[Swan] Multiple Route-based VPNs between identical peers
Craig Marker
cmarker at inspeednetworks.com
Tue Feb 7 01:04:20 UTC 2017
I’m still having trouble making this configuration work...
Here are my .conf files… Of note: ‘client’ and ‘server’ are names of the certificates. They are unique on each host, despite
having the same name. Let me know if any logs would be useful.
Host 1:
conn tunisp5
    leftid=%fromcert
    left=192.168.1.129
    leftrsasigkey=%cert
    leftsubnet=0.0.0.0/0
    rightid=%fromcert
    right=54.167.198.105
    rightrsasigkey=%cert
    rightsubnet=0.0.0.0/0
    leftcert=client
    authby=rsasig
    keyingtries=%forever
    vti-interface=tunisp5
    vti-routing=no
    mark=0x5/0xff
Host 2:
conn tunisp1
    leftid=%fromcert
    left=192.168.1.125
    leftrsasigkey=%cert
    leftsubnet=0.0.0.0/0
    rightid=%fromcert
    right=54.167.198.105
    rightrsasigkey=%cert
    rightsubnet=0.0.0.0/0
    leftcert=client
    vti-interface=tunisp1
    vti-routing=no
    mark=0x1/0xff
    authby=rsasig
    keyingtries=%forever
AWS Instance Connections:
This one goes with Host 1.
conn tunisp1
    leftid="C=*, ST=*, L=*, O=*, OU=*, CN=d1855a56-72db-4b26-9329-0906f8950697"
    left=%any
    leftrsasigkey=%cert
    leftsubnet=0.0.0.0/0
    rightid=%fromcert
    right=172.31.51.10
    rightrsasigkey=%cert
    rightsubnet=0.0.0.0/0
    rightcert=server
    vti-interface=tunisp1
    vti-routing=no
    mark=0x1/0xff
    authby=rsasig
    keyingtries=%forever
This one goes with Host 2.
conn tunisp2
    leftid="C=*, ST=*, L=*, O=*, OU=*, CN=fb7a8f76-a93b-429f-bb29-8546122bcc02"
    left=%any
    leftrsasigkey=%cert
    leftsubnet=0.0.0.0/0
    rightid=%fromcert
    right=172.31.51.10
    rightrsasigkey=%cert
    rightsubnet=0.0.0.0/0
    rightcert=server
    vti-interface=tunisp2
    vti-routing=no
    mark=0x2/0xff
    authby=rsasig
    keyingtries=%forever
I believe the problem lies within the ip tunnel creation. On the AWS instance, my tunnels look like this:
    tunisp1: ip/ip remote any local 172.31.51.10 ttl inherit key 1
    tunisp2: ip/ip remote any local 172.31.51.10 ttl inherit key 2
If I change the remote to be their public IP address, it’s still identical. It’s unclear how the decision is made for which one
can pass traffic and which one cannot, but when I delete the tunnel that is passing traffic, the other one becomes able to
pass traffic.
--
cm
> On Jan 31, 2017, at 11:57 AM, Paul Wouters <paul at nohats.ca> wrote:
>
> On Tue, 31 Jan 2017, Craig Marker wrote:
>
>> I’m trying to setup multiple IPSec VTIs between two peers, but I haven’t been able to have both connections up at the
>> same time.
>> I have two linux boxes on my local network that I’m trying to configure to connect to a single AWS instance. The
>> route-based VPN
>> functionality works great when there is only one tunnel present, but fails where there is two. Of note, the
>> negotiation succeeds,
>
> Are you using different mark= values for the different conns, as well as
> a different vti name for the interface?
>
>> however, I’m only able to ping across one of the tunnels.
>
> This might be just related to how you ping. If not specifying ping -I,
> you might just be using the source ip of one of your two tunnels?
>
>> I’ve played around with a handful of configuration options to no avail. ‘vti-shared=yes’ doesn’t give me the
>> functionality I need — I want unique tunnels
>> for each connection.
>
> It should just work.
>
> Paul
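The checks Paul asks about (distinct mark= values and distinct vti-interface names per conn) and the situation Craig reports (two vti tunnels on the AWS side that the kernel lists with the same local address, remote any, and only the key differing) can be mechanised. The script below is an added example and is not code from the thread or from libreswan: it parses conn stanzas out of an ipsec.conf fragment and the lines of `ip tunnel show` in the format quoted above, then reports duplicate vti names, marks whose value/mask pairs cannot be told apart, a vti whose key does not match its conn's mark value, and tunnels that differ only in key. The conf and tunnel text embedded in it are constructed from the AWS-side conns in the post, trimmed to the options the checks use.

```python
"""Sanity checks for several libreswan route-based (VTI) conns on one host.

Added example, not code from the mailing-list thread or from libreswan.
Inputs are an ipsec.conf fragment and the text of `ip tunnel show`.
"""
import re
from collections import defaultdict

# One line of `ip tunnel show`, e.g.
#   tunisp1: ip/ip remote any local 172.31.51.10 ttl inherit key 1
TUNNEL_RE = re.compile(
    r"^(?P<name>[^:\s]+):\s+ip/ip\s+remote\s+(?P<remote>\S+)\s+local\s+(?P<local>\S+)"
    r"(?:.*\bkey\s+(?P<key>\d+))?"
)


def _to_int(text):
    """Parse a mark or key written as decimal or 0x-prefixed hex."""
    return int(text, 16) if text.lower().startswith("0x") else int(text, 10)


def parse_conns(conf):
    """Return {conn_name: {option: value}} for every conn stanza in conf."""
    conns, current = {}, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1].strip()
            conns[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            conns[current][key.strip()] = value.strip().strip('"')
    return conns


def parse_mark(mark):
    """'0x5/0xff' -> (5, 255); a bare value gets a full 32-bit mask."""
    value, _, mask = mark.partition("/")
    return _to_int(value), (_to_int(mask) if mask else 0xFFFFFFFF)


def parse_tunnels(output):
    """Return {ifname: {'remote', 'local', 'key'}} from `ip tunnel show` lines."""
    tunnels = {}
    for line in output.splitlines():
        m = TUNNEL_RE.match(line.strip())
        if m:
            key = m.group("key")
            tunnels[m.group("name")] = {"remote": m.group("remote"),
                                        "local": m.group("local"),
                                        "key": _to_int(key) if key else None}
    return tunnels


def check_conns(conns):
    """Problems visible from the conf alone: shared vti names, ambiguous marks."""
    problems, vti_owner, marks = [], {}, []
    for name, opts in conns.items():
        vti = opts.get("vti-interface")
        if vti is None:
            continue  # not a route-based conn
        if vti in vti_owner:
            problems.append("%s and %s share vti-interface %s" % (vti_owner[vti], name, vti))
        vti_owner[vti] = name
        if "mark" not in opts:
            problems.append("%s sets vti-interface but no mark=" % name)
            continue
        value, mask = parse_mark(opts["mark"])
        for other, ovalue, omask in marks:
            common = mask & omask  # bits that both conns actually test
            if (value & common) == (ovalue & common):
                problems.append("%s and %s have marks that cannot be distinguished" % (other, name))
        marks.append((name, value, mask))
    return problems


def check_tunnels(conns, tunnels):
    """Cross-check conf marks against the kernel's vti key values."""
    problems = []
    for name, opts in conns.items():
        vti = opts.get("vti-interface")
        if vti is None or "mark" not in opts:
            continue
        tun, want = tunnels.get(vti), parse_mark(opts["mark"])[0]
        if tun is None:
            problems.append("%s: vti-interface %s is not in the ip tunnel output" % (name, vti))
        elif tun["key"] != want:
            problems.append("%s: %s has key %s but mark value is %s" % (name, vti, tun["key"], want))
    by_addr = defaultdict(list)  # tunnels the kernel lists with the same local/remote pair
    for tname, tun in tunnels.items():
        by_addr[(tun["local"], tun["remote"])].append(tname)
    for (local, remote), names in sorted(by_addr.items()):
        if len(names) > 1:
            problems.append("%s differ only in key (local %s, remote %s)"
                            % (", ".join(sorted(names)), local, remote))
    return problems


def audit(conf, tunnel_output):
    conns = parse_conns(conf)
    return check_conns(conns) + check_tunnels(conns, parse_tunnels(tunnel_output))


# Constructed sample: the AWS-side conns and `ip tunnel show` lines from the post,
# reduced to the options the checks look at.
AWS_CONF = """
conn tunisp1
    left=%any
    right=172.31.51.10
    vti-interface=tunisp1
    vti-routing=no
    mark=0x1/0xff
conn tunisp2
    left=%any
    right=172.31.51.10
    vti-interface=tunisp2
    vti-routing=no
    mark=0x2/0xff
"""
AWS_TUNNELS = """\
tunisp1: ip/ip remote any local 172.31.51.10 ttl inherit key 1
tunisp2: ip/ip remote any local 172.31.51.10 ttl inherit key 2
"""

if __name__ == "__main__":
    for problem in audit(AWS_CONF, AWS_TUNNELS) or ["no problems found"]:
        print(problem)
```

Run against the sample, the conf-level checks pass (distinct vti names, marks 1 and 2 under mask 0xff) and the key values match the marks; the only finding is that tunisp1 and tunisp2 share local 172.31.51.10 and remote any, which is exactly the pair Craig lists. Feeding it real files is `audit(open("/etc/ipsec.d/vti.conf").read(), subprocess.check_output(["ip", "tunnel", "show"], text=True))`.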