Hi,

both grandrapids and sanjose have the same identity 'CN=Crossbow' which
causes the other connection to be deleted since the default setting is
uniqueids=yes.

Workaround:

- set uniqueids=no in the config setup section of ipsec.conf. This will
  allow multiple concurrent connections with the same ID.

Proper fix:

- generate individual certificates for grandrapids and sanjose with
  distinct identities.

Best regards

Andreas

On 10/21/2012 01:24 AM, CJ Fearnley wrote:
> OK. With everyone's help, I now have a working configuration: both
> Netgears can authenticate with strongswan. But when I enable both
> Netgear stanzas (grandrapids & sanjose) at the same time, strongswan
> deletes the other connection. Hoo boy. What am I missing?
>
> ipsec.conf:
>
> config setup
>         charonstart=no
>         plutostart=yes
>
>         virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.101.0/24
>         nat_traversal=yes
>
> conn %default
>         mobike=no
>         keyexchange=ikev1
>         left=216.130.102.66
>         leftid="C=US, ST=IL, L=Glenwood, O=PRIVATE VPN Services, CN=cw1.private.com, [email protected]"
>         leftsendcert=always
>         leftsubnet=192.168.101.0/24
>         leftcert=cw1.private.com.crt
>         right=%any
>         auto=add
>
> conn grandrapids
>         rightsubnet=192.168.112.0/24
>
> conn sanjose
>         rightsubnet=192.168.161.0/24
>
> Here are the strongswan logs which show both Netgears getting connected,
> but sanjose gets booted followed by grandrapids:
>
> Oct 20 14:29:52 cw1 ipsec_starter[10459]: Starting strongSwan 4.4.1 IPsec [starter]...
> Oct 20 14:29:52 cw1 pluto[10473]: Starting IKEv1 pluto daemon (strongSwan 4.4.1) THREADS SMARTCARD VENDORID
> Oct 20 14:29:52 cw1 pluto[10473]: plugin 'test-vectors' failed to load: /usr/lib/ipsec/plugins/libstrongswan-test-vectors.so: cannot open shared object file: No such file or directory
> Oct 20 14:29:52 cw1 pluto[10473]: attr-sql plugin: database URI not set
> Oct 20 14:29:52 cw1 pluto[10473]: plugin 'attr-sql': failed to load - attr_sql_plugin_create returned NULL
> Oct 20 14:29:52 cw1 pluto[10473]: loaded plugins: curl ldap aes des sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem openssl hmac gmp xauth attr resolve
> Oct 20 14:29:52 cw1 pluto[10473]: including NAT-Traversal patch (Version 0.6c)
> Oct 20 14:29:52 cw1 pluto[10473]: failed to load pkcs11 module '/usr/lib/opensc-pkcs11.so'
> Oct 20 14:29:52 cw1 pluto[10473]: Using Linux 2.6 IPsec interface code
> Oct 20 14:29:52 cw1 ipsec_starter[10472]: pluto (10473) started after 20 ms
> Oct 20 14:29:52 cw1 pluto[10473]: loading ca certificates from '/etc/ipsec.d/cacerts'
> Oct 20 14:29:52 cw1 pluto[10473]: loaded ca certificate from '/etc/ipsec.d/cacerts/ca.crt'
> Oct 20 14:29:52 cw1 pluto[10473]: loading aa certificates from '/etc/ipsec.d/aacerts'
> Oct 20 14:29:52 cw1 pluto[10473]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
> Oct 20 14:29:52 cw1 pluto[10473]: Changing to directory '/etc/ipsec.d/crls'
> Oct 20 14:29:52 cw1 pluto[10473]: loading attribute certificates from '/etc/ipsec.d/acerts'
> Oct 20 14:29:52 cw1 pluto[10473]: listening for IKE messages
> Oct 20 14:29:52 cw1 pluto[10473]: adding interface br0/br0 192.168.101.254:500
> Oct 20 14:29:52 cw1 pluto[10473]: adding interface br0/br0 192.168.101.254:4500
> Oct 20 14:29:52 cw1 pluto[10473]: adding interface eth1/eth1 50.79.22.185:500
> Oct 20 14:29:52 cw1 pluto[10473]: adding interface eth1/eth1 50.79.22.185:4500
> Oct 20 14:29:52 cw1 pluto[10473]: adding interface eth0:70/eth0:70 216.130.102.70:500
> Oct 20 14:29:52 cw1 pluto[10473]: adding interface eth0:70/eth0:70 216.130.102.70:4500
> Oct 20 14:29:52 cw1 pluto[10473]: adding interface eth0:69/eth0:69 216.130.102.69:500
> Oct 20 14:29:52 cw1 pluto[10473]: adding interface eth0:69/eth0:69 216.130.102.69:4500
> Oct 20 14:29:52 cw1 pluto[10473]: adding interface eth0:68/eth0:68 216.130.102.68:500
> Oct 20 14:29:52 cw1 pluto[10473]: adding interface eth0:68/eth0:68 216.130.102.68:4500
> Oct 20 14:29:52 cw1 pluto[10473]: adding interface eth0:67/eth0:67 216.130.102.67:500
> Oct 20 14:29:52 cw1 pluto[10473]: adding interface eth0:67/eth0:67 216.130.102.67:4500
> Oct 20 14:29:52 cw1 pluto[10473]: adding interface eth0/eth0 216.130.102.66:500
> Oct 20 14:29:52 cw1 pluto[10473]: adding interface eth0/eth0 216.130.102.66:4500
> Oct 20 14:29:52 cw1 pluto[10473]: adding interface lo/lo 127.0.0.1:500
> Oct 20 14:29:52 cw1 pluto[10473]: adding interface lo/lo 127.0.0.1:4500
> Oct 20 14:29:52 cw1 pluto[10473]: adding interface lo/lo ::1:500
> Oct 20 14:29:52 cw1 pluto[10473]: loading secrets from "/etc/ipsec.secrets"
> Oct 20 14:29:52 cw1 pluto[10473]: loaded private key from '/etc/ipsec.d/private/cw1.private.com.key'
> Oct 20 14:29:52 cw1 pluto[10473]: loaded host certificate from '/etc/ipsec.d/certs/cw1.private.com.crt'
> Oct 20 14:29:52 cw1 pluto[10473]: added connection description "grandrapids"
> Oct 20 14:29:52 cw1 pluto[10473]: loaded host certificate from '/etc/ipsec.d/certs/cw1.private.com.crt'
> Oct 20 14:29:52 cw1 pluto[10473]: added connection description "sanjose"
> Oct 20 14:30:01 cw1 pluto[10473]: packet from 66.127.20.234:500: ignoring Vendor ID payload [810fa565f8ab14369105d706fbd57279]
> Oct 20 14:30:01 cw1 pluto[10473]: packet from 66.127.20.234:500: received Vendor ID payload [Dead Peer Detection]
> Oct 20 14:30:01 cw1 pluto[10473]: "sanjose"[1] 66.127.20.234 #1: responding to Main Mode from unknown peer 66.127.20.234
> Oct 20 14:30:01 cw1 pluto[10473]: "sanjose"[1] 66.127.20.234 #1: ignoring Vendor ID payload [KAME/racoon]
> Oct 20 14:30:02 cw1 pluto[10473]: "sanjose"[1] 66.127.20.234 #1: Peer ID is ID_DER_ASN1_DN: 'CN=Crossbow'
> Oct 20 14:30:02 cw1 pluto[10473]: "sanjose"[1] 66.127.20.234 #1: crl not found
> Oct 20 14:30:02 cw1 pluto[10473]: "sanjose"[1] 66.127.20.234 #1: certificate status unknown
> Oct 20 14:30:02 cw1 pluto[10473]: "sanjose"[2] 66.127.20.234 #1: deleting connection "sanjose" instance with peer 66.127.20.234 {isakmp=#0/ipsec=#0}
> Oct 20 14:30:02 cw1 pluto[10473]: "sanjose"[2] 66.127.20.234 #1: we have a cert and are sending it
> Oct 20 14:30:02 cw1 pluto[10473]: "sanjose"[2] 66.127.20.234 #1: sent MR3, ISAKMP SA established
> Oct 20 14:30:12 cw1 pluto[10473]: "sanjose"[2] 66.127.20.234 #1: retransmitting in response to duplicate packet; already STATE_MAIN_R3
> Oct 20 14:30:13 cw1 pluto[10473]: "sanjose"[2] 66.127.20.234 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
> Oct 20 14:30:38 cw1 pluto[10473]: "sanjose"[2] 66.127.20.234 #2: responding to Quick Mode
> Oct 20 14:30:39 cw1 pluto[10473]: "sanjose"[2] 66.127.20.234 #2: IPsec SA established {ESP=>0x089ed792 <0x2b85e728}
> Oct 20 14:30:50 cw1 pluto[10473]: packet from 207.8.183.102:46769: not enough room in input packet for ISAKMP Message
> Oct 20 14:30:50 cw1 pluto[10473]: packet from 207.8.183.102:46769: sending notification PAYLOAD_MALFORMED to 207.8.183.102:46769
> Oct 20 14:36:45 cw1 pluto[10473]: packet from 50.192.114.17:500: ignoring Vendor ID payload [810fa565f8ab14369105d706fbd57279]
> Oct 20 14:36:45 cw1 pluto[10473]: packet from 50.192.114.17:500: received Vendor ID payload [Dead Peer Detection]
> Oct 20 14:36:45 cw1 pluto[10473]: "sanjose"[3] 50.192.114.17 #3: responding to Main Mode from unknown peer 50.192.114.17
> Oct 20 14:36:46 cw1 pluto[10473]: "sanjose"[3] 50.192.114.17 #3: ignoring Vendor ID payload [KAME/racoon]
> Oct 20 14:36:46 cw1 pluto[10473]: "sanjose"[3] 50.192.114.17 #3: Peer ID is ID_DER_ASN1_DN: 'CN=Crossbow'
> Oct 20 14:36:46 cw1 pluto[10473]: "sanjose"[3] 50.192.114.17 #3: crl not found
> Oct 20 14:36:46 cw1 pluto[10473]: "sanjose"[3] 50.192.114.17 #3: certificate status unknown
> Oct 20 14:36:46 cw1 pluto[10473]: "sanjose"[4] 50.192.114.17 #3: deleting connection "sanjose" instance with peer 50.192.114.17 {isakmp=#0/ipsec=#0}
> Oct 20 14:36:46 cw1 pluto[10473]: "sanjose"[4] 50.192.114.17 #3: we have a cert and are sending it
> Oct 20 14:36:46 cw1 pluto[10473]: "sanjose"[4] 50.192.114.17 #3: deleting connection "sanjose" instance with peer 66.127.20.234 {isakmp=#1/ipsec=#2}
> Oct 20 14:36:46 cw1 pluto[10473]: "sanjose" #2: deleting state (STATE_QUICK_R2)
> Oct 20 14:36:46 cw1 pluto[10473]: "sanjose" #1: deleting state (STATE_MAIN_R3)
> Oct 20 14:36:46 cw1 pluto[10473]: "sanjose"[4] 50.192.114.17 #3: sent MR3, ISAKMP SA established
> Oct 20 14:36:46 cw1 pluto[10473]: "sanjose"[4] 50.192.114.17 #3: ignoring informational payload, type IPSEC_INITIAL_CONTACT
> Oct 20 14:36:48 cw1 pluto[10473]: "grandrapids"[1] 50.192.114.17 #4: responding to Quick Mode
> Oct 20 14:36:48 cw1 pluto[10473]: "grandrapids"[1] 50.192.114.17 #4: IPsec SA established {ESP=>0x0789dbb6 <0xa5ea6345}
> Oct 20 14:36:53 cw1 pluto[10473]: "grandrapids"[1] 50.192.114.17 #5: responding to Quick Mode
> Oct 20 14:36:53 cw1 pluto[10473]: "grandrapids"[1] 50.192.114.17 #5: IPsec SA established {ESP=>0x0113ff57 <0x34a08913}
> Oct 20 14:36:56 cw1 pluto[10473]: "sanjose"[4] 50.192.114.17 #3: received Delete SA(0x0789dbb6) payload: deleting IPSEC State #4
> Oct 20 14:36:56 cw1 pluto[10473]: "sanjose"[4] 50.192.114.17 #3: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xa5ea6345) not found (maybe expired)
> Oct 20 14:36:57 cw1 pluto[10473]: packet from 66.127.20.234:500: ignoring Vendor ID payload [810fa565f8ab14369105d706fbd57279]
> Oct 20 14:36:57 cw1 pluto[10473]: packet from 66.127.20.234:500: received Vendor ID payload [Dead Peer Detection]
> Oct 20 14:36:57 cw1 pluto[10473]: "sanjose"[5] 66.127.20.234 #6: responding to Main Mode from unknown peer 66.127.20.234
> Oct 20 14:36:58 cw1 pluto[10473]: "sanjose"[5] 66.127.20.234 #6: ignoring Vendor ID payload [KAME/racoon]
> Oct 20 14:36:58 cw1 pluto[10473]: "sanjose"[5] 66.127.20.234 #6: Peer ID is ID_DER_ASN1_DN: 'CN=Crossbow'
> Oct 20 14:36:58 cw1 pluto[10473]: "sanjose"[5] 66.127.20.234 #6: crl not found
> Oct 20 14:36:58 cw1 pluto[10473]: "sanjose"[5] 66.127.20.234 #6: certificate status unknown
> Oct 20 14:36:58 cw1 pluto[10473]: "sanjose"[6] 66.127.20.234 #6: deleting connection "sanjose" instance with peer 66.127.20.234 {isakmp=#0/ipsec=#0}
> Oct 20 14:36:58 cw1 pluto[10473]: "sanjose"[6] 66.127.20.234 #6: we have a cert and are sending it
> Oct 20 14:36:58 cw1 pluto[10473]: "sanjose"[6] 66.127.20.234 #6: deleting connection "grandrapids" instance with peer 50.192.114.17 {isakmp=#0/ipsec=#5}
> Oct 20 14:36:58 cw1 pluto[10473]: "grandrapids" #5: deleting state (STATE_QUICK_R2)
> Oct 20 14:36:58 cw1 pluto[10473]: "sanjose"[6] 66.127.20.234 #6: deleting connection "sanjose" instance with peer 50.192.114.17 {isakmp=#3/ipsec=#0}
> Oct 20 14:36:58 cw1 pluto[10473]: "sanjose" #3: deleting state (STATE_MAIN_R3)
> Oct 20 14:36:58 cw1 pluto[10473]: "sanjose"[6] 66.127.20.234 #6: sent MR3, ISAKMP SA established
> Oct 20 14:36:58 cw1 pluto[10473]: "sanjose"[6] 66.127.20.234 #6: ignoring informational payload, type IPSEC_INITIAL_CONTACT
> Oct 20 14:36:59 cw1 pluto[10473]: "sanjose"[6] 66.127.20.234 #7: responding to Quick Mode
> Oct 20 14:36:59 cw1 pluto[10473]: "sanjose"[6] 66.127.20.234 #7: IPsec SA established {ESP=>0x0d044102 <0x9b5c761a}
>
> On Wed, Oct 17, 2012 at 10:11:10AM -0400, CJ Fearnley wrote:
>> After a T1 outage left OpenSwan useless (again), I decided it was time
>> to try StrongSwan. The system uses a local CA on the server. Keys and
>> certs are in /etc/ipsec.d where we created them for OpenSwan. Nice that
>> no change seems to be necessary there. It is a Debian Squeeze system,
>> so I'm using the 4.4.1-5.2 version of the strongswan package.
>

======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
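Added example, not code from this thread or from strongSwan: a small Python lint for the uniqueids collision discussed above. It parses an ipsec.conf (resolving conn %default inheritance), reports conns that do not pin a distinct remote identity while uniqueids is left at its default of yes, and cross-checks pluto log lines for one peer DN arriving from several addresses, which is exactly what the posted log shows before each "deleting connection" line. The embedded ipsec.conf and log lines are constructed samples modelled on the post, the parsing rules are this example's own simplification, and the rightid values CN=grandrapids and CN=sanjose are placeholders for whatever distinct identities the per-site certificates would carry.

```python
"""Lint for strongSwan's uniqueids collision (added example, not strongSwan code)."""
import re
from collections import defaultdict

# Constructed sample, modelled on the ipsec.conf posted in the thread.
IPSEC_CONF_BROKEN = """\
config setup
    charonstart=no
    plutostart=yes
    nat_traversal=yes

conn %default
    keyexchange=ikev1
    left=216.130.102.66
    leftid="C=US, O=PRIVATE VPN Services, CN=cw1.private.com"
    leftcert=cw1.private.com.crt
    right=%any
    auto=add

conn grandrapids
    rightsubnet=192.168.112.0/24

conn sanjose
    rightsubnet=192.168.161.0/24
"""

# Same file after the proper fix: one certificate and one identity per site.
# The rightid values are placeholders assumed by this example.
IPSEC_CONF_FIXED = IPSEC_CONF_BROKEN.replace(
    "conn grandrapids\n", 'conn grandrapids\n    rightid="CN=grandrapids"\n'
).replace("conn sanjose\n", 'conn sanjose\n    rightid="CN=sanjose"\n')


def parse_ipsec_conf(text):
    """Return ({setup options}, {conn name: effective options}).
    Values from conn %default are inherited by every other conn."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():          # section header: 'config setup' / 'conn X'
            kind, name = line.split(None, 1)
            current = sections.setdefault((kind, name), {})
            continue
        key, _, value = line.strip().partition("=")
        current[key.strip()] = value.strip().strip('"')
    setup = sections.get(("config", "setup"), {})
    default = sections.get(("conn", "%default"), {})
    conns = {name: {**default, **opts}
             for (kind, name), opts in sections.items()
             if kind == "conn" and name != "%default"}
    return setup, conns


def uniqueids_collisions(text):
    """Groups of conns that cannot be told apart by remote identity while
    uniqueids is in effect.  Without rightid the peer is identified only by
    the subject of the certificate it presents, so two conns with right=%any
    collide as soon as both peers present the same DN."""
    setup, conns = parse_ipsec_conf(text)
    if setup.get("uniqueids", "yes").lower() == "no":
        return []                          # workaround: duplicate IDs are tolerated
    by_id = defaultdict(list)
    for name, opts in conns.items():
        by_id[opts.get("rightid", opts.get("right", "%any"))].append(name)
    return [sorted(names) for names in by_id.values() if len(names) > 1]


PEER_ID_RE = re.compile(r'"(?P<conn>[^"]+)"\[\d+\] (?P<ip>[\d.]+) #\d+: Peer ID is '
                        r"ID_DER_ASN1_DN: '(?P<dn>[^']+)'")


def shared_peer_ids(log_lines):
    """Map each DN from pluto 'Peer ID is' lines to the peer addresses that
    presented it; a DN seen from more than one address is the uniqueids trigger."""
    seen = defaultdict(set)
    for line in log_lines:
        m = PEER_ID_RE.search(line)
        if m:
            seen[m.group("dn")].add(m.group("ip"))
    return {dn: ips for dn, ips in seen.items() if len(ips) > 1}


# Constructed log lines patterned on the pluto output in the thread.
SAMPLE_LOG = [
    "Oct 20 14:30:02 cw1 pluto[10473]: \"sanjose\"[1] 66.127.20.234 #1: Peer ID is ID_DER_ASN1_DN: 'CN=Crossbow'",
    "Oct 20 14:36:46 cw1 pluto[10473]: \"sanjose\"[3] 50.192.114.17 #3: Peer ID is ID_DER_ASN1_DN: 'CN=Crossbow'",
    "Oct 20 14:36:46 cw1 pluto[10473]: \"sanjose\"[4] 50.192.114.17 #3: deleting connection \"sanjose\" instance with peer 66.127.20.234 {isakmp=#1/ipsec=#2}",
]

if __name__ == "__main__":
    print("collisions (as posted):", uniqueids_collisions(IPSEC_CONF_BROKEN))
    print("collisions (distinct rightid):", uniqueids_collisions(IPSEC_CONF_FIXED))
    print("collisions (uniqueids=no):", uniqueids_collisions(
        IPSEC_CONF_BROKEN.replace("config setup\n", "config setup\n    uniqueids=no\n")))
    print("DNs presented from several peers:", shared_peer_ids(SAMPLE_LOG))
```

Run it against a copy of your own ipsec.conf and /var/log/auth.log (or wherever pluto logs on your system) to see which of the two fixes applies: an empty collision list with uniqueids=no confirms the workaround, while an empty list with distinct rightid values confirms the per-site certificates are in place. Note that the lint only reads the configuration; it cannot see certificate subjects, which is why the log check is included alongside it.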
