[Openswan Users] multiple subnet with freeswan and openswan, first both are up, then one is down
Laurent Jouannic
laurent.jouannic at cbsa.fr
Wed Mar 24 04:57:02 EDT 2010
Hi to the ML,
I want to set up multiple subnets between an openswan and a freeswan gw.
At first, both VPNs are up, but after a certain time the second VPN goes down.
Here is my configuration:
conn tunna:
subnetA(192.168.a.0)--------[freeswan]----0.0.0.0----[openswan]------subnetC(192.168.c.0)
conn tunnb:
subnetB(192.168.b.0)--------[freeswan]----0.0.0.0----[openswan]------subnetC(192.168.b.0)
So I use:
conn tunn: [freeswan]----0.0.0.0----[openswan]
with the 'also' ipsec command.
ipsec.conf
----------
[openswan]
config setup
nhelpers=0
conn tunna
leftsubnet=192.168.c.0/24
rightsubnet=192.168.a.0/24
also=tunn
conn tunnb
leftsubnet=192.168.c.0/24
rightsubnet=192.168.b.0/24
also=tunn
conn tunn
left=$IpLeft
leftnexthop=$IPleftNextHop
right=$IpRight
rightnexthop=$IpRightNextHop
auto=start
authby=rsasig
leftid=@c.tunn.com
rightid=@ab.tunn.com
ike=aes256-md5-modp1536
esp=aes256-md5
keyexchange=ike
ikelifetime=1h
keylife=1h
keyingtries=3
auth=esp
leftrsasigkey=0s1.....==
rightrsasigkey=0s2....==
include /etc/ipsec.d/examples/no_oe.conf
[freeswan]
conn tunna
leftsubnet=192.168.a.0/24
rightsubnet=192.168.c.0/24
also=tunn
conn tunnb
leftsubnet=192.168.b.0/24
rightsubnet=192.168.c.0/24
also=tunn
conn tunn
left=$IpLeft
leftnexthop=$IPleftNextHop
right=$IpRight
rightnexthop=$IpRightNextHop
auto=start
authby=rsasig
ike=aes256-md5-modp1536
esp=aes256-md5
keyexchange=ike
keyingtries=3
ikelifetime=1h
keylife=1h
auth=esp
leftid=@ab.tunn.com
rightid=@c.tunn.com
leftrsasigkey=0s2
rightrsasigkey=0s1
At first, all tunnels are up, but after a certain lapse of time:
- both tunnels are up on the freeswan side
- only one tunnel is up on the openswan side
Mar 24 07:01:31 fw2 pluto[20611]: "tunnb" #11: STATE_QUICK_R2: IPsec SA
established {ESP=>0xda27d683 <0xcccaaf13 xfrm=AES_256-HMAC_MD5
IPCOMP=>0x0000cb30 <0x0000d068 NATD=none DPD=none}
Mar 24 07:07:45 fw2 pluto[20611]: "tunnb" #13: initiating Main Mode to
replace #9
Mar 24 07:07:45 fw2 pluto[20611]: "tunnb" #13: received Vendor ID
payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
Mar 24 07:07:45 fw2 pluto[20611]: "tunnb" #13: enabling possible
NAT-traversal with method RFC 3947 (NAT-Traversal)
Mar 24 07:07:45 fw2 pluto[20611]: "tunnb" #13: transition from state
STATE_MAIN_I1 to state STATE_MAIN_I2
Mar 24 07:07:45 fw2 pluto[20611]: "tunnb" #13: STATE_MAIN_I2: sent MI2,
expecting MR2
Mar 24 07:07:45 fw2 pluto[20611]: "tunnb" #13: I did not send a
certificate because I do not have one.
Mar 24 07:07:45 fw2 pluto[20611]: "tunnb" #13: NAT-Traversal: Result
using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
Mar 24 07:07:45 fw2 pluto[20611]: "tunnb" #13: transition from state
STATE_MAIN_I2 to state STATE_MAIN_I3
Mar 24 07:07:45 fw2 pluto[20611]: "tunnb" #13: STATE_MAIN_I3: sent MI3,
expecting MR3
Mar 24 07:07:45 fw2 pluto[20611]: "tunnb" #13: Main mode peer ID is
ID_FQDN: '@ab.tunn.com'
Mar 24 07:07:45 fw2 pluto[20611]: "tunnb" #13: transition from state
STATE_MAIN_I3 to state STATE_MAIN_I4
Mar 24 07:07:45 fw2 pluto[20611]: "tunnb" #13: STATE_MAIN_I4: ISAKMP SA
established {auth=OAKLEY_RSA_SIG cipher=aes_256 prf=oakley_md5
group=modp1536}
Mar 24 07:18:04 fw2 pluto[20611]: "tunnb" #13: ignoring Delete SA
payload: PROTO_IPSEC_ESP SA(0xda27d67d) not found (maybe expired)
Mar 24 07:18:04 fw2 pluto[20611]: "tunnb" #13: received and ignored
informational message
Mar 24 07:18:29 fw2 pluto[20611]: "tunnb" #13: ignoring Delete SA
payload: PROTO_IPSEC_ESP SA(0xda27d67e) not found (maybe expired)
Mar 24 07:18:29 fw2 pluto[20611]: "tunnb" #13: received and ignored
informational message
Mar 24 07:19:27 fw2 pluto[20611]: "tunnb" #13: ignoring Delete SA
payload: PROTO_IPSEC_ESP SA(0xda27d67f) not found (maybe expired)
Mar 24 07:19:27 fw2 pluto[20611]: "tunnb" #13: received and ignored
informational message
Mar 24 07:52:02 fw2 pluto[20611]: "tunnb" #15: responding to Quick Mode
{msgid:2df8ae0c}
Mar 24 07:52:02 fw2 pluto[20611]: "tunnb" #15: transition from state
STATE_QUICK_R0 to state STATE_QUICK_R1
Mar 24 07:52:02 fw2 pluto[20611]: "tunnb" #15: STATE_QUICK_R1: sent QR1,
inbound IPsec SA installed, expecting QI2
Mar 24 07:52:02 fw2 pluto[20611]: "tunnb" #15: transition from state
STATE_QUICK_R1 to state STATE_QUICK_R2
Mar 24 07:52:02 fw2 pluto[20611]: "tunnb" #15: STATE_QUICK_R2: IPsec SA
established {ESP=>0xda27d68c <0xf2297cdd xfrm=AES_256-HMAC_MD5
IPCOMP=>0x0000cb31 <0x0000354f NATD=none DPD=none}
Mar 24 07:52:49 fw2 pluto[20611]: "tunnb" #17: initiating Main Mode to
replace #13
Mar 24 07:52:49 fw2 pluto[20611]: "tunnb" #17: received Vendor ID
payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
Mar 24 07:52:49 fw2 pluto[20611]: "tunnb" #17: enabling possible
NAT-traversal with method RFC 3947 (NAT-Traversal)
Mar 24 07:52:49 fw2 pluto[20611]: "tunnb" #17: transition from state
STATE_MAIN_I1 to state STATE_MAIN_I2
Mar 24 07:52:49 fw2 pluto[20611]: "tunnb" #17: STATE_MAIN_I2: sent MI2,
expecting MR2
Mar 24 07:52:49 fw2 pluto[20611]: "tunnb" #17: I did not send a
certificate because I do not have one.
Mar 24 07:52:49 fw2 pluto[20611]: "tunnb" #17: NAT-Traversal: Result
using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
Mar 24 07:52:49 fw2 pluto[20611]: "tunnb" #17: transition from state
STATE_MAIN_I2 to state STATE_MAIN_I3
Mar 24 07:52:49 fw2 pluto[20611]: "tunnb" #17: STATE_MAIN_I3: sent MI3,
expecting MR3
Mar 24 07:52:49 fw2 pluto[20611]: "tunnb" #17: Main mode peer ID is
ID_FQDN: '@ab.tunn.com'
Mar 24 07:52:49 fw2 pluto[20611]: "tunnb" #17: transition from state
STATE_MAIN_I3 to state STATE_MAIN_I4
Mar 24 07:52:49 fw2 pluto[20611]: "tunnb" #17: STATE_MAIN_I4: ISAKMP SA
established {auth=OAKLEY_RSA_SIG cipher=aes_256 prf=oakley_md5
group=modp1536}
Mar 24 08:01:19 fw2 pluto[20611]: "tunnb" #17: ignoring Delete SA
payload: PROTO_IPSEC_ESP SA(0xda27d682) not found (maybe expired)
Mar 24 08:01:19 fw2 pluto[20611]: "tunnb" #17: received and ignored
informational message
Mar 24 08:01:32 fw2 pluto[20611]: "tunnb" #17: ignoring Delete SA
payload: PROTO_IPSEC_ESP SA(0xda27d683) not found (maybe expired)
Mar 24 08:01:32 fw2 pluto[20611]: "tunnb" #17: received and ignored
informational message
Mar 24 08:06:38 fw2 pluto[20611]: "tunnb" #17: ignoring Delete SA
payload: PROTO_IPSEC_ESP SA(0xda27d687) not found (maybe expired)
Mar 24 08:06:38 fw2 pluto[20611]: "tunnb" #17: received and ignored
informational message
I got multiple:
ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xda27d682) not found
(maybe expired)
if I do:
ipsec auto --up tunnb
then tunnb is up again...
What could I do instead of a crontab 'ipsec auto --up tunnb'?
Or what is wrong?
Cheers.
laurent.
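Added example, not part of Laurent's post and not openswan or freeswan code: a small Python script that correlates the two kinds of pluto lines quoted above, "IPsec SA established {ESP=>outbound <inbound ...}" and "ignoring Delete SA payload: PROTO_IPSEC_ESP SA(spi) not found", per connection. Doing this by hand on the log above shows that the SPI 0xda27d683 the peer deletes at 08:01:32 is the outbound SPI of SA #11 established at 07:01:31, one keylife (1h) earlier, so pluto had already let that SA go before the peer's Delete arrived. The script assumes the openswan 2.x log line layout shown in the post (the `"conn" #state:` prefix, outbound SPI after `ESP=>`, inbound after `<`); the sample lines are the post's own lines with the mail wrapping undone, plus one constructed final Delete so that the "current SA gone" branch is exercised. The script name and all function names are mine.

```python
#!/usr/bin/env python3
"""pluto_sa_check.py: per-connection correlation of pluto ESP SA events.

Distinguishes a peer Delete for an older, already-replaced ESP SA (harmless
cleanup) from a Delete for the newest SA we know of that pluto no longer has
(the tunnel is down until someone runs 'ipsec auto --up <conn>')."""
import re
import sys
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the first five lines are pluto lines from the post
# (line wrapping undone); the last line is invented to show the DOWN case.
SAMPLE_LOG = """\
Mar 24 07:01:31 fw2 pluto[20611]: "tunnb" #11: STATE_QUICK_R2: IPsec SA established {ESP=>0xda27d683 <0xcccaaf13 xfrm=AES_256-HMAC_MD5 IPCOMP=>0x0000cb30 <0x0000d068 NATD=none DPD=none}
Mar 24 07:07:45 fw2 pluto[20611]: "tunnb" #13: initiating Main Mode to replace #9
Mar 24 07:18:04 fw2 pluto[20611]: "tunnb" #13: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xda27d67d) not found (maybe expired)
Mar 24 07:52:02 fw2 pluto[20611]: "tunnb" #15: STATE_QUICK_R2: IPsec SA established {ESP=>0xda27d68c <0xf2297cdd xfrm=AES_256-HMAC_MD5 IPCOMP=>0x0000cb31 <0x0000354f NATD=none DPD=none}
Mar 24 08:01:32 fw2 pluto[20611]: "tunnb" #17: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xda27d683) not found (maybe expired)
Mar 24 08:52:10 fw2 pluto[20611]: "tunnb" #17: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xda27d68c) not found (maybe expired)
"""

# Syslog prefix, then pluto's '"conn" #state: message' layout.
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$')
# Outbound SPI follows "ESP=>", inbound SPI follows "<".
ESTAB_RE = re.compile(
    r'IPsec SA established \{ESP=>(?P<out>0x[0-9a-f]+) <(?P<in>0x[0-9a-f]+)')
DELETE_RE = re.compile(
    r'ignoring Delete SA payload: PROTO_IPSEC_ESP SA\((?P<spi>0x[0-9a-f]+)\) not found')
REPLACE_RE = re.compile(r'initiating Main Mode to replace #(?P<old>\d+)')


@dataclass
class ConnReport:
    established: List[Tuple[str, int, str, str]] = field(default_factory=list)  # ts, state#, out, in
    stale_deletes: List[Tuple[str, str]] = field(default_factory=list)     # Delete for an older SA
    deleted_current: List[Tuple[str, str]] = field(default_factory=list)   # Delete for the newest SA
    unknown_deletes: List[Tuple[str, str]] = field(default_factory=list)   # SPI never logged here
    isakmp_replacements: List[Tuple[str, int, int]] = field(default_factory=list)  # ts, new#, old#
    current_out: Optional[str] = None   # outbound SPI of the newest ESP SA
    current_alive: bool = False

    def tunnel_likely_down(self) -> bool:
        """No ESP SA ever established, or the newest one was deleted by the
        peer and no later Quick Mode replaced it."""
        return self.current_out is None or not self.current_alive


def analyze(log_text: str) -> Dict[str, ConnReport]:
    reports: Dict[str, ConnReport] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a pluto state line (or a wrapped fragment)
        ts, conn, state, msg = m.group('ts'), m.group('conn'), int(m.group('state')), m.group('msg')
        rep = reports.setdefault(conn, ConnReport())
        e = ESTAB_RE.search(msg)
        d = DELETE_RE.search(msg)
        r = REPLACE_RE.search(msg)
        if e:
            rep.established.append((ts, state, e.group('out'), e.group('in')))
            rep.current_out, rep.current_alive = e.group('out'), True
        elif d:
            spi = d.group('spi')
            if spi == rep.current_out and rep.current_alive:
                # Peer still considered our newest SA live; pluto had already
                # dropped it ("not found") and nothing newer was negotiated.
                rep.current_alive = False
                rep.deleted_current.append((ts, spi))
            elif spi in {x[2] for x in rep.established}:
                rep.stale_deletes.append((ts, spi))
            else:
                rep.unknown_deletes.append((ts, spi))
        elif r:
            rep.isakmp_replacements.append((ts, state, int(r.group('old'))))
    return reports


def summarize(reports: Dict[str, ConnReport]) -> List[str]:
    out = []
    for conn, rep in sorted(reports.items()):
        status = 'DOWN' if rep.tunnel_likely_down() else 'up'
        out.append(f'{conn}: {status}; {len(rep.established)} ESP SA(s) established, '
                   f'{len(rep.isakmp_replacements)} ISAKMP replacement(s), '
                   f'{len(rep.stale_deletes)} delete(s) for older SAs, '
                   f'{len(rep.unknown_deletes)} delete(s) for unknown SPIs')
        for ts, spi in rep.deleted_current:
            out.append(f'  {ts}: peer deleted {spi}, the newest ESP SA here, '
                       f'which pluto had already dropped; no replacement logged')
    return out


if __name__ == '__main__':
    # Pass a log file path (e.g. /var/log/auth.log) to analyse it; otherwise
    # the embedded sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print('\n'.join(summarize(analyze(text))))
```

Running it on the sample prints `tunnb: DOWN; ...` followed by the line naming 0xda27d68c. Pointed at the real pluto log it gives a per-connection verdict that can gate a restart (only run `ipsec auto --up` for a conn the report calls DOWN) instead of blindly re-upping from cron, and the count of ISAKMP replacements next to zero new ESP SAs is the first thing to look at when comparing the two gateways' rekey behaviour.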