Hi, I have a central Linux VPN gateway with Debian 5 and the Strongswan 4.2.4-5+lenny3 default package (using a fixed IP). I'm trying to connect remote dynamic site-to-site tunnels, using Sonicwall devices behind an ADSL router. My problem is that I can only establish one tunnel; after that, the second, third and so on fail to work. This is what I have:
LAN: 192.168.110.1   <-- This tunnel always works
[Sonicwall TZ 100]   dyndns client, reporting the WAN IP of the ADSL router -- host1.dyndns.org
WAN: 192.168.1.1
        |
LAN: 192.168.1.254
[ADSL Router]
WAN: Z.Z.Z.Z
        |
        |
[Strongswan, fixed IP]
WAN: 189.X.X.66
LAN: 192.168.100.3
        |
        |
WAN: Y.Y.Y.Y
[ADSL Router]
LAN: 192.168.1.254
        |
WAN: 192.168.1.1
[Sonicwall TZ 100]   dyndns client, reporting the WAN IP of the ADSL router -- host2.dyndns.org
LAN: 192.168.101.1

(here I represent 2, but will have about 20 remote dynamic sites)

This is my ipsec.conf:
-------------------
config setup
        plutodebug=all
        klipsdebug=all
        charondebug=all
        nat_traversal=yes
        charonstart=yes
        plutostart=yes

conn %default
        type=tunnel
        leftsubnet=192.168.100.0/24
        left=189.X.X.66
        leftnexthop=189.X.X.65
        leftid=189.X.X.66
        keyexchange=ikev1
        authby=secret
        leftsourceip=192.168.100.3

conn to-one
        auth=esp
        ike=3des-sha1-modp1024,3des-md5-modp1024
        keyexchange=ikev1
        ikelifetime=28800s
        esp=null-sha1
        pfs=no
        keyingtries=1
        authby=secret
        right=host1.dyndns.org
        rightsubnet=192.168.110.0/24
        rightid=@host1.dyndns.org
        auto=add

conn to-two
        auth=esp
        ike=3des-sha1-modp1024,3des-md5-modp1024
        keyexchange=ikev1
        ikelifetime=28800s
        esp=null-sha1
        pfs=no
        authby=secret
        right=host2.dyndns.org
        rightsubnet=192.168.101.0/24
        rightid=@host2.dyndns.org
        auto=add
--------------------
(I know I shouldn't use null-sha1, I just left it like that in my last attempt; the same error happens with other algorithms)

And my ipsec.secrets:
--------
@host1.dyndns.org 189.X.X.66 : PSK "mypsk"
@host2.dyndns.org 189.X.X.66 : PSK "mypsk"
--------

The tunnel "to-one" always works well, it gets established with no problem, but for the other tunnels I get something like:
-------------
Dec 22 01:40:41 vpngdl pluto[3339]: packet from 187.X.X.32:61362: ignoring Vendor ID payload [5b362bc820f60007]   <-- This IP is from tunnel "to-two"
Dec 22 01:40:41 vpngdl pluto[3339]: packet from 187.X.X.32:61362: received Vendor ID payload [RFC 3947]
Dec 22 01:40:41 vpngdl pluto[3339]: packet from 187.X.X.32:61362: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Dec 22 01:40:41 vpngdl pluto[3339]: packet from 187.X.X.32:61362: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Dec 22 01:40:41 vpngdl pluto[3339]: | ****parse IPsec DOI SIT:
Dec 22 01:40:41 vpngdl pluto[3339]: |    IPsec DOI SIT: SIT_IDENTITY_ONLY
Dec 22 01:40:41 vpngdl pluto[3339]: | ****parse ISAKMP Proposal Payload:
Dec 22 01:40:41 vpngdl pluto[3339]: |    next payload type: ISAKMP_NEXT_NONE
Dec 22 01:40:41 vpngdl pluto[3339]: |    length: 40
Dec 22 01:40:41 vpngdl pluto[3339]: |    proposal number: 1
Dec 22 01:40:41 vpngdl pluto[3339]: |    protocol ID: PROTO_ISAKMP
Dec 22 01:40:41 vpngdl pluto[3339]: |    SPI size: 0
Dec 22 01:40:41 vpngdl pluto[3339]: |    number of transforms: 1
[snip]
Dec 22 01:40:41 vpngdl pluto[3339]: packet from 187.X.X.32:61362: initial Main Mode message received on 189.X.X.66:500 but no connection has been authorized with policy=PSK
---------

Sounds like it isn't detecting my configuration, but when I restart ipsec both tunnels seem to load correctly:
-----------
Dec 22 01:39:27 vpngdl pluto[3339]: added connection description "to-one"
Dec 22 01:39:27 vpngdl pluto[3339]: | 192.168.100.0/[email protected]]===192.168.110.0/24
Dec 22 01:39:27 vpngdl pluto[3339]: |   ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1; policy: PSK+ENCRYPT+TUNNEL
Dec 22 01:39:27 vpngdl pluto[3339]: | next event EVENT_REINIT_SECRET in 3599 seconds
[snip]
Dec 22 01:39:27 vpngdl pluto[3339]: added connection description "to-two"
Dec 22 01:39:27 vpngdl pluto[3339]: | 192.168.100.0/[email protected]]===192.168.101.0/24
Dec 22 01:39:27 vpngdl pluto[3339]: |   ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3; policy: PSK+ENCRYPT+TUNNEL
Dec 22 01:39:27 vpngdl pluto[3339]: | next event EVENT_REINIT_SECRET in 3599 seconds
------------

And no matter what order I use in ipsec.conf and ipsec.secrets, tunnel one always works and the others don't, even restarting the strongswan server. The VPN options on the Sonicwall side are configured identically (changing hosts and left/right, of course) in all remote/dynamic points. I've tried with 3 remote sites with a similar setup, but always tunnel one is established and the rest don't. Can the problem be that all the ADSL routers use the same LAN class to connect to the firewall? (192.168.1.x) Any idea about what can be happening or how to solve it?

Regards
Omar
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
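Added example, not part of the post or the strongSwan project: a small Python diagnostic that ties the "initial Main Mode message received ... but no connection has been authorized with policy=PSK" lines back to ipsec.conf. In IKEv1 Main Mode the initiator's ID payload only arrives in message 5, after the pre-shared key has already been used to derive the session keys, so when pluto receives message 1 it has to pick a conn using nothing but the packet's source address; a conn whose right= name resolved to some other address when the configuration was loaded cannot be selected for that initiator, and only a conn with right=%any matches everyone. The ipsec.conf text, the pluto log lines and the hostname-to-address table below are constructed stand-ins for the poster's (real addresses replaced by placeholders), and the key names used are the ones visible in the post.

```python
"""Correlate pluto "no connection has been authorized" events with ipsec.conf.

Added example, not the poster's code. pluto must choose a conn for an IKEv1
Main Mode message 1 by source address alone (the peer ID comes later), so this
script checks, for every rejected initiator in the log, whether any conn's
right= resolved to that address at load time. All inputs are constructed.
"""
import re
from collections import OrderedDict

# Constructed ipsec.conf in the poster's layout, with placeholder addresses.
IPSEC_CONF = """\
config setup
    nat_traversal=yes

conn %default
    left=189.0.0.66
    leftsubnet=192.168.100.0/24
    keyexchange=ikev1
    authby=secret

conn to-one
    right=host1.dyndns.org
    rightsubnet=192.168.110.0/24
    rightid=@host1.dyndns.org
    auto=add

conn to-two
    right=host2.dyndns.org
    rightsubnet=192.168.101.0/24
    rightid=@host2.dyndns.org
    auto=add
"""

# Constructed: the address each right= name resolved to when pluto loaded the
# config. If the dyndns record changed afterwards, pluto still holds this one.
RESOLVED_AT_LOAD = {"host1.dyndns.org": "187.0.0.10", "host2.dyndns.org": "187.0.0.20"}

# Constructed log lines in the shape of the poster's pluto output.
PLUTO_LOG = """\
Dec 22 01:40:41 vpngdl pluto[3339]: packet from 187.0.0.32:61362: received Vendor ID payload [RFC 3947]
Dec 22 01:40:41 vpngdl pluto[3339]: packet from 187.0.0.32:61362: initial Main Mode message received on 189.0.0.66:500 but no connection has been authorized with policy=PSK
Dec 22 01:41:02 vpngdl pluto[3339]: packet from 187.0.0.45:500: initial Main Mode message received on 189.0.0.66:500 but no connection has been authorized with policy=PSK
"""

REJECT_RE = re.compile(
    r"packet from (?P<src>\d+(?:\.\d+){3}):(?P<port>\d+): initial Main Mode message "
    r"received on (?P<dst>\d+(?:\.\d+){3}):\d+ but no connection has been authorized"
)


def parse_conns(text):
    """Return {conn name: {key: value}} with 'conn %default' merged into each conn.
    'config setup' is skipped so its keys do not leak into the connections."""
    sections, current = OrderedDict(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("config "):
            current = None
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    defaults = sections.pop("%default", {})
    return OrderedDict((n, {**defaults, **o}) for n, o in sections.items())


def rejected_initiators(log_text):
    """Yield (src_ip, src_port, dst_ip) for every rejected Main Mode message 1."""
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            yield m.group("src"), int(m.group("port")), m.group("dst")


def conns_by_peer_address(conns, resolved):
    """Index conns by the address pluto held for right= at load time. A literal
    address or '%any' is used as-is; an unresolvable name is kept verbatim."""
    index = {}
    for name, opts in conns.items():
        right = opts.get("right", "")
        index.setdefault(resolved.get(right, right), []).append(name)
    return index


def diagnose(conf_text, log_text, resolved):
    """For each rejected initiator, list the conns pluto could have matched by
    address, and flag a source port other than 500 (something in front of the
    peer, typically a NAT router, rewrote the port of its IKE packets)."""
    index = conns_by_peer_address(parse_conns(conf_text), resolved)
    return [
        {"src": src, "port": port, "dst": dst,
         "matching_conns": index.get(src, []) + index.get("%any", []),
         "src_port_rewritten": port != 500}
        for src, port, dst in rejected_initiators(log_text)
    ]


if __name__ == "__main__":
    for e in diagnose(IPSEC_CONF, PLUTO_LOG, RESOLVED_AT_LOAD):
        hint = "source port rewritten" if e["src_port_rewritten"] else "source port 500"
        if e["matching_conns"]:
            print(f"{e['src']}: selectable via {e['matching_conns']} ({hint})")
        else:
            print(f"{e['src']}: no conn has a right= address equal to this ({hint})")
```

Run against a real /var/log/auth.log and the output of a resolver query made at the moment the config was loaded, the report shows whether a rejected peer is arriving from an address that no conn currently carries (stale dyndns record, or the ADSL router's WAN address differing from what the name points at) versus a peer that would be covered only by a right=%any conn.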
