[Swan] Host-To-Host VPN with multiply interfaces

Paul Wouters paul at nohats.ca
Tue May 17 16:23:39 UTC 2016

On Tue, 17 May 2016, Michael Furman wrote:

> I was able to configure Host-To-Host for the interface eth0 without any prob
> lem. 
> Also, I was able to create new pair of certificates for the interface eth1 a
> nd configure it using the following commands:

The keys yo ugenerated are only used for authentication, not encryption.
usually, multiple tunnels between two gateways all share the same
authentication. If you have a host=host tunnel and you want to add
a net-to-net tunnel using the same gateways, just add a conn and
re-use the same auth information and libreswan will re-use it for both

> I can add channel, but when I try to “up” it I see the following errors: “mu
> ltiple ipsec.secrets entries with distinct secrets match endpoints: first se
> cret used”.

secret entries can have an identifier to lock them to a certain IP or
ID. You have two entries that are "default" entries, so it will have
to pick one. the choice is arbitrary so it warns you.

> The configuration:
> conn ha_eth1
>     leftid=@
>     left=
>         # rsakey AQPe4BcQY
>         leftrsasigkey=0…UQ==
>     rightid=@
>     right=
>         # rsakey AQPRLsAVt
>         rightrsasigkey=0…szi3
>     authby=rsasig
>     ike=aes256-sha2_256;modp2048
>     phase2alg=aes256-sha2_256;modp2048
>     sha2_truncbug=yes
>     # load and initiate automatically
>     auto=start

> 003 "ha_eth1" #11: ignoring informational payload INVALID_KEY_INFORMATION, m
> sgid=00000000, length=12

It looks like the other end also got two entries and picked one you
did not expect on this end?


More information about the Swan mailing list