
0002741: IPSEC - multiple tunnels - MantisBT Endian Bugtracker
ID: 0002741
Project: Endian Firewall
Category: Network related (VPN, uplinks)
View Status: public
Date Submitted: 2010-03-02 11:58
Last Update: 2010-05-26 17:23
Reporter: mvrk
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 2.3
Summary: 0002741: IPSEC - multiple tunnels
Description
I’ve an Endian Firewall 2.3 that is running openswan 2.4.13, and I’ve configured it to connect to another office's Cisco firewall.

The other side only gives me access to 2 IPs, not the whole subnet. My problem is that the 2 tunnels come up OK, but only the second one has access to my leftsubnet.

Both 10.112.32.78 and 10.112.32.70 can ping any IP on 192.168.2.0/24, but only 10.112.32.70 can really connect to any port of any IP on 192.168.2.0/24. It seems that the last tunnel to come up is the one that gets access to my network. This problem won’t happen on 2.6.x, but it is difficult to change to a new version on this system because the kernel has the old nat-t patch applied.

Any configuration I can make to avoid this problem?

This is my current configuration:

conn VDBSERVER
        dpdaction=restart
        dpddelay=30
        dpdtimeout=120
        left=my public ip
        leftnexthop=%defaultroute
        leftsubnet=192.168.2.0/24
        leftsourceip=192.168.2.254
        right=cisco public ip
        rightsubnet=10.112.32.78/32
        rightnexthop=%defaultroute
        leftid=my public ip
        rightid=cisco public ip
        authby=secret
        pfs=yes
        ikelifetime=1h
        keylife=8h
        ike=aes256-sha-modp1024
        esp=aes256-sha1
        auto=start

conn VTSERVER
        dpdaction=restart
        dpddelay=30
        dpdtimeout=120
        left=my public ip
        leftnexthop=%defaultroute
        leftsubnet=192.168.2.0/24
        leftsourceip=192.168.2.254
        right=cisco public ip
        rightsubnet=10.112.32.70/32
        rightnexthop=%defaultroute
        leftid=my public ip
        rightid=cisco public ip
        authby=secret
        pfs=yes
        ikelifetime=1h
        keylife=8h
        ike=aes256-sha-modp1024
        esp=aes256-sha1
        auto=start
Tags: No tags attached.
Attached Files

Relationships
child of 0001935 (confirmed, peter-endian): issues to fix with ipsec (openswan)

Notes
(0003914) peter-endian (administrator), 2010-03-04 14:01

Unfortunately we can't update openswan right now; a kernel upgrade which allows an upgrade of openswan is scheduled for the next version.

Now to the problem. We have such scenarios, but they do not have that issue.
Can you try to analyze if you see packets coming on your tunnel side? (with tcpdump)

If you can ping you should be able also to connect to a port unless a firewall rule filters tcp/udp.
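An added diagnostic in the spirit of peter-endian's suggestion (example code, not from this report or from Endian): it assumes the NETKEY kernel stack, where openswan installs each tunnel's policies in the kernel SPD, and compares an `ip xfrm policy` dump against the conns in ipsec.conf to list, per conn, which of the out/in/fwd policies are absent. Both inputs are constructed and abridged.

```python
import re
from ipaddress import ip_network
SAMPLE_CONF = """conn VDBSERVER
        leftsubnet=192.168.2.0/24
        rightsubnet=10.112.32.78/32
conn VTSERVER
        leftsubnet=192.168.2.0/24
        rightsubnet=10.112.32.70/32
"""
# Constructed, abridged `ip xfrm policy` output (tmpl lines omitted):
# VTSERVER has out/in/fwd, VDBSERVER's fwd policy is missing.
SAMPLE_XFRM = """src 192.168.2.0/24 dst 10.112.32.70/32
    dir out priority 2344
src 10.112.32.70/32 dst 192.168.2.0/24
    dir fwd priority 2344
src 10.112.32.70/32 dst 192.168.2.0/24
    dir in priority 2344
src 192.168.2.0/24 dst 10.112.32.78/32
    dir out priority 2344
src 10.112.32.78/32 dst 192.168.2.0/24
    dir in priority 2344
"""

# Canonical "a.b.c.d/len" so conf and kernel spellings compare equal.
def net(s): return str(ip_network(s, strict=False))

def parse_conns(conf):  # {conn_name: {key: value}} from ipsec.conf text
    conns, cur = {}, None
    for line in conf.splitlines():
        if line.startswith("conn "):
            cur = line.split(None, 1)[1].strip()
            conns[cur] = {}
        elif cur and "=" in line:
            k, v = line.strip().split("=", 1)
            conns[cur][k.strip()] = v.strip()
    return conns

def parse_xfrm_policies(dump):  # {(src, dst, dir)} from `ip xfrm policy`
    pols, pair = set(), None
    for line in dump.splitlines():
        if m := re.match(r"\s*src (\S+) dst (\S+)", line):
            pair = (net(m[1]), net(m[2]))
        elif (m := re.match(r"\s*dir (\w+)", line)) and pair:
            pols.add((pair[0], pair[1], m[1]))
    return pols

def missing_policies(conf, dump):
    # A NETKEY tunnel needs 'out' (left->right) plus 'in' and 'fwd' (right->left).
    have = parse_xfrm_policies(dump)
    report = {}
    for name, c in parse_conns(conf).items():
        l, r = net(c["leftsubnet"]), net(c["rightsubnet"])
        report[name] = sorted({(l, r, "out"), (r, l, "in"), (r, l, "fwd")} - have)
    return report
```

On a live box, feed it the real ipsec.conf and the output of `ip xfrm policy`; a conn whose ping works but whose forwarded TCP/UDP does not is worth checking here before looking at firewall rules.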
(0004268) christian-endian (administrator), 2010-05-26 17:23

Has been fixed with the upgrade to openswan 2.6.24.

Issue History
Date Modified     Username          Field              Change
2010-03-02 11:58  mvrk              New Issue
2010-03-04 13:55  peter-endian      Relationship added child of 0001935
2010-03-04 14:01  peter-endian      Note Added         0003914
2010-03-04 14:01  peter-endian      Status             new => feedback
2010-05-26 17:23  christian-endian  Note Added         0004268
2010-05-26 17:23  christian-endian  Status             feedback => closed
2010-05-26 17:23  christian-endian  Resolution         open => fixed

Copyright © 2005-2008 Endian, SRL. All rights reserved.