[Swan] Host-To-Host VPN with multiple interfaces
Paul Wouters
paul at nohats.ca
Tue May 17 16:23:39 UTC 2016
On Tue, 17 May 2016, Michael Furman wrote:
> I was able to configure Host-To-Host for the interface eth0 without any problem.
>
> Also, I was able to create new pair of certificates for the interface eth1 and configure it using the following commands:
The keys you generated are only used for authentication, not encryption.
Usually, multiple tunnels between two gateways all share the same
authentication. If you have a host-to-host tunnel and you want to add
a net-to-net tunnel using the same gateways, just add a conn and
re-use the same auth information and libreswan will re-use it for both
tunnels.
> I can add channel, but when I try to "up" it I see the following errors: "multiple ipsec.secrets entries with distinct secrets match endpoints: first secret used".
Secret entries can have an identifier to lock them to a certain IP or
ID. You have two entries that are "default" entries, so it will have
to pick one. The choice is arbitrary, so it warns you.
> The configuration:
>
> conn ha_eth1
>         leftid=@172.17.0.1
>         left=172.17.0.1
>         # rsakey AQPe4BcQY
>         leftrsasigkey=0…UQ==
>         rightid=@172.17.0.2
>         right=172.17.0.2
>         # rsakey AQPRLsAVt
>         rightrsasigkey=0…szi3
>         authby=rsasig
>         ike=aes256-sha2_256;modp2048
>         phase2alg=aes256-sha2_256;modp2048
>         sha2_truncbug=yes
>         # load and initiate automatically
>         auto=start
>
> 003 "ha_eth1" #11: ignoring informational payload INVALID_KEY_INFORMATION, msgid=00000000, length=12
It looks like the other end also got two entries and picked one you
did not expect on this end?
Paul
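As an added illustration of the two points in Paul's reply (constructed here, not part of the original mail or of libreswan's documentation), the fragments below show the ipsec.secrets layout that triggers the warning and the two ways to resolve it. The eth0 addresses 172.16.0.1/172.16.0.2, the conn name ha_eth0 and all key material are placeholders; the eth1 addresses are the ones from the thread.

```conf
# --- /etc/ipsec.secrets: layout that produces the warning ---
# Two "default" entries, i.e. no selector before the colon, one written by
# each "ipsec newhostkey" run. Both match every endpoint, so pluto has to
# pick one arbitrarily and logs "multiple ipsec.secrets entries with
# distinct secrets match endpoints: first secret used".
: RSA {
        # key block written for eth0 (placeholder, body elided)
}
: RSA {
        # key block written for eth1 (placeholder, body elided)
}

# --- Option 1 (Paul's recommendation): one host key shared by all tunnels ---
# Authentication is per gateway pair, not per interface. Keep a single
# ": RSA { ... }" entry in ipsec.secrets and let every conn between the two
# gateways repeat the same leftrsasigkey/rightrsasigkey in /etc/ipsec.conf.
conn ha_eth0
        left=172.16.0.1              # placeholder address on eth0
        leftid=@172.16.0.1
        leftrsasigkey=0sAQ...HOSTKEY...   # placeholder public key
        right=172.16.0.2
        rightid=@172.16.0.2
        rightrsasigkey=0sAQ...PEERKEY...  # placeholder public key
        authby=rsasig
        auto=start

conn ha_eth1
        left=172.17.0.1              # address from the thread
        leftid=@172.17.0.1
        leftrsasigkey=0sAQ...HOSTKEY...   # same key as ha_eth0
        right=172.17.0.2
        rightid=@172.17.0.2
        rightrsasigkey=0sAQ...PEERKEY...  # same peer key as ha_eth0
        authby=rsasig
        auto=start

# --- Option 2: keep both keys, but lock each entry to one ID ---
# Prefixing an entry with the ID the conn uses (its leftid= value) means
# only that entry matches the conn, so no arbitrary choice is needed.
# Each conn's leftrsasigkey must then be the public half of its own entry.
@172.16.0.1 : RSA {
        # key block for eth0 (placeholder, body elided)
}
@172.17.0.1 : RSA {
        # key block for eth1 (placeholder, body elided)
}
```

Whichever option is used, the peer gateway's ipsec.secrets needs the same treatment, otherwise it may still pick the entry that does not match the key this side expects.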