[Openswan Users] Multiple connections between 2 IPsec speakers

Paul Wouters paul at xelerance.com
Thu Sep 8 14:26:46 EDT 2011


On Thu, 8 Sep 2011, Dmitriy Samovskiy wrote:

> We are running Ubuntu Lucid, Openswan 2.6.23 connecting to [...]

> With us on the left, at times we need to have more than one subnet on
> the right behind a single remote endpoint. I have been doing it with
> multiple "conn XXX" sections - they are nearly identical except for
> name of the connection and rightsubnet.
>
> We sometimes must delete individual connections dynamically - we do it
> with "ipsec auto --delete" because we can't touch other connections
> (we also add dynamically when necessary).
>
> Here is a problem that I observed today. Say I have "conn a" between
> my Openswan and remote IPsec device. IKE SA gets established, then
> IPsec SA. IKE SA is attached to "conn a". Then I add "conn b" and
> "conn c" between the same endpoints. Over the course of time, it looks
> like IKE SA (that is shared between all of them since it's one per
> remote endpoint) got re-negotiated/re-established on "conn b". Then we
> have to delete (b) - and we do. But then Openswan logs the following
> and gets stuck until I restart it:
>
> : DPD Error: could not find newest phase 1 state

v2.6.32 (December 17, 2010)
* DPD: flush_pending_by_connection() when doing a %clear on DPD timeout [dhr]

v2.6.25 (Mar 21, 2010)
* In rare circumstances, DPD could kill an active tunnel [Shinichi Furuso]

v2.6.24 (Jan 8, 2010)
* Fix for DPD with NETKEY [Frank Eberle]

Can you try and upgrade?

> 1. Can I control which "conn" IKE SA will be attached to? If yes, it
> solves my problem as I know "conn a" will always be the last to be
> deleted.

No, ISAKMP SAs are automatically shared.

> 2. Can I manually move IKE SA between Openswan connections? If yes, how.

No. This is all managed by pluto.

> 3. Is this a known bug or feature? If yes, do you know in which
> version of Openswan it was fixed?

See above.

> 4. Is there a better (more proper) way to do multi-subnet connections
> such that subnets on remote end can be deleted or added without
> affecting the rest of connections?

Nope.

Your version is pretty dated, so I'm fairly confident this issue is
already addressed. If not, please get back to us with a plutodebug=all
trace (preferably attached to a bug report, and then reported on the
mailing list).

Paul
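An added example, not from this thread or from the Openswan project: the question of which conn the shared ISAKMP SA is currently attached to can be answered from `ipsec auto --status` before running `ipsec auto --delete`, which lets a script avoid deleting the conn whose Phase 1 state the other conns depend on. The Python below parses constructed status output; it assumes pluto's state lines carry the `newest ISAKMP` marker on the current Phase 1 state and `isakmp#N` on each IPsec SA referencing its parent, which is how Openswan's status listing looks but should be checked against the version actually deployed. It is a pre-check for the operator's own deletion workflow, not a fix for the DPD bug, which Paul's reply addresses by upgrading.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample of `ipsec auto --status` output (not taken from the post).
# Three conns share one remote endpoint; the newest ISAKMP SA (#4) was negotiated
# under "b", and the IPsec SAs of "a" and "c" reference it via "isakmp#4".
SAMPLE_STATUS = """\
000 "a": 10.1.0.0/24===192.0.2.1<192.0.2.1>[+S=C]...198.51.100.7<198.51.100.7>[+S=C]===10.2.1.0/24; erouted; eroute owner: #2
000 "b": 10.1.0.0/24===192.0.2.1<192.0.2.1>[+S=C]...198.51.100.7<198.51.100.7>[+S=C]===10.2.2.0/24; erouted; eroute owner: #5
000 "c": 10.1.0.0/24===192.0.2.1<192.0.2.1>[+S=C]...198.51.100.7<198.51.100.7>[+S=C]===10.2.3.0/24; erouted; eroute owner: #6
000 #1: "a":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_EXPIRE in 120s; lastdpd=3s(seq in:0 out:0); idle
000 #2: "a":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2600s; newest IPSEC; eroute owner; isakmp#4; idle
000 #4: "b":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2950s; newest ISAKMP; lastdpd=3s(seq in:0 out:0); idle
000 #5: "b":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2700s; newest IPSEC; eroute owner; isakmp#4; idle
000 #6: "c":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2800s; newest IPSEC; eroute owner; isakmp#4; idle
"""

# Per-state line: 000 #<serial>: "<conn>":<port> STATE_xxx (<description>); <flags...>
STATE_RE = re.compile(
    r'^000 #(?P<serial>\d+): "(?P<conn>[^"]+)":\d+ (?P<state>STATE_\w+) '
    r'\((?P<desc>[^)]*)\);(?P<rest>.*)$'
)


@dataclass
class SaState:
    serial: int
    conn: str
    state: str
    newest_isakmp: bool          # this Phase 1 state is the one DPD will look for
    is_ipsec: bool               # Phase 2 (IPsec SA) rather than Phase 1
    isakmp_ref: Optional[int]    # parent ISAKMP serial, present on IPsec SA lines


def parse_states(status: str) -> List[SaState]:
    """Extract the per-state lines; connection summary lines are skipped."""
    states = []
    for line in status.splitlines():
        m = STATE_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        ref = re.search(r"isakmp#(\d+)", rest)
        states.append(SaState(
            serial=int(m.group("serial")),
            conn=m.group("conn"),
            state=m.group("state"),
            newest_isakmp="newest ISAKMP" in rest,
            is_ipsec="IPsec SA" in m.group("desc"),
            isakmp_ref=int(ref.group(1)) if ref else None,
        ))
    return states


def isakmp_owner(status: str) -> Optional[str]:
    """Name of the conn whose Phase 1 state is currently marked 'newest ISAKMP'."""
    for st in parse_states(status):
        if st.newest_isakmp:
            return st.conn
    return None


def dependents(status: str, conn: str) -> Set[str]:
    """Other conns whose IPsec SAs hang off an ISAKMP SA belonging to `conn`."""
    states = parse_states(status)
    parents = {st.serial for st in states if st.conn == conn and not st.is_ipsec}
    return {st.conn for st in states
            if st.is_ipsec and st.isakmp_ref in parents and st.conn != conn}


def safe_to_delete(status: str, conn: str) -> Tuple[bool, str]:
    """Decide whether `ipsec auto --delete conn` leaves the other conns' shared
    Phase 1 state intact. Refuses when `conn` owns the ISAKMP SA others use."""
    owner = isakmp_owner(status)
    if owner != conn:
        return True, f'"{conn}" does not own the newest ISAKMP SA (owner: {owner})'
    others = dependents(status, conn)
    if not others:
        return True, f'"{conn}" owns the ISAKMP SA but no other conn depends on it'
    return False, (f'"{conn}" owns the ISAKMP SA shared by {sorted(others)}; '
                   f'delete those first or re-establish them afterwards')


if __name__ == "__main__":
    for name in ("a", "b", "c"):
        ok, why = safe_to_delete(SAMPLE_STATUS, name)
        print(("SAFE   " if ok else "UNSAFE ") + why)
```

In practice the script would feed the live output of `ipsec auto --status` into `safe_to_delete()` and skip or defer the delete when it returns `False`; in the sample, deleting "b" is the case that would strand "a" and "c", which is the situation the original post describes.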

