<div>Hi,</div>
<div> </div>
<div>I'm using strongSwan version 4.4.1 and I have 4 IKEv1 host-to-any connections, each with the configuration below:</div>
<div> </div>
<div>conn conn91<br> type=tunnel<br> leftsubnet=10.46.155.203/32<br> rightsubnet=0.0.0.0/0<br> left=10.46.155.203 (VLAN tunnel endpoint)<br> right=192.168.13.4<br>
keyexchange=ikev1<br> ike=aes128-sha1-modp1024!<br> ikelifetime=85992s<br> esp=null-sha1!<br> authby=pubkey<br> rightid=%any<br> keylife=86400s<br> dpdaction=restart<br> dpddelay=300<br> dpdtimeout=120</div>
<div> </div>
<div>conn conn92</div>
<div>......</div>
<div> </div>
<div>
<div>conn conn93</div>
<div>......</div>
<div> </div>
<div>
<div>conn conn94</div>
<div>.......</div>
<div> </div>
<div>I see that the first connections 94, 93 and 92 are established, while connection 91 fails with this error:</div>
<div> </div>
<div> 18669 WAR 01:06:45 140ms syslogd.c(134) "pluto[2146]: "conn94" #24: certificate status unknown"<br> 18671 WAR 01:06:45 148ms syslogd.c(134) "pluto[2146]: "conn94" #24: we require peer to have ID '192.168.13.28', but peer declares 'cisco_move_cert@nsn.com'"<br>
18673 WAR 01:06:45 148ms syslogd.c(134) "pluto[2146]: "conn94" #24: ISAKMP SA established"<br> 18675 WAR 01:06:45 149ms syslogd.c(134) "pluto[2146]: "conn94" #25: initiating Quick Mode PUBKEY+ENCRYPT+TUNNEL+UP {using isakmp#24}"<br>
18677 WAR 01:06:45 152ms syslogd.c(134) "pluto[2146]: "conn94" #25: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME"<br> 18679 WAR 01:06:45 152ms syslogd.c(134) "pluto[2146]: "conn94" #25: You should NOT use insecure ESP algorithms [NULL (0)]!"<br>
18681 WAR 01:06:45 153ms syslogd.c(134) "pluto[2146]: "conn94" #25: cannot route -- route already in use for "conn91""<br> 18724 WAR 01:06:50 153ms syslogd.c(134) "pluto[2146]: "conn94" #25: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME"<br>
18726 WAR 01:06:50 154ms syslogd.c(134) "pluto[2146]: "conn94" #25: You should NOT use insecure ESP algorithms [NULL (0)]!"<br> 18728 WAR 01:06:50 154ms syslogd.c(134) "pluto[2146]: "conn94" #25: cannot route -- route already in use for "conn91""<br>
18843 WAR 01:07:09 843ms syslogd.c(134) "pluto[2146]: "conn93" #22: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME"<br> 18845 WAR 01:07:09 845ms syslogd.c(134) "pluto[2146]: "conn93" #22: You should NOT use insecure ESP algorithms [NULL (0)]!"<br>
18847 WAR 01:07:09 846ms syslogd.c(134) "pluto[2146]: "conn93" #22: cannot route -- route already in use for "conn91""<br> 18849 WAR 01:07:09 846ms syslogd.c(134) "pluto[2146]: "conn92" #23: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME"<br>
18851 WAR 01:07:09 846ms syslogd.c(134) "pluto[2146]: "conn92" #23: You should NOT use insecure ESP algorithms [NULL (0)]!"<br> 18853 WAR 01:07:09 846ms syslogd.c(134) "pluto[2146]: "conn92" #23: cannot route -- route already in use for "conn91""<br>
18871 WAR 01:07:14 226ms syslogd.c(134) "pluto[2146]: "conn93" #21: received Delete SA payload: deleting ISAKMP State #21"<br> 18873 WAR 01:07:14 228ms syslogd.c(134) "pluto[2146]: "conn92" #20: received Delete SA payload: deleting ISAKMP State #20"<br>
18890 WAR 01:07:15 222ms syslogd.c(134) "pluto[2146]: "conn94" #25: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME"<br> 18892 WAR 01:07:15 223ms syslogd.c(134) "pluto[2146]: "conn94" #25: You should NOT use insecure ESP algorithms [NULL (0)]!"<br>
18894 WAR 01:07:15 223ms syslogd.c(134) "pluto[2146]: "conn94" #25: cannot route -- route already in use for "conn91""<br> 18917 WAR 01:07:19 228ms syslogd.c(134) "pluto[2146]: "conn94" #24: received Delete SA payload: deleting ISAKMP State #24"</div>
</div></div>
<div> </div>
<div>I see that the SAs are getting deleted and re-established each time with this error. This is the ipsec status:</div>
<div> </div>
<div>000<br>000 #4: "conn91" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 85133s; newest IPSEC; eroute owner<br>000 #4: "conn91" esp.16012697@192.168.13.4 (0 bytes) esp.fdb38409@10.46.155.203 (896 bytes, 34s ago); tunnel<br>
000 #1: "conn91" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 84701s; newest ISAKMP; DPD active<br>000 #28: "conn92" STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 14s<br>000 #26: "conn92" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 84922s; newest ISAKMP; DPD active<br>
000 #29: "conn93" STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 14s<br>000 #27: "conn93" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 84942s; newest ISAKMP; DPD active<br>
000 #31: "conn94" STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 0s<br>000 #30: "conn94" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 85099s; newest ISAKMP; DPD active<br>000</div>
<div> </div>
<div>This is happening only in IKEv1 with more than 3 connections. Please suggest.</div>
<div> </div>
<div>Thanks,</div>
<div>Swetha</div>
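<div>Added example (not from the poster or from strongSwan): a small Python check that parses ipsec.conf conn blocks, groups connections by identical leftsubnet/rightsubnet pair, and pulls the "route already in use" pairs out of pluto log lines so the two views can be compared. The config and log lines below are constructed samples; conn92 is assumed to repeat conn91's selectors, which the post elides.</div>

```python
import re
from collections import defaultdict

# Constructed sample config: conn92 is ASSUMED to copy conn91's selectors
# (the post only shows conn91 in full); conn95 is a non-conflicting control.
SAMPLE_CONF = """
conn conn91
    leftsubnet=10.46.155.203/32
    rightsubnet=0.0.0.0/0
    left=10.46.155.203
    right=192.168.13.4
conn conn92
    leftsubnet=10.46.155.203/32
    rightsubnet=0.0.0.0/0
    left=10.46.155.203
    right=192.168.13.5
conn conn95
    leftsubnet=10.46.155.203/32
    rightsubnet=10.0.0.0/8
"""

# Constructed pluto lines in the same shape as the post's syslog output.
SAMPLE_LOG = """\
18681 WAR 01:06:45 153ms syslogd.c(134) "pluto[2146]: "conn94" #25: cannot route -- route already in use for "conn91""
18853 WAR 01:07:09 846ms syslogd.c(134) "pluto[2146]: "conn92" #23: cannot route -- route already in use for "conn91""
"""

def parse_conns(text):
    """Return {conn_name: {option: value}} from ipsec.conf-style text."""
    conns, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            cur = m.group(1)
            conns[cur] = {}
        elif cur and "=" in line:
            key, val = line.split("=", 1)
            conns[cur][key.strip()] = val.strip()
    return conns

def selector_conflicts(conns):
    """Group conns by exact (leftsubnet, rightsubnet) pair; pluto keeps one
    eroute per pair, so several conns sharing a pair compete for it.
    Falls back to the host address when a subnet is omitted."""
    groups = defaultdict(list)
    for name, opts in conns.items():
        key = (opts.get("leftsubnet", opts.get("left")),
               opts.get("rightsubnet", opts.get("right")))
        groups[key].append(name)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}

ROUTE_RE = re.compile(r'"(?P<loser>[^"]+)" #\d+: cannot route -- '
                      r'route already in use for "(?P<owner>[^"]+)"')

def route_conflicts(log):
    """Return sorted (failing conn, route-owning conn) pairs from pluto logs."""
    return sorted({(m.group("loser"), m.group("owner"))
                   for m in ROUTE_RE.finditer(log)})
```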