[Swan] Overlapping IP ranges

Paul Wouters paul at nohats.ca
Thu Apr 12 14:09:21 UTC 2018


On Wed, 11 Apr 2018, Mircea Troaca wrote:

> libreswan + xl2tpd + a freeradius server. The problem occurs when two clients from different networks with the same network (192.168.0.x) try to access the server.
> 
> Client A: 192.168.0.101
>      -> he is the first who connects and it is successful.
> 
> Client B: 192.168.0.101 (from different network, different location, using a router that gives 192.168.0.x)
>      -> Virtual IP 192.168.0.101/32 overlaps with connection "L2TP-PSK-NAT"[11] xxx.xxx.xxx.xxx (kind=CK_INSTANCE) 'xxx.xxx.xxx.xxx'
>      -> Kernel method 'netkey' does not support overlapping IP ranges

This should work, if you use marking to make each IPsec SA unique.

Try adding this to your connection:

 	overlapip=yes
 	mark=-1/0xffffffff

Paul

> and the tunnel is not established...
> 
> 
> here is my config of ipsec.conf
> 
> config setup
>   virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.150.0.0/24,%v4:!10.150.1.0/24
>   protostack=netkey
>   plutostderrlog=/var/log/ipsec.log
>   interfaces=%defaultroute
>   uniqueids=no
> 
> include /etc/ipsec.d/l2tp-psk.conf
> 
> 
> and here is the config of l2tp-psk.conf
> 
> conn L2TP-PSK-NAT
>         rightsubnet=vhost:%priv
>         also=L2TP-PSK-noNAT
>         ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512
>         phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512
>         sha2-truncbug=yes
> 
> conn L2TP-PSK-noNAT
>         # Use a Preshared Key. Disable Perfect Forward Secrecy.
>         authby=secret
>         pfs=no
>         auto=add
>         keyingtries=3
>         # we cannot rekey for %any, let client rekey
>         rekey=no
>         # Apple iOS doesn't send delete notify so we need dead peer detection
>         # to detect vanishing clients
>         dpddelay=10
>         dpdtimeout=90
>         dpdaction=clear
>         # Set ikelifetime and keylife to same defaults windows has
>         ikelifetime=8h
>         keylife=1h
>         # l2tp-over-ipsec is transport mode
>         type=transport
>         #
>         # left will be filled in automatically with the local address of the default-route interface (as determined at IPsec startup time).
>         left=%defaultroute
>         #
>         # For updated Windows 2000/XP clients,
>         # to support old clients as well, use leftprotoport=17/%any
>         leftprotoport=17/1701
>         #
>         # The remote user.
>         #
>         right=%any
>         # Using the magic port of "%any" means "any one single port". This is
>         # a work around required for Apple OSX clients that use a randomly
>         # high port.
>         rightprotoport=17/%any
> 
> 
> Thank you in advance!
> 
>
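For readers following the thread, here is how Paul's two settings fit into the quoted NAT connection block (an added illustration, not a config posted by either participant). Both options are per-connection settings, so they go inside the `conn` section rather than under `config setup`; the algorithm lines are carried over unchanged from the original l2tp-psk.conf. The value -1 for `mark=` asks libreswan to allocate a distinct mark for each connection instance, which is what lets the kernel tell apart two SAs whose inner addresses are both 192.168.0.101.

```conf
# l2tp-psk.conf: NAT connection with the two options suggested in the reply
# (added example; algorithm lines copied from the original post)
conn L2TP-PSK-NAT
        rightsubnet=vhost:%priv
        also=L2TP-PSK-noNAT
        ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512
        phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512
        sha2-truncbug=yes
        # Permit two road warriors behind different NATs to present the
        # same private address (e.g. both as 192.168.0.101/32).
        overlapip=yes
        # -1 lets libreswan pick a unique mark per connection instance;
        # 0xffffffff is the mask of mark bits the kernel compares.
        mark=-1/0xffffffff
```

After editing, `ipsec auto --replace L2TP-PSK-NAT` (or a restart) reloads the connection; the second client's "Virtual IP ... overlaps" rejection should no longer appear in /var/log/ipsec.log once each instance carries its own mark.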

