[Swan] Host-To-Host VPN with multiply interfaces

Michael Furman michael_furman at hotmail.com
Wed May 18 13:40:40 UTC 2016


Thank you for your help! I was able to configure two tunnels between the same servers using the same RSA keys.



> Date: Tue, 17 May 2016 12:23:39 -0400
> From: paul at nohats.ca
> To: michael_furman at hotmail.com
> CC: swan at lists.libreswan.org
> Subject: RE: [Swan] Host-To-Host VPN with multiply interfaces
> 
> On Tue, 17 May 2016, Michael Furman wrote:
> 
> > I was able to configure Host-To-Host for the interface eth0 without any problem.
> > 
> > Also, I was able to create new pair of certificates for the interface eth1 and configure it using the following commands:
> 
> The keys you generated are only used for authentication, not encryption.
> Usually, multiple tunnels between two gateways all share the same
> authentication. If you have a host=host tunnel and you want to add
> a net-to-net tunnel using the same gateways, just add a conn and
> re-use the same auth information and libreswan will re-use it for both
> tunnels.
> 
> > I can add channel, but when I try to "up" it I see the following errors: "multiple ipsec.secrets entries with distinct secrets match endpoints: first secret used".
> 
> secret entries can have an identifier to lock them to a certain IP or
> ID. You have two entries that are "default" entries, so it will have
> to pick one. the choice is arbitrary so it warns you.
> 
> > The configuration:
> > 
> > conn ha_eth1
> >     leftid=@172.17.0.1
> >     left=172.17.0.1
> >     # rsakey AQPe4BcQY
> >     leftrsasigkey=0…UQ==
> >     rightid=@172.17.0.2
> >     right=172.17.0.2
> >     # rsakey AQPRLsAVt
> >     rightrsasigkey=0…szi3
> >     authby=rsasig
> >     ike=aes256-sha2_256;modp2048
> >     phase2alg=aes256-sha2_256;modp2048
> >     sha2_truncbug=yes
> >     # load and initiate automatically
> >     auto=start
> 
> > 003 "ha_eth1" #11: ignoring informational payload INVALID_KEY_INFORMATION, msgid=00000000, length=12
> 
> It looks like the other end also got two entries and picked one you
> did not expect on this end?
> 
> Paul
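The two points in Paul's reply (reuse one RSA identity for every conn between the same gateways, and give ipsec.secrets entries a selector so that no two "default" entries match the same peer), as an added example that is not part of this thread and not libreswan's own code. It writes constructed sample files: an ipsec.conf with two conns sharing one identity, an ipsec.secrets with two selector-less RSA entries (the state that produces the "multiple ipsec.secrets entries ... match endpoints" warning), and one keyed by ID. The @gw-a/@gw-b IDs, the 192.0.2.x eth0 addresses, the scratch paths and the key bodies are placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example, not code from this thread or from libreswan. Builds three
# constructed sample files under a scratch directory and audits them. The
# @gw-a/@gw-b IDs, 192.0.2.x addresses and file locations are hypothetical;
# the key bodies are placeholders, not real keys.
set -eu

WORK=${TMPDIR:-/tmp}/swan-secrets-example.$$
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

IPSEC_CONF=$WORK/ipsec.conf
BAD_SECRETS=$WORK/ipsec.secrets.bad
GOOD_SECRETS=$WORK/ipsec.secrets.good

# One identity and one key per gateway, reused by every conn between them.
# 192.0.2.x stands in for the eth0 addresses; 172.17.0.x are from the thread.
cat > "$IPSEC_CONF" <<'EOF'
conn ha_eth0
    leftid=@gw-a
    left=192.0.2.1
    leftrsasigkey=0sAQ...placeholder-gw-a...
    rightid=@gw-b
    right=192.0.2.2
    rightrsasigkey=0sAQ...placeholder-gw-b...
    authby=rsasig
    ike=aes256-sha2_256;modp2048
    phase2alg=aes256-sha2_256;modp2048
    auto=start

conn ha_eth1
    leftid=@gw-a
    left=172.17.0.1
    leftrsasigkey=0sAQ...placeholder-gw-a...
    rightid=@gw-b
    right=172.17.0.2
    rightrsasigkey=0sAQ...placeholder-gw-b...
    authby=rsasig
    ike=aes256-sha2_256;modp2048
    phase2alg=aes256-sha2_256;modp2048
    auto=start
EOF

# Two keys appended with nothing before the colon: both are "default" entries,
# both match every peer, and pluto has to pick one arbitrarily.
cat > "$BAD_SECRETS" <<'EOF'
: RSA {
    # placeholder key body (constructed sample, not a real key)
    Modulus: 0x...
    }
: RSA {
    # placeholder key body (constructed sample, not a real key)
    Modulus: 0x...
    }
EOF

# Selectors before the colon (per ipsec.secrets(5)) lock each key to an ID,
# so at most one entry matches a given negotiation.
cat > "$GOOD_SECRETS" <<'EOF'
@gw-a : RSA {
    # placeholder key body (constructed sample, not a real key)
    Modulus: 0x...
    }
@172.17.0.1 : RSA {
    # placeholder key body (constructed sample, not a real key)
    Modulus: 0x...
    }
EOF

# Count RSA entries whose selector list is empty (nothing before the ":").
count_default_rsa_entries() {
    grep -cE '^[[:space:]]*:[[:space:]]*RSA' "$1" || true
}

# Succeeds only when at most one default RSA entry exists.
check_secrets() {
    n=$(count_default_rsa_entries "$1")
    [ "$n" -le 1 ]
}

# Number of distinct values of a conn parameter (e.g. leftid) in the file;
# 1 means every conn presents the same identity to the peer.
distinct_ids() {
    grep -E "^[[:space:]]*$2=" "$1" | sed 's/^[[:space:]]*//' | sort -u | wc -l | tr -d ' '
}

for f in "$BAD_SECRETS" "$GOOD_SECRETS"; do
    if check_secrets "$f"; then
        echo "$f: ok"
    else
        echo "$f: $(count_default_rsa_entries "$f") default RSA entries, pluto's choice is arbitrary"
    fi
done
echo "distinct leftid values in $IPSEC_CONF: $(distinct_ids "$IPSEC_CONF" leftid)"
```

The audit only looks at the selector list, which is what decides whether an entry is a "default" one; it says nothing about whether the key material itself is valid. Run it against a real /etc/ipsec.secrets after `ipsec newhostkey` has been run more than once on the same host, which is the usual way two default entries end up in one file.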