[Openswan Users] Multiple connections between 2 IPsec speakers

[Dmitriy Samovskiy]

Hello,

We are running Ubuntu Lucid, Openswan 2.6.23 connecting to
non-Openswan IPsec devices.

With us on the left, at times we need to have more than one subnet on
the right behind a single remote endpoint. I have been doing it with
multiple "conn XXX" sections - they are nearly identical except for
name of the connection and rightsubnet.

We sometimes must delete individual connections dynamically - we do it
with "ipsec auto --delete" because we can't touch other connections
(we also add dynamically when necessary).

Here is a problem that I observed today. Say I have "conn a" between
my Openswan and remote Ipsec device. IKE SA gets established, then
IPSEC SA. IKE SA is attached to "conn a". Then I add "conn b" and
"conn c" between the same endpoints. Over the course of time, it looks
like IKE SA (that is shared between all of them since it's one per
remote endpoint) got re-negotiated/re-established on "conn b". Then we
have to delete (b) - and we do. But then Openswan logs the following
and gets stuck until I restart it:

: DPD Error: could not find newest phase 1 state

(Openswan was in this bad state for more than 1 hour before I
restarted, this was the last line in log - no logging for 1+ hours
after this line)

Generally, I was wondering what can be done about this.

More specifically, here are some questions:

1. Can I control which "conn" IKE SA will be attached to? If yes, it
solves my problem as I know "conn a" will always be the last to be
deleted.

2. Can I manually move IKE SA between Openswan connections? If yes, how.

3. Is this a known bug or feature? If yes, do you know in which
version of Openswan it was fixed?

4. Is there a better (more proper) way to do multi-subnet connections
such that subnets on remote end can be deleted or added without
affecting the rest of connections?

Thanks in advance for your help.

Cheers,
Dmitriy