[Swan] Multiple Route-based VPNs between identical peers

Craig Marker cmarker at inspeednetworks.com
Tue Feb 7 01:04:20 UTC 2017


I’m still having trouble making this configuration work...

Here are my .conf files… Of note: ‘client’ and ‘server’ are names of the certificates. They are unique on each host, despite
having the same name. Let me know if any logs would be useful.

Host 1:

conn tunisp5
    leftid=%fromcert
    left=192.168.1.129
    leftrsasigkey=%cert
    leftsubnet=0.0.0.0/0
    rightid=%fromcert
    right=54.167.198.105
    rightrsasigkey=%cert
    rightsubnet=0.0.0.0/0
    leftcert=client
    authby=rsasig
    keyingtries=%forever
    vti-interface=tunisp5
    vti-routing=no
    mark=0x5/0xff

Host 2:

conn tunisp1
    leftid=%fromcert
    left=192.168.1.125
    leftrsasigkey=%cert
    leftsubnet=0.0.0.0/0
    rightid=%fromcert
    right=54.167.198.105
    rightrsasigkey=%cert
    rightsubnet=0.0.0.0/0
    leftcert=client
    vti-interface=tunisp1
    vti-routing=no
    mark=0x1/0xff
    authby=rsasig
    keyingtries=%forever

AWS Instance Connections:

This one goes with Host 1.
conn tunisp1
    leftid="C=*, ST=*, L=*, O=*, OU=*, CN=d1855a56-72db-4b26-9329-0906f8950697"
    left=%any
    leftrsasigkey=%cert
    leftsubnet=0.0.0.0/0
    rightid=%fromcert
    right=172.31.51.10
    rightrsasigkey=%cert
    rightsubnet=0.0.0.0/0
    rightcert=server
    vti-interface=tunisp1
    vti-routing=no
    mark=0x1/0xff
    authby=rsasig
    keyingtries=%forever

This one goes with Host 2.
conn tunisp2
    leftid="C=*, ST=*, L=*, O=*, OU=*, CN=fb7a8f76-a93b-429f-bb29-8546122bcc02"
    left=%any
    leftrsasigkey=%cert
    leftsubnet=0.0.0.0/0
    rightid=%fromcert
    right=172.31.51.10
    rightrsasigkey=%cert
    rightsubnet=0.0.0.0/0
    rightcert=server
    vti-interface=tunisp2
    vti-routing=no
    mark=0x2/0xff
    authby=rsasig
    keyingtries=%forever

I believe the problem lies within the ip tunnel creation. On the AWS instance, my tunnels look like this:

tunisp1: ip/ip  remote any  local 172.31.51.10  ttl inherit  key 1
tunisp2: ip/ip  remote any  local 172.31.51.10  ttl inherit  key 2

If I change the remote to be their public IP address, it’s still identical. It’s unclear how the decision is made for which one
can pass traffic and which one cannot, but when I delete the tunnel that is passing traffic, the other one becomes able to
pass traffic.

--
cm

> On Jan 31, 2017, at 11:57 AM, Paul Wouters <paul at nohats.ca> wrote:
> 
> On Tue, 31 Jan 2017, Craig Marker wrote:
> 
>> I’m trying to set up multiple IPSec VTIs between two peers, but I haven’t been able to have both connections up at the
>> same time.
>> I have two Linux boxes on my local network that I’m trying to configure to connect to a single AWS instance. The
>> route-based VPN functionality works great when there is only one tunnel present, but fails when there are two. Of note, the
>> negotiation succeeds,
> 
> Are you using different mark= values for the different conns, as well as
> a different vti name for the interface?
> 
>> however, I’m only able to ping across one of the tunnels.
> 
> This might be just related to how you ping. If not specifying ping -I,
> you might just be using the source ip of one of your two tunnels?
> 
>> I’ve played around with a handful of configuration options to no avail. ‘vti-shared=yes’ doesn’t give me the
>> functionality I need — I want unique tunnels for each connection.
> 
> It should just work.
> 
> Paul
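Paul's first question (different mark= values and a different vti-interface name per conn) is the kind of thing that is easy to get wrong when several route-based conns share one host, so here is a small checker for it. This is an added example, not code from the thread or from libreswan: it parses ipsec.conf-style conn sections, decodes mark=value/mask, and reports conns that reuse a mark or a VTI name or whose mark value has bits outside its mask. The embedded configuration is constructed for the example (it mirrors the two AWS-side conns above, with placeholder CNs, plus two deliberately broken conns); the 0xffffffff default for a mark without a mask is an assumption about libreswan's defaults.

```python
"""Check ipsec.conf conn sections for VTI mark/interface collisions.

Added example, not from the thread or libreswan. Sample conf below is
constructed: two conns modelled on the AWS side of the thread, plus
tunisp3 (reuses tunisp1's mark) and tunisp4 (mark value outside its mask).
"""
import re
from collections import defaultdict

# Assumption: mark without an explicit /mask uses a full 32-bit mask.
DEFAULT_MASK = 0xFFFFFFFF
MARK_RE = re.compile(r"^(0x[0-9a-fA-F]+|\d+)(?:/(0x[0-9a-fA-F]+|\d+))?$")

SAMPLE_CONF = """\
conn tunisp1
    leftid="C=*, ST=*, L=*, O=*, OU=*, CN=PLACEHOLDER-CLIENT-1"
    left=%any
    right=172.31.51.10
    rightcert=server
    vti-interface=tunisp1
    vti-routing=no
    mark=0x1/0xff
    authby=rsasig

conn tunisp2
    leftid="C=*, ST=*, L=*, O=*, OU=*, CN=PLACEHOLDER-CLIENT-2"
    left=%any
    right=172.31.51.10
    rightcert=server
    vti-interface=tunisp2
    vti-routing=no
    mark=0x2/0xff
    authby=rsasig

conn tunisp3   # constructed error: same mark as tunisp1
    left=%any
    right=172.31.51.10
    vti-interface=tunisp3
    mark=0x1/0xff

conn tunisp4   # constructed error: 0x100 does not fit in mask 0xff
    left=%any
    right=172.31.51.10
    vti-interface=tunisp4
    mark=0x100/0xff
"""


def parse_conf(text):
    """Return {conn_name: {key: value}} for every 'conn NAME' section.
    '#' comments are dropped; a double-quoted value keeps its inner text
    (so a DN in leftid= containing '=' survives intact)."""
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():              # unindented line: section header
            parts = line.split(None, 1)
            if parts[0] == "conn" and len(parts) == 2:
                current = conns.setdefault(parts[1].strip(), {})
            else:
                current = None                # e.g. 'config setup' is not a conn
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.strip().split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        current[key.strip()] = value
    return conns


def parse_mark(value):
    """Decode 'value[/mask]' (hex or decimal) into an (int, int) pair."""
    m = MARK_RE.match(value.strip())
    if not m:
        raise ValueError(f"unparseable mark: {value!r}")
    val = int(m.group(1), 0)
    mask = int(m.group(2), 0) if m.group(2) else DEFAULT_MASK
    return val, mask


def check_vti_conns(conns):
    """Return a list of human-readable findings for route-based conns
    that would collide on one host (shared mark, shared VTI name,
    missing mark, or mark bits outside the mask)."""
    findings = []
    by_mark = defaultdict(list)
    by_iface = defaultdict(list)
    for name, opts in conns.items():
        iface = opts.get("vti-interface")
        if iface is None:
            continue                          # policy-based conn: no VTI demux
        by_iface[iface].append(name)
        if "mark" not in opts:
            findings.append(f"{name}: vti-interface={iface} but no mark= set")
            continue
        val, mask = parse_mark(opts["mark"])
        if val & mask != val:
            findings.append(f"{name}: mark value {val:#x} has bits outside mask {mask:#x}")
        by_mark[(val, mask)].append(name)
    for (val, mask), names in by_mark.items():
        if len(names) > 1:
            findings.append(f"mark {val:#x}/{mask:#x} shared by {', '.join(sorted(names))}")
    for iface, names in by_iface.items():
        if len(names) > 1:
            findings.append(f"vti-interface {iface} shared by {', '.join(sorted(names))}")
    return findings


if __name__ == "__main__":
    for finding in check_vti_conns(parse_conf(SAMPLE_CONF)):
        print(finding)
```

Run it against a host's real ipsec.conf by reading the file into parse_conf(); an empty findings list means every VTI conn on that host has its own mark and interface name, which is the precondition Paul asked about.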