[Swan] Host-To-Host VPN with multiply interfaces
Michael Furman
michael_furman at hotmail.com
Wed May 18 13:40:40 UTC 2016
Thank you for your help! I was able to configure two tunnels between the same servers using the same RSA keys.
> Date: Tue, 17 May 2016 12:23:39 -0400
> From: paul at nohats.ca
> To: michael_furman at hotmail.com
> CC: swan at lists.libreswan.org
> Subject: RE: [Swan] Host-To-Host VPN with multiply interfaces
>
> On Tue, 17 May 2016, Michael Furman wrote:
>
> > I was able to configure Host-To-Host for the interface eth0 without any problem.
> >
> > Also, I was able to create a new pair of certificates for the interface eth1 and configure it using the following commands:
>
> The keys you generated are only used for authentication, not encryption.
> Usually, multiple tunnels between two gateways all share the same
> authentication. If you have a host-host tunnel and you want to add
> a net-to-net tunnel using the same gateways, just add a conn and
> re-use the same auth information and libreswan will re-use it for both
> tunnels.
>
> > I can add channel, but when I try to “up” it I see the following errors:
> > “multiple ipsec.secrets entries with distinct secrets match endpoints: first secret used”.
>
> Secret entries can have an identifier to lock them to a certain IP or
> ID. You have two entries that are "default" entries, so it will have
> to pick one. The choice is arbitrary so it warns you.
>
> > The configuration:
> >
> > conn ha_eth1
> >     leftid=@172.17.0.1
> >     left=172.17.0.1
> >     # rsakey AQPe4BcQY
> >     leftrsasigkey=0…UQ==
> >     rightid=@172.17.0.2
> >     right=172.17.0.2
> >     # rsakey AQPRLsAVt
> >     rightrsasigkey=0…szi3
> >     authby=rsasig
> >     ike=aes256-sha2_256;modp2048
> >     phase2alg=aes256-sha2_256;modp2048
> >     sha2_truncbug=yes
> >     # load and initiate automatically
> >     auto=start
>
> > 003 "ha_eth1" #11: ignoring informational payload INVALID_KEY_INFORMATION, msgid=00000000, length=12
>
> It looks like the other end also got two entries and picked one you
> did not expect on this end?
>
> Paul
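
An added example, not part of the thread and not libreswan code: a small Python check for the situation Paul describes, where more than one ipsec.secrets entry of the same type has no index list and the daemon has to pick one. It reads the file format in a simplified way (it is not libreswan's own matching logic); the sample file contents and the ID `@left-eth0.example` are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed ipsec.secrets text: two RSA entries with no index list, as in
# the thread. Key bodies are placeholders, not real key material.
AMBIGUOUS = """\
# key generated for eth0
: RSA {
    # placeholder body
    }
# key generated for eth1
: RSA {
    # placeholder body
    }
"""

# Same entries, each locked to an ID. @left-eth0.example is hypothetical;
# @172.17.0.1 is the leftid of conn ha_eth1 quoted above.
INDEXED = AMBIGUOUS.replace(": RSA", "@left-eth0.example : RSA", 1)
INDEXED = INDEXED.replace("\n: RSA", "\n@172.17.0.1 : RSA", 1)


def default_entries(text):
    """Map secret type -> line numbers of entries whose index list is empty
    or only %any, i.e. entries that can match any pair of endpoints."""
    found = defaultdict(list)
    for lineno, line in enumerate(text.splitlines(), 1):
        # Entries start in column 0; indented lines continue the previous one.
        if not line or line[0] in " \t#" or line.startswith("include"):
            continue
        # Indices and secret are separated by a colon followed by whitespace.
        parts = re.split(r":(?=\s|$)", line, maxsplit=1)
        if len(parts) != 2:
            continue
        indices = parts[0].split()
        kind = (parts[1].split() or ["?"])[0]
        if all(i == "%any" for i in indices):  # also true for an empty list
            found[kind].append(lineno)
    return dict(found)


def ambiguous(text):
    """Secret types that have more than one catch-all entry."""
    return {k: v for k, v in default_entries(text).items() if len(v) > 1}


if __name__ == "__main__":
    print("unindexed file:", ambiguous(AMBIGUOUS))
    print("indexed file:  ", ambiguous(INDEXED))
```

Running the same check on both gateways is useful here, since the reply above suspects the peer also had two default entries.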