Hello all, As you may have known around the VyOS/EdgeOS community, I am the poor guy who decided to upgrade the strongSwan stack from 4.5.2 to 5.2.2. Yes, it was an eye-opener on how the scripts were written back in the day and I'm surprised it still even works today.
During testing, I've noticed that establishing multiple IKEv1 tunnels between strongSwan 5.2.2 peers doesn't work as expected when both configurations are generated by VyOS/EdgeOS/Vyatta's vpn-config.pl. One of the tunnels specified in ipsec.conf does work, but the other one does not. I am pasting charon's log with ike/cfg at level 2:

-- BEGIN LOG--
Feb 12 08:41:14 vyos-2 ipsec_starter[2970]: Starting strongSwan 5.2.2 IPsec [starter]...
Feb 12 08:41:14 vyos-2 ipsec_starter[2970]: # deprecated keyword 'interfaces' in config setup
Feb 12 08:41:14 vyos-2 ipsec_starter[2970]: ### 1 parsing error (0 fatal) ###
Feb 12 08:41:14 vyos-2 ipsec_starter[2986]: charon (2987) started after 20 ms
Feb 12 08:41:14 vyos-2 charon: 12[IKE] initiating Main Mode IKE_SA peer-192.168.2.1-tunnel-0[1] to 192.168.2.1
Feb 12 08:41:39 vyos-2 charon: 04[IKE] sending retransmit 3 of request message ID 0, seq 1
Feb 12 08:41:45 vyos-2 charon: 16[CFG] looking for an ike config for 192.168.2.2...192.168.2.1
Feb 12 08:41:45 vyos-2 charon: 16[CFG] candidate: 192.168.2.2...192.168.2.1, prio 3100
Feb 12 08:41:45 vyos-2 charon: 16[CFG] found matching ike config: 192.168.2.2...192.168.2.1 with prio 3100
Feb 12 08:41:45 vyos-2 charon: 16[IKE] received XAuth vendor ID
Feb 12 08:41:45 vyos-2 charon: 16[IKE] received DPD vendor ID
Feb 12 08:41:45 vyos-2 charon: 16[IKE] received NAT-T (RFC 3947) vendor ID
Feb 12 08:41:45 vyos-2 charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Feb 12 08:41:45 vyos-2 charon: 16[IKE] 192.168.2.1 is initiating a Main Mode IKE_SA
Feb 12 08:41:45 vyos-2 charon: 16[IKE] IKE_SA (unnamed)[2] state change: CREATED => CONNECTING
Feb 12 08:41:45 vyos-2 charon: 16[CFG] selecting proposal:
Feb 12 08:41:45 vyos-2 charon: 16[CFG] proposal matches
Feb 12 08:41:45 vyos-2 charon: 16[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 12 08:41:45 vyos-2 charon: 16[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 12 08:41:45 vyos-2 charon: 16[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 12 08:41:45 vyos-2 charon: 16[IKE] sending XAuth vendor ID
Feb 12 08:41:45 vyos-2 charon: 16[IKE] sending DPD vendor ID
Feb 12 08:41:45 vyos-2 charon: 16[IKE] sending NAT-T (RFC 3947) vendor ID
Feb 12 08:41:45 vyos-2 charon: 06[CFG] looking for pre-shared key peer configs matching 192.168.2.2...192.168.2.1[192.168.2.1]
Feb 12 08:41:45 vyos-2 charon: 06[CFG] candidate "peer-192.168.2.1-tunnel-0", match: 1/20/3100 (me/other/ike)
Feb 12 08:41:45 vyos-2 charon: 06[CFG] selected peer config "peer-192.168.2.1-tunnel-0"
Feb 12 08:41:45 vyos-2 charon: 06[IKE] IKE_SA peer-192.168.2.1-tunnel-0[2] established between 192.168.2.2[192.168.2.2]...192.168.2.1[192.168.2.1]
Feb 12 08:41:45 vyos-2 charon: 06[IKE] IKE_SA peer-192.168.2.1-tunnel-0[2] state change: CONNECTING => ESTABLISHED
Feb 12 08:41:45 vyos-2 charon: 06[IKE] scheduling reauthentication in 27939s
Feb 12 08:41:45 vyos-2 charon: 06[IKE] maximum IKE_SA lifetime 28479s
Feb 12 08:41:45 vyos-2 charon: 03[CFG] looking for a child config for 192.168.4.0/24 === 192.168.3.0/24
Feb 12 08:41:45 vyos-2 charon: 03[CFG] proposing traffic selectors for us:
Feb 12 08:41:45 vyos-2 charon: 03[CFG] 192.168.4.0/24
Feb 12 08:41:45 vyos-2 charon: 03[CFG] proposing traffic selectors for other:
Feb 12 08:41:45 vyos-2 charon: 03[CFG] 192.168.3.0/24
Feb 12 08:41:45 vyos-2 charon: 03[CFG] candidate "peer-192.168.2.1-tunnel-0" with prio 5+5
Feb 12 08:41:45 vyos-2 charon: 03[CFG] proposing traffic selectors for us:
Feb 12 08:41:45 vyos-2 charon: 03[CFG] 10.0.11.0/24
Feb 12 08:41:45 vyos-2 charon: 03[CFG] proposing traffic selectors for other:
Feb 12 08:41:45 vyos-2 charon: 03[CFG] 10.0.10.0/24
Feb 12 08:41:45 vyos-2 charon: 03[CFG] found matching child config "peer-192.168.2.1-tunnel-0" with prio 10
Feb 12 08:41:45 vyos-2 charon: 03[CFG] selecting traffic selectors for other:
Feb 12 08:41:45 vyos-2 charon: 03[CFG] config: 192.168.3.0/24, received: 192.168.3.0/24 => match: 192.168.3.0/24
Feb 12 08:41:45 vyos-2 charon: 03[CFG] selecting traffic selectors for us:
Feb 12 08:41:45 vyos-2 charon: 03[CFG] config: 192.168.4.0/24, received: 192.168.4.0/24 => match: 192.168.4.0/24
Feb 12 08:41:45 vyos-2 charon: 03[CFG] selecting proposal:
Feb 12 08:41:45 vyos-2 charon: 03[CFG] proposal matches
Feb 12 08:41:45 vyos-2 charon: 03[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Feb 12 08:41:45 vyos-2 charon: 03[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Feb 12 08:41:45 vyos-2 charon: 03[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Feb 12 08:41:45 vyos-2 charon: 04[IKE] CHILD_SA peer-192.168.2.1-tunnel-0{1} established with SPIs c527ed28_i c63527a1_o and TS 192.168.4.0/24 === 192.168.3.0/24
Feb 12 08:41:45 vyos-2 charon: 04[CFG] looking for a child config for 10.0.11.0/24 === 10.0.10.0/24
Feb 12 08:41:45 vyos-2 charon: 04[CFG] proposing traffic selectors for us:
Feb 12 08:41:45 vyos-2 charon: 04[CFG] 192.168.4.0/24
Feb 12 08:41:45 vyos-2 charon: 04[CFG] proposing traffic selectors for other:
Feb 12 08:41:45 vyos-2 charon: 04[CFG] 192.168.3.0/24
Feb 12 08:41:45 vyos-2 charon: 04[CFG] proposing traffic selectors for us:
Feb 12 08:41:45 vyos-2 charon: 04[CFG] 10.0.11.0/24
Feb 12 08:41:45 vyos-2 charon: 04[CFG] proposing traffic selectors for other:
Feb 12 08:41:45 vyos-2 charon: 04[CFG] 10.0.10.0/24
Feb 12 08:41:45 vyos-2 charon: 04[CFG] candidate "peer-192.168.2.1-tunnel-1" with prio 5+5
Feb 12 08:41:45 vyos-2 charon: 04[CFG] found matching child config "peer-192.168.2.1-tunnel-1" with prio 10
Feb 12 08:41:45 vyos-2 charon: 04[CFG] selecting traffic selectors for other:
Feb 12 08:41:45 vyos-2 charon: 04[CFG] config: 10.0.10.0/24, received: 10.0.10.0/24 => match: 10.0.10.0/24
Feb 12 08:41:45 vyos-2 charon: 04[CFG] selecting traffic selectors for us:
Feb 12 08:41:45 vyos-2 charon: 04[CFG] config: 10.0.11.0/24, received: 10.0.11.0/24 => match: 10.0.11.0/24
Feb 12 08:41:45 vyos-2 charon: 04[CFG] selecting proposal:
Feb 12 08:41:45 vyos-2 charon: 04[CFG] proposal matches
Feb 12 08:41:45 vyos-2 charon: 04[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Feb 12 08:41:45 vyos-2 charon: 04[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Feb 12 08:41:45 vyos-2 charon: 04[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Feb 12 08:41:45 vyos-2 charon: 12[IKE] CHILD_SA peer-192.168.2.1-tunnel-1{2} established with SPIs c3108539_i cadb681d_o and TS 10.0.11.0/24 === 10.0.10.0/24
Feb 12 08:42:02 vyos-2 charon: 03[IKE] sending retransmit 4 of request message ID 0, seq 1
Feb 12 08:42:02 vyos-2 charon: 02[IKE] received XAuth vendor ID
Feb 12 08:42:02 vyos-2 charon: 02[IKE] received DPD vendor ID
Feb 12 08:42:02 vyos-2 charon: 02[IKE] received NAT-T (RFC 3947) vendor ID
Feb 12 08:42:02 vyos-2 charon: 02[CFG] selecting proposal:
Feb 12 08:42:02 vyos-2 charon: 02[CFG] proposal matches
Feb 12 08:42:02 vyos-2 charon: 02[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 12 08:42:02 vyos-2 charon: 02[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 12 08:42:02 vyos-2 charon: 02[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 12 08:42:02 vyos-2 charon: 02[IKE] reinitiating already active tasks
Feb 12 08:42:02 vyos-2 charon: 02[IKE] ISAKMP_VENDOR task
Feb 12 08:42:02 vyos-2 charon: 02[IKE] MAIN_MODE task
Feb 12 08:42:02 vyos-2 charon: 01[IKE] reinitiating already active tasks
Feb 12 08:42:02 vyos-2 charon: 01[IKE] ISAKMP_VENDOR task
Feb 12 08:42:02 vyos-2 charon: 01[IKE] MAIN_MODE task
Feb 12 08:42:02 vyos-2 charon: 04[IKE] IKE_SA peer-192.168.2.1-tunnel-0[1] established between 192.168.2.2[192.168.2.2]...192.168.2.1[192.168.2.1]
Feb 12 08:42:02 vyos-2 charon: 04[IKE] IKE_SA peer-192.168.2.1-tunnel-0[1] state change: CONNECTING => ESTABLISHED
Feb 12 08:42:02 vyos-2 charon: 04[IKE] scheduling reauthentication in 27857s
Feb 12 08:42:02 vyos-2 charon: 04[IKE] maximum IKE_SA lifetime 28397s
Feb 12 08:42:02 vyos-2 charon: 04[IKE] activating new tasks
Feb 12 08:42:02 vyos-2 charon: 04[IKE] activating QUICK_MODE task
Feb 12 08:42:02 vyos-2 charon: 04[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Feb 12 08:42:02 vyos-2 charon: 04[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Feb 12 08:42:02 vyos-2 charon: 04[CFG] proposing traffic selectors for us:
Feb 12 08:42:02 vyos-2 charon: 04[CFG] 192.168.4.0/24
Feb 12 08:42:02 vyos-2 charon: 04[CFG] proposing traffic selectors for other:
Feb 12 08:42:02 vyos-2 charon: 04[CFG] 192.168.3.0/24
Feb 12 08:42:02 vyos-2 charon: 12[CFG] selecting proposal:
Feb 12 08:42:02 vyos-2 charon: 12[CFG] proposal matches
Feb 12 08:42:02 vyos-2 charon: 12[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Feb 12 08:42:02 vyos-2 charon: 12[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Feb 12 08:42:02 vyos-2 charon: 12[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Feb 12 08:42:02 vyos-2 charon: 12[CFG] unable to install policy 192.168.4.0/24 === 192.168.3.0/24 out (mark 0/0x00000000) for reqid 3, the same policy for reqid 1 exists
Feb 12 08:42:02 vyos-2 charon: 12[CFG] unable to install policy 192.168.3.0/24 === 192.168.4.0/24 in (mark 0/0x00000000) for reqid 3, the same policy for reqid 1 exists
Feb 12 08:42:02 vyos-2 charon: 12[CFG] unable to install policy 192.168.3.0/24 === 192.168.4.0/24 fwd (mark 0/0x00000000) for reqid 3, the same policy for reqid 1 exists
Feb 12 08:42:02 vyos-2 charon: 12[CFG] unable to install policy 192.168.4.0/24 === 192.168.3.0/24 out (mark 0/0x00000000) for reqid 3, the same policy for reqid 1 exists
Feb 12 08:42:02 vyos-2 charon: 12[CFG] unable to install policy 192.168.3.0/24 === 192.168.4.0/24 in (mark 0/0x00000000) for reqid 3, the same policy for reqid 1 exists
Feb 12 08:42:02 vyos-2 charon: 12[CFG] unable to install policy 192.168.3.0/24 === 192.168.4.0/24 fwd (mark 0/0x00000000) for reqid 3, the same policy for reqid 1 exists
Feb 12 08:42:02 vyos-2 charon: 12[IKE] unable to install IPsec policies (SPD) in kernel
Feb 12 08:42:02 vyos-2 charon: 12[IKE] queueing INFORMATIONAL task
Feb 12 08:42:02 vyos-2 charon: 12[IKE] activating new tasks
Feb 12 08:42:02 vyos-2 charon: 12[IKE] activating QUICK_MODE task
Feb 12 08:42:02 vyos-2 charon: 12[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Feb 12 08:42:02 vyos-2 charon: 12[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Feb 12 08:42:02 vyos-2 charon: 12[CFG] proposing traffic selectors for us:
Feb 12 08:42:02 vyos-2 charon: 12[CFG] 10.0.11.0/24
Feb 12 08:42:02 vyos-2 charon: 12[CFG] proposing traffic selectors for other:
Feb 12 08:42:02 vyos-2 charon: 12[CFG] 10.0.10.0/24
Feb 12 08:42:06 vyos-2 charon: 16[IKE] sending retransmit 1 of request message ID 1519727818, seq 5
Feb 12 08:42:12 vyos-2 charon: 05[IKE] queueing ISAKMP_DELETE task
Feb 12 08:42:12 vyos-2 charon: 05[IKE] activating new tasks
Feb 12 08:42:12 vyos-2 charon: 05[IKE] activating ISAKMP_DELETE task
Feb 12 08:42:12 vyos-2 charon: 05[IKE] deleting IKE_SA peer-192.168.2.1-tunnel-0[2] between 192.168.2.2[192.168.2.2]...192.168.2.1[192.168.2.1]
Feb 12 08:42:12 vyos-2 charon: 05[IKE] sending DELETE for IKE_SA peer-192.168.2.1-tunnel-0[2]
Feb 12 08:42:12 vyos-2 charon: 05[IKE] IKE_SA peer-192.168.2.1-tunnel-0[2] state change: ESTABLISHED => DELETING
Feb 12 08:42:12 vyos-2 charon: 05[IKE] IKE_SA peer-192.168.2.1-tunnel-0[2] state change: DELETING => DESTROYING
Feb 12 08:42:13 vyos-2 charon: 02[IKE] sending retransmit 2 of request message ID 1519727818, seq 5
Feb 12 08:42:26 vyos-2 charon: 04[IKE] sending retransmit 3 of request message ID 1519727818, seq 5
Feb 12 08:42:29 vyos-2 charon: 12[CFG] proposing traffic selectors for us:
Feb 12 08:42:29 vyos-2 charon: 12[CFG] 192.168.4.0/24
Feb 12 08:42:29 vyos-2 charon: 12[CFG] proposing traffic selectors for other:
Feb 12 08:42:29 vyos-2 charon: 12[CFG] 192.168.3.0/24
Feb 12 08:42:29 vyos-2 charon: 12[CFG] proposing traffic selectors for us:
Feb 12 08:42:29 vyos-2 charon: 12[CFG] 10.0.11.0/24
Feb 12 08:42:29 vyos-2 charon: 12[CFG] proposing traffic selectors for other:
Feb 12 08:42:29 vyos-2 charon: 12[CFG] 10.0.10.0/24
Feb 12 08:42:49 vyos-2 charon: 04[IKE] sending retransmit 4 of request message ID 1519727818, seq 5
Feb 12 08:43:31 vyos-2 charon: 16[IKE] sending retransmit 5 of request message ID 1519727818, seq 5
Feb 12 08:43:44 vyos-2 charon: 03[CFG] proposing traffic selectors for us:
Feb 12 08:43:44 vyos-2 charon: 03[CFG] 192.168.4.0/24
Feb 12 08:43:44 vyos-2 charon: 03[CFG] proposing traffic selectors for other:
Feb 12 08:43:44 vyos-2 charon: 03[CFG] 192.168.3.0/24
Feb 12 08:43:44 vyos-2 charon: 03[CFG] proposing traffic selectors for us:
Feb 12 08:43:44 vyos-2 charon: 03[CFG] 10.0.11.0/24
Feb 12 08:43:44 vyos-2 charon: 03[CFG] proposing traffic selectors for other:
Feb 12 08:43:44 vyos-2 charon: 03[CFG] 10.0.10.0/24
Feb 12 08:43:53 vyos-2 charon: 11[CFG] proposing traffic selectors for us:
Feb 12 08:43:53 vyos-2 charon: 11[CFG] 192.168.4.0/24
Feb 12 08:43:53 vyos-2 charon: 11[CFG] proposing traffic selectors for other:
Feb 12 08:43:53 vyos-2 charon: 11[CFG] 192.168.3.0/24
Feb 12 08:43:53 vyos-2 charon: 11[CFG] proposing traffic selectors for us:
Feb 12 08:43:53 vyos-2 charon: 11[CFG] 10.0.11.0/24
Feb 12 08:43:53 vyos-2 charon: 11[CFG] proposing traffic selectors for other:
Feb 12 08:43:53 vyos-2 charon: 11[CFG] 10.0.10.0/24
--END LOG--

The following is the output of ipsec statusall:

--BEGIN STATUS ALL--
Status of IKE charon daemon (strongSwan 5.2.2, Linux 3.13.11-1-amd64-vyos, x86_64):
  uptime: 2 minutes, since Feb 12 08:41:14 2015
  malloc: sbrk 516096, mmap 0, used 444752, free 71344
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5
  loaded plugins: charon ldap sqlite pkcs11 aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pem openssl agent xcbc cmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap dhcp addrblock
Listening IP addresses:
  192.168.2.2
  192.168.4.1
  10.0.11.1
Connections:
peer-192.168.2.1-tunnel-0:  192.168.2.2...192.168.2.1  IKEv1
peer-192.168.2.1-tunnel-0:   local:  [192.168.2.2] uses pre-shared key authentication
peer-192.168.2.1-tunnel-0:   remote: [192.168.2.1] uses pre-shared key authentication
peer-192.168.2.1-tunnel-0:   child:  192.168.4.0/24 === 192.168.3.0/24 TUNNEL
peer-192.168.2.1-tunnel-1:   child:  10.0.11.0/24 === 10.0.10.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
peer-192.168.2.1-tunnel-0[1]: ESTABLISHED 111 seconds ago, 192.168.2.2[192.168.2.2]...192.168.2.1[192.168.2.1]
peer-192.168.2.1-tunnel-0[1]: IKEv1 SPIs: 0878a00b87dcc65c_i* 3b2c83b7e08b7fb6_r, pre-shared key reauthentication in 7 hours
peer-192.168.2.1-tunnel-0[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
peer-192.168.2.1-tunnel-0[1]: Tasks queued: INFORMATIONAL
peer-192.168.2.1-tunnel-0[1]: Tasks active: QUICK_MODE
peer-192.168.2.1-tunnel-0{1}:  INSTALLED, TUNNEL, ESP SPIs: c527ed28_i c63527a1_o
peer-192.168.2.1-tunnel-0{1}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 84 bytes_o (1 pkt, 68s ago), rekeying in 41 minutes
peer-192.168.2.1-tunnel-0{1}:   192.168.4.0/24 === 192.168.3.0/24
peer-192.168.2.1-tunnel-1{2}:  INSTALLED, TUNNEL, ESP SPIs: c3108539_i cadb681d_o
peer-192.168.2.1-tunnel-1{2}:  AES_CBC_256/HMAC_SHA1_96, 252 bytes_i (3 pkts, 59s ago), 252 bytes_o (3 pkts, 59s ago), rekeying in 40 minutes
peer-192.168.2.1-tunnel-1{2}:   10.0.11.0/24 === 10.0.10.0/24
--END STATUS ALL--

As you can see from the log and status outputs above, it's choking on sending out INFORMATIONAL packets. This is the ipsec.conf file that vpn-config.pl generates:

--BEGIN CONFIG--
# generated by /opt/vyatta/sbin/vpn-config.pl

config setup
        interfaces="%none"

conn clear
        auto=ignore
conn clear-or-private
        auto=ignore
conn private-or-clear
        auto=ignore
conn private
        auto=ignore
conn block
        auto=ignore
conn packetdefault
        auto=ignore

conn %default
        keyexchange=ikev1

conn peer-192.168.2.1-tunnel-0
        left=192.168.2.2
        right=192.168.2.1
        leftsubnet=192.168.4.0/24
        rightsubnet=192.168.3.0/24
        ike=aes256-sha1-modp1024!
        keyexchange=ikev1
        ikelifetime=28800s
        esp=aes256-sha1-modp1024!
        keylife=3600s
        rekeymargin=540s
        type=tunnel
        compress=no
        authby=secret
        auto=start
        keyingtries=%forever
#conn peer-192.168.2.1-tunnel-0

conn peer-192.168.2.1-tunnel-1
        left=192.168.2.2
        right=192.168.2.1
        leftsubnet=10.0.11.0/24
        rightsubnet=10.0.10.0/24
        ike=aes256-sha1-modp1024!
        keyexchange=ikev1
        ikelifetime=28800s
        esp=aes256-sha1-modp1024!
        keylife=3600s
        rekeymargin=540s
        type=tunnel
        compress=no
        authby=secret
        auto=start
        keyingtries=%forever
#conn peer-192.168.2.1-tunnel-1

include /etc/dmvpn.conf
--END CONFIG--

For troubleshooting purposes, I have deleted the conn clear, clear-or-private, private-or-clear, private, packetdefault and block directives to ensure that left-over pluto definitions were not causing issues. Once they were removed, both ends with similar configurations started to successfully establish multiple IKEv1 tunnels to the same peer. Were there changes since the pluto days that are now considered incompatible with strongSwan?

-- 
Jeff

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
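A small log triage script, added here as an illustration and not taken from the post or from strongSwan, that pulls the three symptoms out of charon lines like the ones quoted above: the same connection establishing two IKE_SAs to one peer (both ends initiated Main Mode at once), kernel SPD policy collisions between reqids, and requests that kept being retransmitted. The sample lines are an excerpt copied from the log in this message; the regexes and the retransmit threshold are my own assumptions.

```python
import re
from collections import defaultdict

# Constructed excerpt: a handful of lines copied from the charon log quoted in the post.
SAMPLE_LOG = """\
Feb 12 08:41:14 vyos-2 charon: 12[IKE] initiating Main Mode IKE_SA peer-192.168.2.1-tunnel-0[1] to 192.168.2.1
Feb 12 08:41:45 vyos-2 charon: 16[IKE] 192.168.2.1 is initiating a Main Mode IKE_SA
Feb 12 08:41:45 vyos-2 charon: 06[IKE] IKE_SA peer-192.168.2.1-tunnel-0[2] established between 192.168.2.2[192.168.2.2]...192.168.2.1[192.168.2.1]
Feb 12 08:42:02 vyos-2 charon: 04[IKE] IKE_SA peer-192.168.2.1-tunnel-0[1] established between 192.168.2.2[192.168.2.2]...192.168.2.1[192.168.2.1]
Feb 12 08:42:02 vyos-2 charon: 12[CFG] unable to install policy 192.168.4.0/24 === 192.168.3.0/24 out (mark 0/0x00000000) for reqid 3, the same policy for reqid 1 exists
Feb 12 08:42:02 vyos-2 charon: 12[IKE] unable to install IPsec policies (SPD) in kernel
Feb 12 08:42:06 vyos-2 charon: 16[IKE] sending retransmit 1 of request message ID 1519727818, seq 5
Feb 12 08:43:31 vyos-2 charon: 16[IKE] sending retransmit 5 of request message ID 1519727818, seq 5
"""

# Syslog framing: "<month day time> <host> charon: <thread>[<group>] <message>" (assumed format).
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ charon: \d+\[(?P<grp>\w+)\] (?P<msg>.*)$")
ESTABLISHED_RE = re.compile(r"IKE_SA (?P<name>\S+)\[(?P<id>\d+)\] established between \S+\.\.\.(?P<peer>[^\[\s]+)\[")
POLICY_RE = re.compile(r"unable to install policy (?P<sel>.+?) (?P<dir>out|in|fwd) .* for reqid (?P<new>\d+), "
                       r"the same policy for reqid (?P<old>\d+) exists")
RETRANSMIT_RE = re.compile(r"sending retransmit (?P<n>\d+) of request message ID (?P<mid>\d+)")

STUCK_AFTER = 3  # assumed threshold: this many retransmits of one request counts as stuck


def parse(text):
    """Split syslog text into (timestamp, log group, message) tuples, skipping non-charon lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m["ts"], m["grp"], m["msg"]))
    return events


def analyze(text):
    """Summarize the symptoms seen in the post: duplicate IKE_SAs per (conn, peer),
    SPD policy collisions between reqids, and request message IDs that kept retransmitting."""
    sas = defaultdict(set)          # (conn name, peer address) -> unique IKE_SA ids established
    collisions = []                 # (traffic selector, direction, new reqid, existing reqid)
    retransmits = defaultdict(int)  # message ID -> highest retransmit count seen
    for _ts, _grp, msg in parse(text):
        if (m := ESTABLISHED_RE.search(msg)):
            sas[(m["name"], m["peer"])].add(int(m["id"]))
        elif (m := POLICY_RE.search(msg)):
            collisions.append((m["sel"], m["dir"], int(m["new"]), int(m["old"])))
        elif (m := RETRANSMIT_RE.search(msg)):
            retransmits[m["mid"]] = max(retransmits[m["mid"]], int(m["n"]))
    return {
        "duplicate_ike_sas": {k: sorted(v) for k, v in sas.items() if len(v) > 1},
        "policy_collisions": collisions,
        "stuck_requests": {mid: n for mid, n in retransmits.items() if n >= STUCK_AFTER},
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the excerpt this reports tunnel-0 established twice to 192.168.2.1 (ids 1 and 2), the reqid 3 versus reqid 1 collision on the 192.168.4.0/24 === 192.168.3.0/24 policy, and message ID 1519727818 retransmitted five times.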