Hi Jean-Francois,

> could you check how many tunnels are set up in the kernel, the right
> number I believe. Does the selector (SPD) match what's been negotiated
> between openswan and isakmpd ?

Looks like the original problem is not reproducible. It might have been a side effect of the second problem I have (however, I'm still not sure if OpenSwan or isakmpd is the one to blame here):

OpenSwan (road warrior) <---> isakmpd (fixed address A.B.C.D)
One tunnel defined (net1 <-> net2)

Establishing the connection works OK.

OpenSwan output:

[EMAIL PROTECTED]:~# ipsec auto --status
000 interface ipsec0/ppp0 84.178.106.33
[...]
000 #2: "colab":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 28098s; newest IPSEC; eroute owner
000 #2: "colab" [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
000 #1: "colab":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2874s; newest ISAKMP; lastdpd=3s(seq in:30589 out:0)
000

isakmpd:

# setkey -D | more
84.178.106.33 A.B.C.D
        esp mode=tunnel spi=1787212810(0x6a86b40a) reqid=0(0x00000000)
        E: aes-cbc 403b6d34 e1616004 2a9193da 733215ad 122c0226 903aaeea 4087870c ca57d4b4
        A: hmac-sha1 f8a36d4b fb89bd67 3521d5e0 3500a679 e32333e6
        seq=0x00000000 replay=0 flags=0x00000000 state=mature
        created: Jan 6 16:53:44 2006 current: Jan 6 16:54:22 2006
        diff: 38(s) hard: 28800(s) soft: 25920(s)
        last: hard: 0(s) soft: 0(s)
        current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
        allocated: 0 hard: 0 soft: 0
        sadb_seq=1 pid=23263 refcnt=0
A.B.C.D 84.178.106.33
        esp mode=tunnel spi=3031293149(0xb4addcdd) reqid=0(0x00000000)
        E: aes-cbc 8067521a d19959c1 27c5c4ea f46eaedf 634f4cc5 c059bcbc 42194800 4f40b437
        A: hmac-sha1 d8e73654 fd41cfde 79150a54 cc0b17e7 6ff3dca4
        seq=0x00000000 replay=0 flags=0x00000000 state=mature
        created: Jan 6 16:53:43 2006 current: Jan 6 16:54:22 2006
        diff: 39(s) hard: 28800(s) soft: 25920(s)
        last: hard: 0(s) soft: 0(s)
        current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
        allocated: 0 hard: 0 soft: 0
        sadb_seq=0 pid=23263 refcnt=0

# setkey -DP | more
net1[any] net2[any] any
        in ipsec
        esp/tunnel/84.178.106.33-A.B.C.D/use
        created: Jan 6 16:53:44 2006 lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=3960 seq=25 pid=23288 refcnt=1
net2[any] net1[any] any
        out ipsec
        esp/tunnel/A.B.C.D-84.178.106.33/require
        created: Jan 6 16:53:44 2006 lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=3953 seq=24 pid=23288 refcnt=1

Now the roadwarrior is disconnected by the carrier and reconnects with a different IP address (simulated by a reboot of the OpenWRT box/OpenSwan):

OpenSwan output:

[EMAIL PROTECTED]:~# ipsec auto --status
000 interface ipsec0/ppp0 84.178.127.193
[...]
000 #2: "colab":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27965s; newest IPSEC; eroute owner
000 #2: "colab" [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
000 #1: "colab":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2944s; newest ISAKMP; lastdpd=4s(seq in:31921 out:0)

isakmpd:

# setkey -D | more
84.178.127.193 A.B.C.D
        esp mode=tunnel spi=776575429(0x2e4999c5) reqid=0(0x00000000)
        E: aes-cbc 876889c8 d2c133ae 33ed52d3 7cb86f5f 9187dc2a d13dfa5a 9ff4ccc5 da5971a9
        A: hmac-sha1 75b80006 6fc795d2 a812cf33 83132101 7f43c8ec
        seq=0x00000000 replay=0 flags=0x00000000 state=mature
        created: Jan 6 17:01:07 2006 current: Jan 6 17:03:02 2006
        diff: 115(s) hard: 28800(s) soft: 25920(s)
        last: hard: 0(s) soft: 0(s)
        current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
        allocated: 0 hard: 0 soft: 0
        sadb_seq=3 pid=23330 refcnt=0
84.178.106.33 A.B.C.D
        esp mode=tunnel spi=1787212810(0x6a86b40a) reqid=0(0x00000000)
        E: aes-cbc 403b6d34 e1616004 2a9193da 733215ad 122c0226 903aaeea 4087870c ca57d4b4
        A: hmac-sha1 f8a36d4b fb89bd67 3521d5e0 3500a679 e32333e6
        seq=0x00000000 replay=0 flags=0x00000000 state=mature
        created: Jan 6 16:53:44 2006 current: Jan 6 17:03:02 2006
        diff: 558(s) hard: 28800(s) soft: 25920(s)
        last: hard: 0(s) soft: 0(s)
        current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
        allocated: 0 hard: 0 soft: 0
        sadb_seq=2 pid=23330 refcnt=0
A.B.C.D 84.178.106.33
        esp mode=tunnel spi=3031293149(0xb4addcdd) reqid=0(0x00000000)
        E: aes-cbc 8067521a d19959c1 27c5c4ea f46eaedf 634f4cc5 c059bcbc 42194800 4f40b437
        A: hmac-sha1 d8e73654 fd41cfde 79150a54 cc0b17e7 6ff3dca4
        seq=0x00000000 replay=0 flags=0x00000000 state=mature
        created: Jan 6 16:53:43 2006 current: Jan 6 17:03:02 2006
        diff: 559(s) hard: 28800(s) soft: 25920(s)
        last: hard: 0(s) soft: 0(s)
        current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
        allocated: 0 hard: 0 soft: 0
        sadb_seq=1 pid=23330 refcnt=0
A.B.C.D 84.178.127.193
        esp mode=tunnel spi=83161463(0x04f4f177) reqid=0(0x00000000)
        E: aes-cbc 865aef4f 11a54abb 73fc05bc 31cc7c24 179427bc 402ed538 c18aa856 0ce1276c
        A: hmac-sha1 046b5bcf 0817191b 0ce33654 ec7a2ab7 3cf95e97
        seq=0x00000000 replay=0 flags=0x00000000 state=mature
        created: Jan 6 17:01:06 2006 current: Jan 6 17:03:02 2006
        diff: 116(s) hard: 28800(s) soft: 25920(s)
        last: hard: 0(s) soft: 0(s)
        current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
        allocated: 0 hard: 0 soft: 0
        sadb_seq=0 pid=23330 refcnt=0

# setkey -DP | more
net1[any] net2[any] any
        in ipsec
        esp/tunnel/84.178.106.33-A.B.C.D/use
        created: Jan 6 16:53:44 2006 lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=3960 seq=25 pid=23332 refcnt=1
net2[any] net1[any] any
        out ipsec
        esp/tunnel/A.B.C.D-84.178.106.33/require
        created: Jan 6 16:53:44 2006 lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=3953 seq=24 pid=23332 refcnt=1

Although new ISAKMP and IPSEC SAs have been established, the SPD entries are not updated (still pointing to the old IP address).

Thanks,
Jochen
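
An added example, not part of the original message and not code from Openswan or isakmpd: a heuristic check for the condition reported above, where the SAD holds newer SAs for a peer that has moved while the SPD tunnel endpoints still name the old address. It assumes one remote peer per policy, as in the single-tunnel setup in the post; the function names are hypothetical and the sample input is constructed from the post's values.

```python
import re
from datetime import datetime

# Constructed sample: setkey output trimmed to the lines used; values from the post.
SAD = """84.178.127.193 A.B.C.D
\tcreated: Jan  6 17:01:07 2006\tcurrent: Jan  6 17:03:02 2006
84.178.106.33 A.B.C.D
\tcreated: Jan  6 16:53:44 2006\tcurrent: Jan  6 17:03:02 2006
A.B.C.D 84.178.106.33
\tcreated: Jan  6 16:53:43 2006\tcurrent: Jan  6 17:03:02 2006
A.B.C.D 84.178.127.193
\tcreated: Jan  6 17:01:06 2006\tcurrent: Jan  6 17:03:02 2006
"""
SPD = """net1[any] net2[any] any
\tin ipsec
\tesp/tunnel/84.178.106.33-A.B.C.D/use
net2[any] net1[any] any
\tout ipsec
\tesp/tunnel/A.B.C.D-84.178.106.33/require
"""

def _created(line):
    m = re.search(r"created: (\w{3}\s+\d+ [\d:]{8} \d{4})", line)
    return datetime.strptime(" ".join(m.group(1).split()), "%b %d %H:%M:%S %Y") if m else None

def parse_sad(text):
    """Return [(src, dst, created)] for each SA in `setkey -D` output."""
    sas, pair = [], None
    for line in text.splitlines():
        if line and not line[0].isspace():      # unindented line starts a new SA
            pair = tuple(line.split()[:2])
        elif pair and (ts := _created(line)):
            sas.append((*pair, ts))
    return sas

def stale_policies(sad_text, spd_text):
    """Return [((policy_src, policy_dst), (sa_src, sa_dst))] for stale SPD entries."""
    sas = parse_sad(sad_text)
    stale = []
    for src, dst in re.findall(r"esp/tunnel/([^-/\s]+)-([^/\s]+)/", spd_text):
        own = max((c for s, d, c in sas if (s, d) == (src, dst)), default=datetime.min)
        # Assumption: a newer SA sharing exactly one endpoint means the peer moved.
        moved = [(s, d) for s, d, c in sas
                 if (s == src) != (d == dst) and c > own]
        if moved:
            stale.append(((src, dst), moved[0]))
    return stale
```

On a gateway that serves several road warriors, this heuristic would also flag other peers' SAs, so policies and SAs would need to be grouped per peer identity first.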