[Swan] Host-To-Host VPN with multiple interfaces

Michael Furman michael_furman at hotmail.com
Tue May 17 09:56:53 UTC 2016


Dear Paul,

Thank you for the fast reply. I will clarify my question.

I was able to configure Host-To-Host for the interface eth0 without any problem. Also, I was able to create a new pair of certificates for the interface eth1 and configure it using the following commands:

    ipsec newhostkey --configdir /etc/ipsec.d --output /etc/ipsec.d/site2.secrets
    ipsec showhostkey --left
    ipsec showhostkey --right

You can see the configuration below. I can add the channel, but when I try to "up" it I see the following errors: "multiple ipsec.secrets entries with distinct secrets match endpoints: first secret used". See below the error output. Finally, the tunnel cannot be started.

How can I resolve the problem and configure 2 tunnels that connect the same servers?

Thank you for your help in advance!

The configuration:

    conn ha_eth1
        leftid=@172.17.0.1
        left=172.17.0.1
        # rsakey AQPe4BcQY
        leftrsasigkey=0…UQ==
        rightid=@172.17.0.2
        right=172.17.0.2
        # rsakey AQPRLsAVt
        rightrsasigkey=0…szi3
        authby=rsasig
        ike=aes256-sha2_256;modp2048
        phase2alg=aes256-sha2_256;modp2048
        sha2_truncbug=yes
        # load and initiate automatically
        auto=start

The error output:

    [root@ ipsec.d]# ipsec auto --add "ha_eth1"
    002 "ha_eth1": deleting connection
    002 "ha_eth1" #9: deleting state (STATE_MAIN_I3)
    002 "ha_eth1" #10: deleting state (STATE_MAIN_R2)
    002 added connection description "ha_eth1"
    [root@ ipsec.d]# ipsec auto --up "ha_eth1"
    002 "ha_eth1" #11: initiating Main Mode
    104 "ha_eth1" #11: STATE_MAIN_I1: initiate
    003 "ha_eth1" #11: received Vendor ID payload [Dead Peer Detection]
    003 "ha_eth1" #11: received Vendor ID payload [FRAGMENTATION]
    003 "ha_eth1" #11: received Vendor ID payload [RFC 3947]
    002 "ha_eth1" #11: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
    002 "ha_eth1" #11: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
    106 "ha_eth1" #11: STATE_MAIN_I2: sent MI2, expecting MR2
    003 "ha_eth1" #11: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected
    003 "ha_eth1" #11: multiple ipsec.secrets entries with distinct secrets match endpoints: first secret used
    002 "ha_eth1" #11: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
    108 "ha_eth1" #11: STATE_MAIN_I3: sent MI3, expecting MR3
    003 "ha_eth1" #11: ignoring informational payload INVALID_KEY_INFORMATION, msgid=00000000, length=12
    003 "ha_eth1" #11: received and ignored informational message
    003 "ha_eth1" #11: discarding duplicate packet; already STATE_MAIN_I3
    010 "ha_eth1" #11: STATE_MAIN_I3: retransmission; will wait 10s for response
    003 "ha_eth1" #11: ignoring informational payload INVALID_KEY_INFORMATION, msgid=00000000, length=12
    003 "ha_eth1" #11: received and ignored informational message
    003 "ha_eth1" #11: discarding duplicate packet; already STATE_MAIN_I3
    010 "ha_eth1" #11: STATE_MAIN_I3: retransmission; will wait 20s for response
    003 "ha_eth1" #11: ignoring informational payload INVALID_KEY_INFORMATION, msgid=00000000, length=12
    003 "ha_eth1" #11: received and ignored informational message
    031 "ha_eth1" #11: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message
    000 "ha_eth1" #11: starting keying attempt 2 of an unlimited number, but releasing whack

> Date: Mon, 16 May 2016 15:59:38 -0400
> From: paul at nohats.ca
> To: michael_furman at hotmail.com
> CC: swan at lists.libreswan.org
> Subject: Re: [Swan] Host-To-Host VPN with multiple interfaces
> 
> On Mon, 16 May 2016, Michael Furman wrote:
> 
> > My question how to configure leftrsasigkey and rightrsasigkey.
> 
> You can see an example in the wiki at:
> 
> https://libreswan.org/wiki/Host_to_host_VPN
> 
> > But how can I configure what file to take (site1.secrets or site2.secrets) in the following command?
> 
> libreswan loads all /etc/ipsec.d/*.secrets files automatically (via an
> include statement in /etc/ipsec.secrets). See the above wiki page on
> how to configure these public keys into a *.conf file.
> 
> Please note that libreswan-3.17 has a bug when generating raw keys,
> please use 3.16 for now if generating new rsa keys.
> 
> Paul
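The warning Michael quotes ("multiple ipsec.secrets entries with distinct secrets match endpoints: first secret used") means two secrets competed for the same endpoint pair and the daemon picked the first one, which is why the eth1 tunnel then fails authentication. The script below is an added example, not code from this thread or from libreswan: it parses ipsec.secrets-style text and applies a simplified model of the selector rules (an assumption about pluto's selection logic, not its actual code) to report whether a lookup for the ha_eth1 identities is unambiguous. The two inputs are constructed with placeholder key material: first, two selector-less ": RSA" entries, which is the shape assumed here for what ipsec newhostkey writes into site1.secrets and site2.secrets; second, the same two keys each pinned to the identities they serve. The 10.0.0.x addresses stand in for the eth0 pair, which the thread does not give.

```python
"""Check an ipsec.secrets-style file for entries that tie for one endpoint pair.

Added example, not libreswan code. Selection rule is a simplified model
(assumption): an entry naming both identities beats one naming only ours,
which beats a default entry with no selectors; several distinct secrets tied
at the best level reproduce the "first secret used" situation.
"""
import hashlib
import re
from typing import List, NamedTuple


class SecretEntry(NamedTuple):
    selectors: tuple  # () is a default entry that matches any endpoint
    kind: str         # "RSA" or "PSK"
    fingerprint: str  # digest of the secret body, only to tell entries apart


# selectors, a colon, the kind, then a {...} block or a "..." string
_ENTRY = re.compile(r'([^:{}"]*?)\s*:\s*(RSA|PSK)\s*(\{[^}]*\}|"[^"]*")', re.S)


def parse_secrets(text: str) -> List[SecretEntry]:
    """Parse entries; '#' comments and include lines are dropped.
    Limitation: a '#' inside a quoted PSK would be treated as a comment."""
    kept = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and not line.startswith("include"):
            kept.append(line)
    flat = " ".join(kept)  # brace blocks span lines, so match on one string
    return [
        SecretEntry(tuple(m.group(1).split()), m.group(2),
                    hashlib.sha256(m.group(3).encode()).hexdigest()[:12])
        for m in _ENTRY.finditer(flat)
    ]


def best_candidates(entries, kind, my_id, peer_id):
    """All entries tied at the strongest selector match for this pair."""
    ranked = []
    for e in entries:
        if e.kind != kind:
            continue
        if not e.selectors:
            ranked.append((0, e))  # default entry: weakest match
        elif my_id in e.selectors and peer_id in e.selectors:
            ranked.append((2, e))  # names both ends: strongest match
        elif my_id in e.selectors:
            ranked.append((1, e))  # names only our end
    if not ranked:
        return []
    top = max(rank for rank, _ in ranked)
    return [e for rank, e in ranked if rank == top]


def check_endpoints(text, kind, my_id, peer_id):
    """'none' (no usable secret), 'ok' (one secret), or 'ambiguous'
    (distinct secrets tie, so the first one in file order would be used)."""
    best = best_candidates(parse_secrets(text), kind, my_id, peer_id)
    if not best:
        return "none"
    return "ambiguous" if len({e.fingerprint for e in best}) > 1 else "ok"


# Constructed sample: two host keys as written by ipsec newhostkey (assumed
# shape), both without selectors. Key material is placeholder text.
TWO_DEFAULT_ENTRIES = """
include /etc/ipsec.d/*.secrets
# site1.secrets (eth0 host key)
: RSA {
    # RSA 2048 bits placeholder
    Modulus: 0xPLACEHOLDER_MODULUS_1
    PublicExponent: 0x03
    PrivateExponent: 0xPLACEHOLDER_PRIVATE_1
}
# site2.secrets (eth1 host key)
: RSA {
    Modulus: 0xPLACEHOLDER_MODULUS_2
    PublicExponent: 0x03
    PrivateExponent: 0xPLACEHOLDER_PRIVATE_2
}
"""

# Constructed sample: the same keys, each pinned to the IDs of its tunnel.
# 10.0.0.x is an invented eth0 pair; 172.17.0.x is the eth1 pair from the conn.
PINNED_ENTRIES = """
@10.0.0.1 @10.0.0.2 : RSA {
    Modulus: 0xPLACEHOLDER_MODULUS_1
    PrivateExponent: 0xPLACEHOLDER_PRIVATE_1
}
@172.17.0.1 @172.17.0.2 : RSA {
    Modulus: 0xPLACEHOLDER_MODULUS_2
    PrivateExponent: 0xPLACEHOLDER_PRIVATE_2
}
"""

if __name__ == "__main__":
    for label, text in (("default entries", TWO_DEFAULT_ENTRIES),
                        ("pinned entries", PINNED_ENTRIES)):
        print(label, "->", check_endpoints(text, "RSA", "@172.17.0.1", "@172.17.0.2"))
```

Feed it the contents of /etc/ipsec.secrets together with every file it includes, since that is the set the daemon sees. The pinned layout is one way to remove the tie; the usual alternative needing no selectors at all is to give the host a single RSA key and reference it from both connections, because both tunnels authenticate the same host.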