[Openswan Users] IPsec.conf connection order

Troy Telford ttelford.groups at gmail.com
Tue Sep 21 15:55:14 EDT 2010


On Tuesday, September 21, 2010 12:29:59 pm Paul Wouters wrote:
> On Tue, 21 Sep 2010, Troy Telford wrote:
> > I'm having some trouble with my understanding of ipsec.conf;
> > specifically, I'm not understanding how Openswan determines which
> > connection is being made.
> > 
> > In fact, it doesn't seem to matter that there are two pure IPsec
> > connection types (one that is just the local subnet, the other is the
> > 0.0.0.0/0).  It seems that no matter what I try, the first connection
> > is the one that is used, regardless of anything that follows.
> 
> If the phase1 of two conns is equal, openswan has to pick one. It might
> realise later by the different phase parameters that it needs to use the
> other conn, and it will then do so. So the name at first can be
> misleading, but there is no way of telling at that point.
> 
> Paul

One note:  in the config I first posted, there's a line:
        also=roadwarrior-l2tp
that shouldn't be there.

The problem I'm seeing is that my 'roadwarrior-all' connection is first:

If I take a client and attempt to connect with L2TP (which should be the 
roadwarrior-l2tp connection), the farthest anything gets is phase 1.

pluto tries roadwarrior-all for phase 1:

pluto[6022]: "roadwarrior-all"[3] 72.254.127.24 #7: STATE_MAIN_R3: sent MR3, 
ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 
prf=oakley_sha group=modp1024}
pluto[6022]: "roadwarrior-all"[3] 72.254.127.24 #7: Dead Peer Detection (RFC 
3706): enabled
pluto[6022]: "roadwarrior-all"[3] 72.254.127.24 #7: ignoring informational 
payload, type IPSEC_INITIAL_CONTACT msgid=00000000
pluto[6022]: "roadwarrior-all"[3] 72.254.127.24 #7: received and ignored 
informational message
pluto[6022]: "roadwarrior-all"[3] 72.254.127.24 #7: the peer proposed: 
76.27.20.26/32:0/0 -> 172.17.10.34/32:0/0
pluto[6022]: "roadwarrior-all"[3] 72.254.127.24 #8: we require PFS but Quick 
I1 SA specifies no GROUP_DESCRIPTION
pluto[6022]: "roadwarrior-all"[3] 72.254.127.24 #8: discarding duplicate 
packet; already STATE_QUICK_R0

Shortly after that, the VPN client disconnects.  There is no 'realization' 
that there are different phase parameters in 'roadwarrior-l2tp' (ie. tunnel vs 
transport mode, pfs=on vs off, righsubnet, left/right protoport, etc.)

If I have the L2TP conn first, then l2tp connects - but when I connect with a 
pure IPsec client, phase 2 connects via the l2tp conn, using transport mode 
instead of tunnel mode, etc.  Again, Pluto doesn't seem to know that 

I've seen more than a few ipsec.conf files that have something similar to 
'roadwarror-all', and then a conn like 'roadwarrior-l2tp' - and they report 
both work.  

I'm wondering what I'm doing wrong, or if you really can't have both IPsec and 
L2TP road warriors connecting via x.509 certificates...


More information about the Users mailing list