[strongSwan] Issues establishing multiple IKEv1 Site-to-Site Tunnels to the same peer

Jeff Leung jleung at v10networks.ca
Thu Feb 12 09:57:04 CET 2015


Hello all,

As you may know around the VyOS/EdgeOS community, I am the poor guy who
decided to upgrade the strongSwan stack from 4.5.2 to 5.2.2. Yes, it was
an eye-opener on how the scripts were written back in the day, and I'm
surprised it still even works today.

During testing, I've noticed that establishing multiple IKEv1 tunnels
between strongSwan 5.2.2 peers doesn't work as expected, with both
configurations being generated by VyOS/EdgeOS/Vyatta's vpn-config.pl.
One of the tunnels specified in ipsec.conf does work, but the other one
does not. I am pasting charon's log output from ike/cfg at level 2:

-- BEGIN LOG--
Feb 12 08:41:14 vyos-2 ipsec_starter[2970]: Starting strongSwan 5.2.2
IPsec [starter]...
Feb 12 08:41:14 vyos-2 ipsec_starter[2970]: # deprecated keyword
'interfaces' in config setup
Feb 12 08:41:14 vyos-2 ipsec_starter[2970]: ### 1 parsing error (0
fatal) ###
Feb 12 08:41:14 vyos-2 ipsec_starter[2986]: charon (2987) started after
20 ms
Feb 12 08:41:14 vyos-2 charon: 12[IKE] initiating Main Mode IKE_SA
peer-192.168.2.1-tunnel-0[1] to 192.168.2.1
Feb 12 08:41:39 vyos-2 charon: 04[IKE] sending retransmit 3 of request
message ID 0, seq 1
Feb 12 08:41:45 vyos-2 charon: 16[CFG] looking for an ike config for
192.168.2.2...192.168.2.1
Feb 12 08:41:45 vyos-2 charon: 16[CFG]   candidate:
192.168.2.2...192.168.2.1, prio 3100
Feb 12 08:41:45 vyos-2 charon: 16[CFG] found matching ike config:
192.168.2.2...192.168.2.1 with prio 3100
Feb 12 08:41:45 vyos-2 charon: 16[IKE] received XAuth vendor ID
Feb 12 08:41:45 vyos-2 charon: 16[IKE] received DPD vendor ID
Feb 12 08:41:45 vyos-2 charon: 16[IKE] received NAT-T (RFC 3947) vendor
ID
Feb 12 08:41:45 vyos-2 charon: 16[IKE] received
draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Feb 12 08:41:45 vyos-2 charon: 16[IKE] 192.168.2.1 is initiating a Main
Mode IKE_SA
Feb 12 08:41:45 vyos-2 charon: 16[IKE] IKE_SA (unnamed)[2] state change:
CREATED => CONNECTING
Feb 12 08:41:45 vyos-2 charon: 16[CFG] selecting proposal:
Feb 12 08:41:45 vyos-2 charon: 16[CFG]   proposal matches
Feb 12 08:41:45 vyos-2 charon: 16[CFG] received proposals:
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 12 08:41:45 vyos-2 charon: 16[CFG] configured proposals:
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 12 08:41:45 vyos-2 charon: 16[CFG] selected proposal:
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 12 08:41:45 vyos-2 charon: 16[IKE] sending XAuth vendor ID
Feb 12 08:41:45 vyos-2 charon: 16[IKE] sending DPD vendor ID
Feb 12 08:41:45 vyos-2 charon: 16[IKE] sending NAT-T (RFC 3947) vendor
ID
Feb 12 08:41:45 vyos-2 charon: 06[CFG] looking for pre-shared key peer
configs matching 192.168.2.2...192.168.2.1[192.168.2.1]
Feb 12 08:41:45 vyos-2 charon: 06[CFG]   candidate
"peer-192.168.2.1-tunnel-0", match: 1/20/3100 (me/other/ike)
Feb 12 08:41:45 vyos-2 charon: 06[CFG] selected peer config
"peer-192.168.2.1-tunnel-0"
Feb 12 08:41:45 vyos-2 charon: 06[IKE] IKE_SA
peer-192.168.2.1-tunnel-0[2] established between
192.168.2.2[192.168.2.2]...192.168.2.1[192.168.2.1]
Feb 12 08:41:45 vyos-2 charon: 06[IKE] IKE_SA
peer-192.168.2.1-tunnel-0[2] state change: CONNECTING => ESTABLISHED
Feb 12 08:41:45 vyos-2 charon: 06[IKE] scheduling reauthentication in
27939s
Feb 12 08:41:45 vyos-2 charon: 06[IKE] maximum IKE_SA lifetime 28479s
Feb 12 08:41:45 vyos-2 charon: 03[CFG] looking for a child config for
192.168.4.0/24 === 192.168.3.0/24
Feb 12 08:41:45 vyos-2 charon: 03[CFG] proposing traffic selectors for
us:
Feb 12 08:41:45 vyos-2 charon: 03[CFG]  192.168.4.0/24
Feb 12 08:41:45 vyos-2 charon: 03[CFG] proposing traffic selectors for
other:
Feb 12 08:41:45 vyos-2 charon: 03[CFG]  192.168.3.0/24
Feb 12 08:41:45 vyos-2 charon: 03[CFG]   candidate
"peer-192.168.2.1-tunnel-0" with prio 5+5
Feb 12 08:41:45 vyos-2 charon: 03[CFG] proposing traffic selectors for
us:
Feb 12 08:41:45 vyos-2 charon: 03[CFG]  10.0.11.0/24
Feb 12 08:41:45 vyos-2 charon: 03[CFG] proposing traffic selectors for
other:
Feb 12 08:41:45 vyos-2 charon: 03[CFG]  10.0.10.0/24
Feb 12 08:41:45 vyos-2 charon: 03[CFG] found matching child config
"peer-192.168.2.1-tunnel-0" with prio 10
Feb 12 08:41:45 vyos-2 charon: 03[CFG] selecting traffic selectors for
other:
Feb 12 08:41:45 vyos-2 charon: 03[CFG]  config: 192.168.3.0/24,
received: 192.168.3.0/24 => match: 192.168.3.0/24
Feb 12 08:41:45 vyos-2 charon: 03[CFG] selecting traffic selectors for
us:
Feb 12 08:41:45 vyos-2 charon: 03[CFG]  config: 192.168.4.0/24,
received: 192.168.4.0/24 => match: 192.168.4.0/24
Feb 12 08:41:45 vyos-2 charon: 03[CFG] selecting proposal:
Feb 12 08:41:45 vyos-2 charon: 03[CFG]   proposal matches
Feb 12 08:41:45 vyos-2 charon: 03[CFG] received proposals:
ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Feb 12 08:41:45 vyos-2 charon: 03[CFG] configured proposals:
ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Feb 12 08:41:45 vyos-2 charon: 03[CFG] selected proposal:
ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Feb 12 08:41:45 vyos-2 charon: 04[IKE] CHILD_SA
peer-192.168.2.1-tunnel-0{1} established with SPIs c527ed28_i c63527a1_o
and TS 192.168.4.0/24 === 192.168.3.0/24
Feb 12 08:41:45 vyos-2 charon: 04[CFG] looking for a child config for
10.0.11.0/24 === 10.0.10.0/24
Feb 12 08:41:45 vyos-2 charon: 04[CFG] proposing traffic selectors for
us:
Feb 12 08:41:45 vyos-2 charon: 04[CFG]  192.168.4.0/24
Feb 12 08:41:45 vyos-2 charon: 04[CFG] proposing traffic selectors for
other:
Feb 12 08:41:45 vyos-2 charon: 04[CFG]  192.168.3.0/24
Feb 12 08:41:45 vyos-2 charon: 04[CFG] proposing traffic selectors for
us:
Feb 12 08:41:45 vyos-2 charon: 04[CFG]  10.0.11.0/24
Feb 12 08:41:45 vyos-2 charon: 04[CFG] proposing traffic selectors for
other:
Feb 12 08:41:45 vyos-2 charon: 04[CFG]  10.0.10.0/24
Feb 12 08:41:45 vyos-2 charon: 04[CFG]   candidate
"peer-192.168.2.1-tunnel-1" with prio 5+5
Feb 12 08:41:45 vyos-2 charon: 04[CFG] found matching child config
"peer-192.168.2.1-tunnel-1" with prio 10
Feb 12 08:41:45 vyos-2 charon: 04[CFG] selecting traffic selectors for
other:
Feb 12 08:41:45 vyos-2 charon: 04[CFG]  config: 10.0.10.0/24, received:
10.0.10.0/24 => match: 10.0.10.0/24
Feb 12 08:41:45 vyos-2 charon: 04[CFG] selecting traffic selectors for
us:
Feb 12 08:41:45 vyos-2 charon: 04[CFG]  config: 10.0.11.0/24, received:
10.0.11.0/24 => match: 10.0.11.0/24
Feb 12 08:41:45 vyos-2 charon: 04[CFG] selecting proposal:
Feb 12 08:41:45 vyos-2 charon: 04[CFG]   proposal matches
Feb 12 08:41:45 vyos-2 charon: 04[CFG] received proposals:
ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Feb 12 08:41:45 vyos-2 charon: 04[CFG] configured proposals:
ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Feb 12 08:41:45 vyos-2 charon: 04[CFG] selected proposal:
ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Feb 12 08:41:45 vyos-2 charon: 12[IKE] CHILD_SA
peer-192.168.2.1-tunnel-1{2} established with SPIs c3108539_i cadb681d_o
and TS 10.0.11.0/24 === 10.0.10.0/24
Feb 12 08:42:02 vyos-2 charon: 03[IKE] sending retransmit 4 of request
message ID 0, seq 1
Feb 12 08:42:02 vyos-2 charon: 02[IKE] received XAuth vendor ID
Feb 12 08:42:02 vyos-2 charon: 02[IKE] received DPD vendor ID
Feb 12 08:42:02 vyos-2 charon: 02[IKE] received NAT-T (RFC 3947) vendor
ID
Feb 12 08:42:02 vyos-2 charon: 02[CFG] selecting proposal:
Feb 12 08:42:02 vyos-2 charon: 02[CFG]   proposal matches
Feb 12 08:42:02 vyos-2 charon: 02[CFG] received proposals:
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 12 08:42:02 vyos-2 charon: 02[CFG] configured proposals:
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 12 08:42:02 vyos-2 charon: 02[CFG] selected proposal:
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 12 08:42:02 vyos-2 charon: 02[IKE] reinitiating already active tasks
Feb 12 08:42:02 vyos-2 charon: 02[IKE]   ISAKMP_VENDOR task
Feb 12 08:42:02 vyos-2 charon: 02[IKE]   MAIN_MODE task
Feb 12 08:42:02 vyos-2 charon: 01[IKE] reinitiating already active tasks
Feb 12 08:42:02 vyos-2 charon: 01[IKE]   ISAKMP_VENDOR task
Feb 12 08:42:02 vyos-2 charon: 01[IKE]   MAIN_MODE task
Feb 12 08:42:02 vyos-2 charon: 04[IKE] IKE_SA
peer-192.168.2.1-tunnel-0[1] established between
192.168.2.2[192.168.2.2]...192.168.2.1[192.168.2.1]
Feb 12 08:42:02 vyos-2 charon: 04[IKE] IKE_SA
peer-192.168.2.1-tunnel-0[1] state change: CONNECTING => ESTABLISHED
Feb 12 08:42:02 vyos-2 charon: 04[IKE] scheduling reauthentication in
27857s
Feb 12 08:42:02 vyos-2 charon: 04[IKE] maximum IKE_SA lifetime 28397s
Feb 12 08:42:02 vyos-2 charon: 04[IKE] activating new tasks
Feb 12 08:42:02 vyos-2 charon: 04[IKE]   activating QUICK_MODE task
Feb 12 08:42:02 vyos-2 charon: 04[CFG] configured proposals:
ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Feb 12 08:42:02 vyos-2 charon: 04[CFG] configured proposals:
ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Feb 12 08:42:02 vyos-2 charon: 04[CFG] proposing traffic selectors for
us:
Feb 12 08:42:02 vyos-2 charon: 04[CFG]  192.168.4.0/24
Feb 12 08:42:02 vyos-2 charon: 04[CFG] proposing traffic selectors for
other:
Feb 12 08:42:02 vyos-2 charon: 04[CFG]  192.168.3.0/24
Feb 12 08:42:02 vyos-2 charon: 12[CFG] selecting proposal:
Feb 12 08:42:02 vyos-2 charon: 12[CFG]   proposal matches
Feb 12 08:42:02 vyos-2 charon: 12[CFG] received proposals:
ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Feb 12 08:42:02 vyos-2 charon: 12[CFG] configured proposals:
ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Feb 12 08:42:02 vyos-2 charon: 12[CFG] selected proposal:
ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Feb 12 08:42:02 vyos-2 charon: 12[CFG] unable to install policy
192.168.4.0/24 === 192.168.3.0/24 out (mark 0/0x00000000) for reqid 3,
the same policy for reqid 1 exists
Feb 12 08:42:02 vyos-2 charon: 12[CFG] unable to install policy
192.168.3.0/24 === 192.168.4.0/24 in (mark 0/0x00000000) for reqid 3,
the same policy for reqid 1 exists
Feb 12 08:42:02 vyos-2 charon: 12[CFG] unable to install policy
192.168.3.0/24 === 192.168.4.0/24 fwd (mark 0/0x00000000) for reqid 3,
the same policy for reqid 1 exists
Feb 12 08:42:02 vyos-2 charon: 12[CFG] unable to install policy
192.168.4.0/24 === 192.168.3.0/24 out (mark 0/0x00000000) for reqid 3,
the same policy for reqid 1 exists
Feb 12 08:42:02 vyos-2 charon: 12[CFG] unable to install policy
192.168.3.0/24 === 192.168.4.0/24 in (mark 0/0x00000000) for reqid 3,
the same policy for reqid 1 exists
Feb 12 08:42:02 vyos-2 charon: 12[CFG] unable to install policy
192.168.3.0/24 === 192.168.4.0/24 fwd (mark 0/0x00000000) for reqid 3,
the same policy for reqid 1 exists
Feb 12 08:42:02 vyos-2 charon: 12[IKE] unable to install IPsec policies
(SPD) in kernel
Feb 12 08:42:02 vyos-2 charon: 12[IKE] queueing INFORMATIONAL task
Feb 12 08:42:02 vyos-2 charon: 12[IKE] activating new tasks
Feb 12 08:42:02 vyos-2 charon: 12[IKE]   activating QUICK_MODE task
Feb 12 08:42:02 vyos-2 charon: 12[CFG] configured proposals:
ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Feb 12 08:42:02 vyos-2 charon: 12[CFG] configured proposals:
ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Feb 12 08:42:02 vyos-2 charon: 12[CFG] proposing traffic selectors for
us:
Feb 12 08:42:02 vyos-2 charon: 12[CFG]  10.0.11.0/24
Feb 12 08:42:02 vyos-2 charon: 12[CFG] proposing traffic selectors for
other:
Feb 12 08:42:02 vyos-2 charon: 12[CFG]  10.0.10.0/24
Feb 12 08:42:06 vyos-2 charon: 16[IKE] sending retransmit 1 of request
message ID 1519727818, seq 5
Feb 12 08:42:12 vyos-2 charon: 05[IKE] queueing ISAKMP_DELETE task
Feb 12 08:42:12 vyos-2 charon: 05[IKE] activating new tasks
Feb 12 08:42:12 vyos-2 charon: 05[IKE]   activating ISAKMP_DELETE task
Feb 12 08:42:12 vyos-2 charon: 05[IKE] deleting IKE_SA
peer-192.168.2.1-tunnel-0[2] between
192.168.2.2[192.168.2.2]...192.168.2.1[192.168.2.1]
Feb 12 08:42:12 vyos-2 charon: 05[IKE] sending DELETE for IKE_SA
peer-192.168.2.1-tunnel-0[2]
Feb 12 08:42:12 vyos-2 charon: 05[IKE] IKE_SA
peer-192.168.2.1-tunnel-0[2] state change: ESTABLISHED => DELETING
Feb 12 08:42:12 vyos-2 charon: 05[IKE] IKE_SA
peer-192.168.2.1-tunnel-0[2] state change: DELETING => DESTROYING
Feb 12 08:42:13 vyos-2 charon: 02[IKE] sending retransmit 2 of request
message ID 1519727818, seq 5
Feb 12 08:42:26 vyos-2 charon: 04[IKE] sending retransmit 3 of request
message ID 1519727818, seq 5
Feb 12 08:42:29 vyos-2 charon: 12[CFG] proposing traffic selectors for
us:
Feb 12 08:42:29 vyos-2 charon: 12[CFG]  192.168.4.0/24
Feb 12 08:42:29 vyos-2 charon: 12[CFG] proposing traffic selectors for
other:
Feb 12 08:42:29 vyos-2 charon: 12[CFG]  192.168.3.0/24
Feb 12 08:42:29 vyos-2 charon: 12[CFG] proposing traffic selectors for
us:
Feb 12 08:42:29 vyos-2 charon: 12[CFG]  10.0.11.0/24
Feb 12 08:42:29 vyos-2 charon: 12[CFG] proposing traffic selectors for
other:
Feb 12 08:42:29 vyos-2 charon: 12[CFG]  10.0.10.0/24
Feb 12 08:42:49 vyos-2 charon: 04[IKE] sending retransmit 4 of request
message ID 1519727818, seq 5
Feb 12 08:43:31 vyos-2 charon: 16[IKE] sending retransmit 5 of request
message ID 1519727818, seq 5
Feb 12 08:43:44 vyos-2 charon: 03[CFG] proposing traffic selectors for
us:
Feb 12 08:43:44 vyos-2 charon: 03[CFG]  192.168.4.0/24
Feb 12 08:43:44 vyos-2 charon: 03[CFG] proposing traffic selectors for
other:
Feb 12 08:43:44 vyos-2 charon: 03[CFG]  192.168.3.0/24
Feb 12 08:43:44 vyos-2 charon: 03[CFG] proposing traffic selectors for
us:
Feb 12 08:43:44 vyos-2 charon: 03[CFG]  10.0.11.0/24
Feb 12 08:43:44 vyos-2 charon: 03[CFG] proposing traffic selectors for
other:
Feb 12 08:43:44 vyos-2 charon: 03[CFG]  10.0.10.0/24
Feb 12 08:43:53 vyos-2 charon: 11[CFG] proposing traffic selectors for
us:
Feb 12 08:43:53 vyos-2 charon: 11[CFG]  192.168.4.0/24
Feb 12 08:43:53 vyos-2 charon: 11[CFG] proposing traffic selectors for
other:
Feb 12 08:43:53 vyos-2 charon: 11[CFG]  192.168.3.0/24
Feb 12 08:43:53 vyos-2 charon: 11[CFG] proposing traffic selectors for
us:
Feb 12 08:43:53 vyos-2 charon: 11[CFG]  10.0.11.0/24
Feb 12 08:43:53 vyos-2 charon: 11[CFG] proposing traffic selectors for
other:
Feb 12 08:43:53 vyos-2 charon: 11[CFG]  10.0.10.0/24
--END LOG--

The following is the output of ipsec statusall
--BEGIN STATUS ALL--
Status of IKE charon daemon (strongSwan 5.2.2, Linux
3.13.11-1-amd64-vyos, x86_64):
  uptime: 2 minutes, since Feb 12 08:41:14 2015
  malloc: sbrk 516096, mmap 0, used 444752, free 71344
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 5
  loaded plugins: charon ldap sqlite pkcs11 aes des sha1 sha2 md5 random
nonce x509 revocation constraints pubkey pkcs1 pkcs8 pem openssl agent
xcbc cmac ctr ccm gcm curl attr kernel-netlink resolve socket-default
farp stroke updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls
xauth-generic xauth-eap dhcp addrblock
Listening IP addresses:
  192.168.2.2
  192.168.4.1
  10.0.11.1
Connections:
peer-192.168.2.1-tunnel-0:  192.168.2.2...192.168.2.1  IKEv1
peer-192.168.2.1-tunnel-0:   local:  [192.168.2.2] uses pre-shared key
authentication
peer-192.168.2.1-tunnel-0:   remote: [192.168.2.1] uses pre-shared key
authentication
peer-192.168.2.1-tunnel-0:   child:  192.168.4.0/24 === 192.168.3.0/24
TUNNEL
peer-192.168.2.1-tunnel-1:   child:  10.0.11.0/24 === 10.0.10.0/24
TUNNEL
Security Associations (1 up, 0 connecting):
peer-192.168.2.1-tunnel-0[1]: ESTABLISHED 111 seconds ago,
192.168.2.2[192.168.2.2]...192.168.2.1[192.168.2.1]
peer-192.168.2.1-tunnel-0[1]: IKEv1 SPIs: 0878a00b87dcc65c_i*
3b2c83b7e08b7fb6_r, pre-shared key reauthentication in 7 hours
peer-192.168.2.1-tunnel-0[1]: IKE proposal:
AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
peer-192.168.2.1-tunnel-0[1]: Tasks queued: INFORMATIONAL
peer-192.168.2.1-tunnel-0[1]: Tasks active: QUICK_MODE
peer-192.168.2.1-tunnel-0{1}:  INSTALLED, TUNNEL, ESP SPIs: c527ed28_i
c63527a1_o
peer-192.168.2.1-tunnel-0{1}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 84
bytes_o (1 pkt, 68s ago), rekeying in 41 minutes
peer-192.168.2.1-tunnel-0{1}:   192.168.4.0/24 === 192.168.3.0/24
peer-192.168.2.1-tunnel-1{2}:  INSTALLED, TUNNEL, ESP SPIs: c3108539_i
cadb681d_o
peer-192.168.2.1-tunnel-1{2}:  AES_CBC_256/HMAC_SHA1_96, 252 bytes_i (3
pkts, 59s ago), 252 bytes_o (3 pkts, 59s ago), rekeying in 40 minutes
peer-192.168.2.1-tunnel-1{2}:   10.0.11.0/24 === 10.0.10.0/24
--END STATUS ALL--

As you can see from the log and status outputs above, it's choking on
sending out INFORMATIONAL packets.

This is the ipsec.conf file that vpn-config.pl generates:

--BEGIN CONFIG--
# generated by /opt/vyatta/sbin/vpn-config.pl

config setup
        interfaces="%none"

conn clear
        auto=ignore

conn clear-or-private
        auto=ignore

conn private-or-clear
        auto=ignore

conn private
        auto=ignore

conn block
        auto=ignore

conn packetdefault
        auto=ignore

conn %default
        keyexchange=ikev1

conn peer-192.168.2.1-tunnel-0
        left=192.168.2.2
        right=192.168.2.1
        leftsubnet=192.168.4.0/24
        rightsubnet=192.168.3.0/24
        ike=aes256-sha1-modp1024!
        keyexchange=ikev1
        ikelifetime=28800s
        esp=aes256-sha1-modp1024!
        keylife=3600s
        rekeymargin=540s
        type=tunnel
        compress=no
        authby=secret
        auto=start
        keyingtries=%forever
#conn peer-192.168.2.1-tunnel-0

conn peer-192.168.2.1-tunnel-1
        left=192.168.2.2
        right=192.168.2.1
        leftsubnet=10.0.11.0/24
        rightsubnet=10.0.10.0/24
        ike=aes256-sha1-modp1024!
        keyexchange=ikev1
        ikelifetime=28800s
        esp=aes256-sha1-modp1024!
        keylife=3600s
        rekeymargin=540s
        type=tunnel
        compress=no
        authby=secret
        auto=start
        keyingtries=%forever
#conn peer-192.168.2.1-tunnel-1

include /etc/dmvpn.conf
--END CONFIG--

For troubleshooting purposes, I have deleted the conn clear,
clear-or-private, private-or-clear, private, packetdefault, block
directives to ensure that leftover pluto definitions were not causing
issues. Once they were removed, both ends with similar
configurations started to successfully establish multiple IKEv1 tunnels
to the same peer.

Were there changes from the days of pluto that are now considered
incompatible with strongSwan?

-- Jeff
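The symptom in the log above is that two IKE_SA instances of the same peer config (the locally initiated [1] and the peer-initiated [2]) both reach ESTABLISHED, after which the Quick Mode for the second one fails with "unable to install policy ... the same policy for reqid 1 exists". The following is an added example, not code from the post or from strongSwan, that pulls exactly those events out of charon log lines so the condition can be spotted without reading the whole log; the sample lines are a subset excerpted from the post's own log.

```python
import re
from collections import defaultdict

# Sample charon lines, excerpted from the log in the post above (constructed subset).
SAMPLE_LOG = """\
Feb 12 08:41:14 vyos-2 charon: 12[IKE] initiating Main Mode IKE_SA peer-192.168.2.1-tunnel-0[1] to 192.168.2.1
Feb 12 08:41:45 vyos-2 charon: 16[IKE] IKE_SA (unnamed)[2] state change: CREATED => CONNECTING
Feb 12 08:41:45 vyos-2 charon: 06[IKE] IKE_SA peer-192.168.2.1-tunnel-0[2] state change: CONNECTING => ESTABLISHED
Feb 12 08:42:02 vyos-2 charon: 04[IKE] IKE_SA peer-192.168.2.1-tunnel-0[1] state change: CONNECTING => ESTABLISHED
Feb 12 08:42:02 vyos-2 charon: 12[CFG] unable to install policy 192.168.4.0/24 === 192.168.3.0/24 out (mark 0/0x00000000) for reqid 3, the same policy for reqid 1 exists
Feb 12 08:42:02 vyos-2 charon: 12[CFG] unable to install policy 192.168.3.0/24 === 192.168.4.0/24 in (mark 0/0x00000000) for reqid 3, the same policy for reqid 1 exists
Feb 12 08:42:02 vyos-2 charon: 12[IKE] unable to install IPsec policies (SPD) in kernel
Feb 12 08:42:12 vyos-2 charon: 05[IKE] IKE_SA peer-192.168.2.1-tunnel-0[2] state change: ESTABLISHED => DELETING
""".splitlines()

# The three charon messages this analysis keys on (formats as they appear in the post's log).
SA_STATE = re.compile(r"\[IKE\] IKE_SA (?P<name>\S+)\[(?P<id>\d+)\] state change: (?P<old>\w+) => (?P<new>\w+)")
POLICY_FAIL = re.compile(
    r"\[CFG\] unable to install policy (?P<src>\S+) === (?P<dst>\S+) (?P<dir>out|in|fwd) "
    r".*for reqid (?P<reqid>\d+), the same policy for reqid (?P<existing>\d+) exists")
SPD_FAIL = re.compile(r"\[IKE\] unable to install IPsec policies \(SPD\) in kernel")


def analyse(lines):
    """Walk charon log lines; return (ike_sas, policy_conflicts, spd_failures).

    ike_sas maps an IKE_SA unique id to {"name": peer config, "states": [...]};
    policy_conflicts is a list of (selector, direction, new_reqid, existing_reqid).
    """
    ike_sas = {}
    conflicts = []
    spd_failures = 0
    for line in lines:
        m = SA_STATE.search(line)
        if m:
            sa = ike_sas.setdefault(int(m["id"]), {"name": None, "states": []})
            if m["name"] != "(unnamed)":  # name is only known once a peer config has been selected
                sa["name"] = m["name"]
            sa["states"].append(m["new"])
            continue
        m = POLICY_FAIL.search(line)
        if m:
            conflicts.append((f'{m["src"]} === {m["dst"]}', m["dir"], int(m["reqid"]), int(m["existing"])))
            continue
        if SPD_FAIL.search(line):
            spd_failures += 1
    return ike_sas, conflicts, spd_failures


def duplicate_ike_sas(ike_sas):
    """Peer configs for which more than one IKE_SA instance reached ESTABLISHED."""
    by_name = defaultdict(list)
    for uid, sa in ike_sas.items():
        if sa["name"] and "ESTABLISHED" in sa["states"]:
            by_name[sa["name"]].append(uid)
    return {name: sorted(ids) for name, ids in by_name.items() if len(ids) > 1}


if __name__ == "__main__":
    sas, conflicts, spd = analyse(SAMPLE_LOG)
    for name, ids in duplicate_ike_sas(sas).items():
        print(f"{name}: IKE_SA instances {ids} were both ESTABLISHED")
    for sel, direction, new, old in conflicts:
        print(f"SPD conflict: {sel} {direction} reqid {new} clashes with reqid {old}")
    print(f"{spd} 'unable to install IPsec policies' event(s)")
```

Run against a full charon log (for example `journalctl -u strongswan` output or the syslog file the post was taken from), the same two functions report every peer config that ended up with colliding IKE_SAs and every duplicate SPD entry with the reqids involved.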

