openswan 2.6.50 doesn't bring up connections automatically in rightsubnets except the last one
freedai commented
It seems to only happen when both sides are using openswan 2.6.50.
ipsec.conf
version 2.0
config setup
    interfaces="ipsec0=eth1"
    klipsdebug=none
    plutodebug="control controlmore klips lifecycle"
    uniqueids=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!172.30.66.0/24
    nat_traversal=yes
    nhelpers=0
conn %default
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    keyingtries=2
    rekeymargin="10"
    leftupdown=/etc/ipsec.d/scripts/ipsec.updown
    rightupdown=/etc/ipsec.d/scripts/ipsec.updown
    leftsendcert=always
    ike=3des-sha1,aes-sha1,3des-md5,aes-md5,aes256-sha1,aes256-md5
# Disable opportunistic encryption
conn block
    auto=ignore
conn private
    auto=ignore
conn private-or-clear
    auto=ignore
conn clear-or-private
    auto=ignore
conn clear
    auto=ignore
conn packetdefault
    auto=ignore
include /etc/ipsec.d/conn/connection-*-*-*
ipsec.d/conn/connection-10.50.10.186-10.50.10.104-0-1
conn connection-10.50.10.186-10.50.10.104-0-1
    right=10.50.10.104
    left=10.50.10.186
    authby=rsasig
    rightid="/CN=deviceid-4969..."
    leftid="/CN=deviceid-4972..."
    leftsubnet=172.30.67.1/24
    rightsubnets={192.168.162.0/24, 192.168.163.0/24, 192.168.65.1/24}
    auto=start
    ikelifetime=3600s
    keylife=28800s
    leftupdown=""
    leftnexthop=10.50.10.104
    rightnexthop=10.50.10.186
    pfs=no
    leftcert=/etc/pki/custom/HA_Identity.crt
    leftca=/etc/ipsec.d/cacerts/tw-bundle.crt
    ike=3des-md5;modp2048
    phase2alg=3des-sha1;dh23
After restarting ipsec:
# ipsec eroute
0 172.30.67.0/24 -> 192.168.65.0/24 => tun0x1001@10.50.10.104
# ipsec whack --status
000 "connection-10.50.10.186-10.50.10.104-0-1/0x1": 172.30.67.0/24===10.50.10.186[CN=deviceid-4972]...10.50.10.104[CN=deviceid-4969.]===192.168.162.0/24; unrouted; eroute owner: #0
...
000 "connection-10.50.10.186-10.50.10.104-0-1/0x2": 172.30.67.0/24===10.50.10.186[CN=deviceid-4972.]...10.50.10.104[CN=deviceid-4969.]===192.168.163.0/24; unrouted; eroute owner: #0
...
000 "connection-10.50.10.186-10.50.10.104-0-1/0x3": 172.30.67.0/24===10.50.10.186[CN=deviceid-4972.]...10.50.10.104[CN=deviceid-4969.]===192.168.65.0/24; erouted; eroute owner: #2
You can see the first two connections are unrouted. After I manually ran 'ipsec auto --up connection-10.50.10.186-10.50.10.104-0-1', all three connections are erouted and can be seen in ipsec eroute.
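As an added example (not part of the original issue or of openswan), a small check that parses the 'ipsec whack --status' lines quoted above and reports the rightsubnets instances of an auto=start conn that are still unrouted, so a monitor can catch subnets that silently never came up. The sample text is constructed from the three status lines in the report; the function names are my own.

```python
import re

# Constructed sample: the three `ipsec whack --status` lines from the report.
SAMPLE_STATUS = """\
000 "connection-10.50.10.186-10.50.10.104-0-1/0x1": 172.30.67.0/24===10.50.10.186[CN=deviceid-4972]...10.50.10.104[CN=deviceid-4969.]===192.168.162.0/24; unrouted; eroute owner: #0
000 "connection-10.50.10.186-10.50.10.104-0-1/0x2": 172.30.67.0/24===10.50.10.186[CN=deviceid-4972.]...10.50.10.104[CN=deviceid-4969.]===192.168.163.0/24; unrouted; eroute owner: #0
000 "connection-10.50.10.186-10.50.10.104-0-1/0x3": 172.30.67.0/24===10.50.10.186[CN=deviceid-4972.]...10.50.10.104[CN=deviceid-4969.]===192.168.65.0/24; erouted; eroute owner: #2
"""

# One status line per connection instance: conn name, optional /0xN suffix that
# pluto appends for each entry of rightsubnets, left subnet ... right subnet,
# routing state and the state number owning the eroute (#0 means none).
LINE_RE = re.compile(
    r'^000 "(?P<name>[^"/]+)(?:/(?P<inst>0x[0-9a-f]+))?": '
    r'(?P<left>[0-9./]+)===.*?===(?P<right>[0-9./]+); '
    r'(?P<state>\w+); eroute owner: #(?P<owner>\d+)'
)


def parse_status(text):
    """Return one dict per parsed connection-instance line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["owner"] = int(entry["owner"])
            entries.append(entry)
    return entries


def unrouted_instances(text, conn_name):
    """Right subnets of conn_name whose instance has no eroute.

    Every entry of rightsubnets becomes its own instance; with auto=start all of
    them should end up 'erouted'. An instance left 'unrouted' has no eroute at
    all, so traffic for that subnet is not carried through the tunnel.
    """
    return [e["right"] for e in parse_status(text)
            if e["name"] == conn_name and e["state"] != "erouted"]


if __name__ == "__main__":
    conn = "connection-10.50.10.186-10.50.10.104-0-1"
    for subnet in unrouted_instances(SAMPLE_STATUS, conn):
        print(f"{conn}: subnet {subnet} is not erouted")
```

On a live host, feed the function the output of 'ipsec whack --status' instead of the embedded sample; an empty list means every subnet instance of the conn is up.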
freedai commented
Tried 2.6.51dev6 and it seemed to fix the problem. Is there an expected date to release 2.6.51 soon?
shussain commented
@freedai We are currently testing 2.6.51
Once the testing is completed, we will release 2.6.51
freedai commented
mcr commented
Feng <notifications@github.com> wrote:
Seems the fixes for wo#6760 addressed the issue. Is it safe to backport
the following commits to 2.6.50?
cc70458
d8f948c
Probably.