[Openswan Users] IPsec.conf connection order

Tue Sep 21 15:55:14 EDT 2010

On Tuesday, September 21, 2010 12:29:59 pm Paul Wouters wrote:
> On Tue, 21 Sep 2010, Troy Telford wrote:
> > I'm having some trouble with my understanding of ipsec.conf;
> > specifically, I'm not understanding how Openswan determines which
> > connection is being made.
> > 
> > In fact, it doesn't seem to matter that there are two pure IPsec
> > connection types (one that is just the local subnet, the other is the
> > 0.0.0.0/0).  It seems that no matter what I try, the first connection
> > is the one that is used, regardless of anything that follows.
> 
> If the phase1 of two conns is equal, openswan has to pick one. It might
> realise later by the different phase parameters that it needs to use the
> other conn, and it will then do so. So the name at first can be
> misleading, but there is no way of telling at that point.
> 
> Paul

One note:  in the config I first posted, there's a line:
        also=roadwarrior-l2tp
that shouldn't be there.

The problem I'm seeing is that my 'roadwarrior-all' connection is first:

If I take a client and attempt to connect with L2TP (which should be the 
roadwarrior-l2tp connection), the farthest anything gets is phase 1.

pluto tries roadwarrior-all for phase 1:

pluto[6022]: "roadwarrior-all"[3] 72.254.127.24 #7: STATE_MAIN_R3: sent MR3, 
ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 
prf=oakley_sha group=modp1024}
pluto[6022]: "roadwarrior-all"[3] 72.254.127.24 #7: Dead Peer Detection (RFC 
3706): enabled
pluto[6022]: "roadwarrior-all"[3] 72.254.127.24 #7: ignoring informational 
payload, type IPSEC_INITIAL_CONTACT msgid=00000000
pluto[6022]: "roadwarrior-all"[3] 72.254.127.24 #7: received and ignored 
informational message
pluto[6022]: "roadwarrior-all"[3] 72.254.127.24 #7: the peer proposed: 
76.27.20.26/32:0/0 -> 172.17.10.34/32:0/0
pluto[6022]: "roadwarrior-all"[3] 72.254.127.24 #8: we require PFS but Quick 
I1 SA specifies no GROUP_DESCRIPTION
pluto[6022]: "roadwarrior-all"[3] 72.254.127.24 #8: discarding duplicate 
packet; already STATE_QUICK_R0

Shortly after that, the VPN client disconnects.  There is no 'realization' 
that there are different phase parameters in 'roadwarrior-l2tp' (ie. tunnel vs 
transport mode, pfs=on vs off, righsubnet, left/right protoport, etc.)

If I have the L2TP conn first, then l2tp connects - but when I connect with a 
pure IPsec client, phase 2 connects via the l2tp conn, using transport mode 
instead of tunnel mode, etc.  Again, Pluto doesn't seem to know that 

I've seen more than a few ipsec.conf files that have something similar to 
'roadwarror-all', and then a conn like 'roadwarrior-l2tp' - and they report 
both work.  

I'm wondering what I'm doing wrong, or if you really can't have both IPsec and 
L2TP road warriors connecting via x.509 certificates...