[Swan] Host-To-Host VPN with multiply interfaces
Michael Furman
michael_furman at hotmail.com
Tue May 17 09:56:53 UTC 2016
Dear Paul,

Thank you for the fast reply. I will clarify my question.

I was able to configure Host-To-Host for the interface eth0 without any problem. Also, I was able to create a new pair of certificates for the interface eth1 and configure it using the following commands:

    ipsec newhostkey --configdir /etc/ipsec.d --output /etc/ipsec.d/site2.secrets
    ipsec showhostkey --left
    ipsec showhostkey --right

You can see the configuration below. I can add the channel, but when I try to "up" it I see the following error: "multiple ipsec.secrets entries with distinct secrets match endpoints: first secret used". See the error output below. Finally, the tunnel cannot be started.

How can I resolve the problem and configure 2 tunnels that connect the same servers?

Thank you for your help in advance!

The configuration:

    conn ha_eth1
            leftid=@172.17.0.1
            left=172.17.0.1
            # rsakey AQPe4BcQY
            leftrsasigkey=0…UQ==
            rightid=@172.17.0.2
            right=172.17.0.2
            # rsakey AQPRLsAVt
            rightrsasigkey=0…szi3
            authby=rsasig
            ike=aes256-sha2_256;modp2048
            phase2alg=aes256-sha2_256;modp2048
            sha2_truncbug=yes
            # load and initiate automatically
            auto=start

The error output:

    [root@ ipsec.d]# ipsec auto --add "ha_eth1"
    002 "ha_eth1": deleting connection
    002 "ha_eth1" #9: deleting state (STATE_MAIN_I3)
    002 "ha_eth1" #10: deleting state (STATE_MAIN_R2)
    002 added connection description "ha_eth1"
    [root@ ipsec.d]# ipsec auto --up "ha_eth1"
    002 "ha_eth1" #11: initiating Main Mode
    104 "ha_eth1" #11: STATE_MAIN_I1: initiate
    003 "ha_eth1" #11: received Vendor ID payload [Dead Peer Detection]
    003 "ha_eth1" #11: received Vendor ID payload [FRAGMENTATION]
    003 "ha_eth1" #11: received Vendor ID payload [RFC 3947]
    002 "ha_eth1" #11: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
    002 "ha_eth1" #11: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
    106 "ha_eth1" #11: STATE_MAIN_I2: sent MI2, expecting MR2
    003 "ha_eth1" #11: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected
    003 "ha_eth1" #11: multiple ipsec.secrets entries with distinct secrets match endpoints: first secret used
    002 "ha_eth1" #11: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
    108 "ha_eth1" #11: STATE_MAIN_I3: sent MI3, expecting MR3
    003 "ha_eth1" #11: ignoring informational payload INVALID_KEY_INFORMATION, msgid=00000000, length=12
    003 "ha_eth1" #11: received and ignored informational message
    003 "ha_eth1" #11: discarding duplicate packet; already STATE_MAIN_I3
    010 "ha_eth1" #11: STATE_MAIN_I3: retransmission; will wait 10s for response
    003 "ha_eth1" #11: ignoring informational payload INVALID_KEY_INFORMATION, msgid=00000000, length=12
    003 "ha_eth1" #11: received and ignored informational message
    003 "ha_eth1" #11: discarding duplicate packet; already STATE_MAIN_I3
    010 "ha_eth1" #11: STATE_MAIN_I3: retransmission; will wait 20s for response
    003 "ha_eth1" #11: ignoring informational payload INVALID_KEY_INFORMATION, msgid=00000000, length=12
    003 "ha_eth1" #11: received and ignored informational message
    031 "ha_eth1" #11: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
    000 "ha_eth1" #11: starting keying attempt 2 of an unlimited number, but releasing whack
> Date: Mon, 16 May 2016 15:59:38 -0400
> From: paul at nohats.ca
> To: michael_furman at hotmail.com
> CC: swan at lists.libreswan.org
> Subject: Re: [Swan] Host-To-Host VPN with multiply interfaces
>
> On Mon, 16 May 2016, Michael Furman wrote:
>
> > My question how to configure leftrsasigkey and rightrsasigkey.
>
> You can see an example in the wiki at:
>
> https://libreswan.org/wiki/Host_to_host_VPN
>
> > But how can I configure what file to take (site1.secrets or site2.secrets) in the following command?
>
> libreswan loads all /etc/ipsec.d/*.secrets files automatically (via an
> include statement in /etc/ipsec.secrets). See the above wiki page on
> how to configure these public keys into a *.conf file.
>
> Please note that libreswan-3.17 has a bug when generating raw keys,
> please use 3.16 for now if generating new rsa keys.
>
> Paul