[Swan] Overlapping IP ranges
Mircea Troaca
mircea.troaca at net.ase.ro
Wed Apr 11 12:33:24 UTC 2018
Hello guys,
I am new to libreswan and I am trying to make a vpn server for production.
Everything is working like a charm on a Debian 9 (kernel 4.9.0). Users
connect to the vpn server via ipsec by libreswan + xl2tpd + a freeradius
server. The problem occurs when two clients from different networks with
the same network (192.168.0.x) try to access the server.
Client A: 192.168.0.101
-> he is the first who connects and it is successful.
Client B: 192.168.0.101 (from different network, different location, using
a router that gives 192.168.0.x)
-> Virtual IP 192.168.0.101/32 overlaps with connection
"L2TP-PSK-NAT"[11] xxx.xxx.xxx.xxx (kind=CK_INSTANCE) 'xxx.xxx.xxx.xxx'
-> Kernel method 'netkey' does not support overlapping IP ranges
and the tunnel is not established...
here is my config of ipsec.conf
config setup
    virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.150.0.0/24,%v4:!10.150.1.0/24
    protostack=netkey
    plutostderrlog=/var/log/ipsec.log
    interfaces=%defaultroute
    uniqueids=no

include /etc/ipsec.d/l2tp-psk.conf
and here is the config of l2tp-psk.conf
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT
    ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512
    phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512
    sha2-truncbug=yes

conn L2TP-PSK-noNAT
    # Use a Preshared Key. Disable Perfect Forward Secrecy.
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    # we cannot rekey for %any, let client rekey
    rekey=no
    # Apple iOS doesn't send delete notify so we need dead peer detection
    # to detect vanishing clients
    dpddelay=10
    dpdtimeout=90
    dpdaction=clear
    # Set ikelifetime and keylife to same defaults windows has
    ikelifetime=8h
    keylife=1h
    # l2tp-over-ipsec is transport mode
    type=transport
    #
    # left will be filled in automatically with the local address of
    # the default-route interface (as determined at IPsec startup time).
    left=%defaultroute
    #
    # For updated Windows 2000/XP clients,
    # to support old clients as well, use leftprotoport=17/%any
    leftprotoport=17/1701
    #
    # The remote user.
    #
    right=%any
    # Using the magic port of "%any" means "any one single port". This is
    # a work around required for Apple OSX clients that use a randomly
    # high port.
    rightprotoport=17/%any
Thank you in advance!
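As an added illustration (not code from the post and not libreswan's own logic), the following Python script models the two checks behind the log lines quoted above: whether a client-proposed virtual IP falls inside the poster's virtual-private= ranges (including the "!" exclusions), and whether it collides with a virtual IP an existing connection instance already claims. The public peer addresses and the function names are constructed for the example.

```python
# Added example, not code from the post or from libreswan: models the checks
# behind the two log lines quoted above. Peer addresses are constructed.
import ipaddress

# virtual-private value copied from the poster's ipsec.conf
VIRTUAL_PRIVATE = ("%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,"
                   "%v4:!10.150.0.0/24,%v4:!10.150.1.0/24")

def parse_virtual_private(value):
    """Split '%v4:NET,%v4:!NET,...' into (allowed, excluded) network lists."""
    allowed, excluded = [], []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry.startswith("%v4:"):
            raise ValueError(f"unsupported virtual-private entry: {entry}")
        net = entry[len("%v4:"):]
        if net.startswith("!"):
            excluded.append(ipaddress.ip_network(net[1:]))
        else:
            allowed.append(ipaddress.ip_network(net))
    return allowed, excluded

def virtual_ip_permitted(ip, allowed, excluded):
    """rightsubnet=vhost:%priv: the client's IP must lie in an allowed range
    and in none of the excluded ('!') ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in allowed) and not any(addr in n for n in excluded)

def find_overlap(ip, established):
    """Return the public peer whose live instance already claims ip/32, else
    None. netkey cannot keep two instances with overlapping virtual IPs."""
    new = ipaddress.ip_network(f"{ip}/32")
    return next((p for p, net in established.items() if new.overlaps(net)), None)

def admit_client(ip, peer, established, allowed, excluded):
    """Decide a new client's fate and record it if admitted."""
    if not virtual_ip_permitted(ip, allowed, excluded):
        return "rejected: not in virtual-private"
    clash = find_overlap(ip, established)
    if clash is not None:
        return f"overlap: {ip}/32 already claimed by instance for {clash}"
    established[peer] = ipaddress.ip_network(f"{ip}/32")
    return "admitted"

if __name__ == "__main__":
    allowed, excluded = parse_virtual_private(VIRTUAL_PRIVATE)
    live = {}  # public peer address -> virtual IP it claims
    # Client A and client B from the post: same private IP, different NAT gateways
    print(admit_client("192.168.0.101", "203.0.113.10", live, allowed, excluded))
    print(admit_client("192.168.0.101", "198.51.100.7", live, allowed, excluded))
```

The second call reproduces the situation in the post: the IP is permitted by virtual-private, but the /32 already belongs to the first client's instance, so the new instance is refused rather than installed.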