[Openswan Users] Openswan 2.6.24 => Juniper SRX
Scott T. Cameron
routehero at gmail.com
Fri Jan 28 14:01:56 EST 2011
For some reason, this IPSEC setup is giving me grief.
The linux box has an external IP on one interface, private IP on another
interface. Remote SRX has a similar setup.
Tunnel #1 will establish. Shortly after, hosts on the Linux-side will cause
Linux openswan to do "initiate on demand" for additional tunnels.
Jan 28 19:53:24 pluto[16783]: "idc" #1: Main mode peer ID is ID_IPV4_ADDR: '74.115.217.200'
Jan 28 19:53:24 pluto[16783]: "idc" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jan 28 19:53:24 pluto[16783]: "idc" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}
Jan 28 19:53:24 pluto[16783]: "idc" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1 msgid:10363b3c proposal=AES(12)_128-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
Jan 28 19:53:24 pluto[16783]: initiate on demand from 192.168.90.63:35718 to 172.30.77.45:514 proto=6 state: fos_start because: acquire
Jan 28 19:53:24 pluto[16783]: "idc" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1 msgid:35785a77 proposal=AES(12)_128-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
Jan 28 19:53:25 pluto[16783]: initiate on demand from 192.168.90.62:39367 to 172.30.77.45:514 proto=6 state: fos_start because: acquire
Jan 28 19:53:25 pluto[16783]: "idc" #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1 msgid:5ecd6abe proposal=AES(12)_128-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
Jan 28 19:53:25 pluto[16783]: initiate on demand from 192.168.90.53:57649 to 172.30.77.45:514 proto=6 state: fos_start because: acquire
Jan 28 19:53:25 pluto[16783]: "idc" #5: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1 msgid:16951daf proposal=AES(12)_128-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
Jan 28 19:53:25 pluto[16783]: initiate on demand from 192.168.90.56:54443 to 172.30.77.45:514 proto=6 state: fos_start because: acquire
Jan 28 19:53:25 pluto[16783]: "idc" #6: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1 msgid:76919e72 proposal=AES(12)_128-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
Jan 28 19:53:26 pluto[16783]: initiate on demand from 192.168.90.51:40954 to 172.30.77.45:514 proto=6 state: fos_start because: acquire
Jan 28 19:53:26 pluto[16783]: "idc" #7: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1 msgid:e2df2600 proposal=AES(12)_128-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
The config is fairly basic. The initiate on demands won't stop -- it goes
into the thousands.
conn dc
	auto=start
	pfs=yes
	authby=secret
	ikev2=no
	ike=aes128-sha1
	phase2alg=aes128-sha1
	salifetime=8h
	ikelifetime=1h
	type=tunnel
	rekey=yes
	left=89.202.x.x
	leftsourceip=192.168.90.200
	leftsubnet=192.168.90.0/24
	right=74.115.x.x
	rightsubnet=172.30.0.0/16
Any clues why it's not using the already established tunnel?
Thanks.
Scott
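The first thing a reviewer would check in a pluto log like the one above is whether phase 2 ever completes: the excerpt shows "ISAKMP SA established" and a string of "initiating Quick Mode" lines, but no "IPsec SA established" line, and every kernel acquire ("initiate on demand") targets the same destination. The script below is an added example, not code from the post or from Openswan; it parses lines in the format shown, counts phase 1 completions, Quick Mode initiations and phase 2 completions, groups acquires per destination flow, and flags an acquire storm when Quick Mode keeps being started without an IPsec SA ever coming up. The two log excerpts embedded in it are constructed to mirror the post's format; addresses, ports, msgids and SPIs are illustrative placeholders, and the `storm_threshold` parameter is an assumption of this example.

```python
import re
from collections import Counter

# Constructed sample excerpts modelled on the pluto log format in the post.
# Addresses, ports, msgids and SPIs are illustrative placeholders.
ACQUIRE_STORM_LOG = """\
Jan 28 19:53:24 pluto[16783]: "idc" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}
Jan 28 19:53:24 pluto[16783]: "idc" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1 msgid:10363b3c proposal=AES(12)_128-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
Jan 28 19:53:24 pluto[16783]: initiate on demand from 192.168.90.63:35718to 172.30.77.45:514 proto=6 state: fos_start because: acquire
Jan 28 19:53:24 pluto[16783]: "idc" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1 msgid:35785a77 proposal=AES(12)_128-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
Jan 28 19:53:25 pluto[16783]: initiate on demand from 192.168.90.62:39367 to 172.30.77.45:514 proto=6 state: fos_start because: acquire
Jan 28 19:53:25 pluto[16783]: "idc" #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1 msgid:5ecd6abe proposal=AES(12)_128-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
Jan 28 19:53:25 pluto[16783]: initiate on demand from 192.168.90.53:57649 to 172.30.77.45:514 proto=6 state: fos_start because: acquire
Jan 28 19:53:25 pluto[16783]: "idc" #5: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1 msgid:16951daf proposal=AES(12)_128-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
"""

# Constructed healthy counterpart: one acquire, one Quick Mode, phase 2 completes.
HEALTHY_LOG = """\
Jan 28 20:00:01 pluto[16783]: "idc" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}
Jan 28 20:00:01 pluto[16783]: initiate on demand from 192.168.90.63:35718 to 172.30.77.45:514 proto=6 state: fos_start because: acquire
Jan 28 20:00:01 pluto[16783]: "idc" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1 msgid:0a0a0a0a proposal=AES(12)_128-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
Jan 28 20:00:02 pluto[16783]: "idc" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x0000dead <0x0000beef xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
"""

# The "\s*to\s*" tolerates the missing space seen in mail-wrapped copies ("35718to").
ACQUIRE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+pluto\[\d+\]:\s+'
    r'initiate on demand from (?P<src>[\d.]+):(?P<sport>\d+)\s*to\s*'
    r'(?P<dst>[\d.]+):(?P<dport>\d+)\s+proto=(?P<proto>\d+)')
QUICK_MODE_RE = re.compile(r'"(?P<conn>[^"]+)" #(?P<state>\d+): initiating Quick Mode')
ISAKMP_UP_RE = re.compile(r'"(?P<conn>[^"]+)" #(?P<state>\d+): .*ISAKMP SA established')
IPSEC_UP_RE = re.compile(r'"(?P<conn>[^"]+)" #(?P<state>\d+): .*IPsec SA established')


def parse_acquires(text):
    """Return one dict (ts, src, sport, dst, dport, proto) per kernel acquire line."""
    acquires = []
    for line in text.splitlines():
        m = ACQUIRE_RE.match(line)
        if m:
            acquires.append(m.groupdict())
    return acquires


def analyze(text, storm_threshold=3):
    """Summarise phase 1 / phase 2 progress and flag acquire storms.

    storm_threshold (assumed value): acquires for one (dst, dport, proto)
    flow that count as a storm when no IPsec SA ever comes up.
    """
    acquires = parse_acquires(text)
    lines = text.splitlines()
    quick_mode = sum(1 for l in lines if QUICK_MODE_RE.search(l))
    isakmp_up = sum(1 for l in lines if ISAKMP_UP_RE.search(l))
    ipsec_up = sum(1 for l in lines if IPSEC_UP_RE.search(l))

    per_flow = Counter((a['dst'], a['dport'], a['proto']) for a in acquires)
    per_second = Counter(a['ts'] for a in acquires)

    findings = []
    if quick_mode and not ipsec_up:
        # Phase 2 keeps being started but never reaches "IPsec SA established",
        # so the kernel policy has no SA to use and keeps raising acquires.
        findings.append('phase2_never_completes')
    if not ipsec_up:
        for (dst, dport, proto), n in sorted(per_flow.items()):
            if n >= storm_threshold:
                findings.append(f'acquire_storm:{dst}:{dport}/{proto}:{n}')

    return {
        'acquires': acquires,
        'acquires_per_flow': per_flow,
        'peak_acquires_per_second': max(per_second.values(), default=0),
        'quick_mode_initiations': quick_mode,
        'isakmp_sa_established': isakmp_up,
        'ipsec_sa_established': ipsec_up,
        'findings': findings,
    }


if __name__ == '__main__':
    for name, log in (('storm', ACQUIRE_STORM_LOG), ('healthy', HEALTHY_LOG)):
        r = analyze(log)
        print(name, r['findings'], 'acquires:', len(r['acquires']),
              'quick mode:', r['quick_mode_initiations'],
              'ipsec up:', r['ipsec_sa_established'])
```

Run it against a real /var/log/secure (or wherever pluto logs on the host) by reading the file into `analyze()`; a `phase2_never_completes` finding narrows the question to the phase 2 exchange (proposal, PFS group and subnet selectors on both ends), while a clean run with a single acquire per flow is what a working tunnel looks like.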