 boxes running openswan 2.6.14 version. Each tunnel establishes (both the ISAKMP and Ipsec SA establish) individually, however, when I setup ipsec.conf to turn both on at the same time, only one establishes both the ISAKMP and Ipsec SA's, the other only establishes the ISAKMP SA and not the Ipsec SA.
>
> Here is the status output for each box:
>
> Box 1:
>
> 000 #13: "ag01":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 123s; newest IPSEC; eroute owner; isakmp#11; idle; import:not set 000 #13: "ag01" esp.9ffd670c at 10.254.1.106 esp.157eed88 at 172.12.128.101 tun.0 at 10.254.1.106 tun.0 at 172.12.128.101 ref=0 refhim=4294901761 000 #11: "ag01":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 402s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set 000 #10: "ag01":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 15s; isakmp#8; idle; import:admin initiate 000 #10: "ag01" esp.1107a7c1 at 10.254.1.106 esp.f32ab75f at 172.12.128.101 tun.0 at 10.254.1.106 tun.0 at 172.12.128.101 ref=0 refhim=4294901761 000 #8: "ag01":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 301s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate 000 #4: "ag02":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 126s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate 000
> #16: "ag02":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 9s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate 000 #14: "ag02":500 STATE_QUICK_R1 (sent QR1, inbound IPsec SA installed, expecting QI2); EVENT_RETRANSMIT in 4s; lastdpd=-1s(seq in:0 out:0); idle; import:not set 000 #12: "ag02":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 422s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate 000
>
> Box 2:
>
> 000 #29: "ag01":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 73s; newest IPSEC; eroute owner; isakmp#12; idle; import:admin initiate 000 #29: "ag01" esp.3fa588e9 at 172.12.128.101 esp.93193cac at 10.254.1.106 tun.0 at 172.12.128.101 tun.0 at 10.254.1.106 ref=0 refhim=4294901761 000 #24: "ag01":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_EXPIRE in 148s; isakmp#12; idle; import:admin initiate 000 #24: "ag01" esp.6f841552 at 172.12.128.101 esp.acf4efb3 at 10.254.1.106 tun.0 at 172.12.128.101 tun.0 at 10.254.1.106 ref=0 refhim=4294901761 000 #21: "ag01":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_EXPIRE in 64s; isakmp#12; idle; import:admin initiate 000 #21: "ag01" esp.209dc650 at 172.12.128.101 esp.c7463ad5 at 10.254.1.106 tun.0 at 172.12.128.101 tun.0 at 10.254.1.106 ref=0 refhim=4294901761 000 #12: "ag01":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 62s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate 000 #9
> : "ag01":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 103s; lastdpd=-1s(seq in:0 out:0); idle; import:not set 000 #4: "ag02":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 22s; lastdpd=-1s(seq in:0 out:0); idle; import:not set 000 #28: "ag02":500 STATE_QUICK_R0 (expecting QI1); EVENT_CRYPTO_FAILED in 269s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate 000 #26: "ag02":500 STATE_QUICK_R0 (expecting QI1); EVENT_CRYPTO_FAILED in 197s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate 000 #23: "ag02":500 STATE_QUICK_R0 (expecting QI1); EVENT_CRYPTO_FAILED in 124s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate 000 #20: "ag02":500 STATE_QUICK_R0 (expecting QI1); EVENT_CRYPTO_FAILED in 47s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate 000 #16: "ag02":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_CRYPTO_FAILED in 287s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate 000 #13:
> "ag02":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 7s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate 000
>
> Am I missing something obvious?
>
> -Deepak
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>
More information about the Users
mailing list