[Swan] Fwd: Overlapping IP ranges

Mircea Troaca mircea.troaca at net.ase.ro
Thu Apr 12 16:00:48 UTC 2018


---------- Forwarded message ----------
From: Mircea Troaca <mircea.troaca at net.ase.ro>
Date: 2018-04-12 18:56 GMT+03:00
Subject: Re: [Swan] Overlapping IP ranges
To: Paul Wouters <paul at nohats.ca>


I tried with overlapip=yes; when I add that to my connection, clients can
connect fine, but I get the same error: overlaps with connection bla bla bla...
After I added mark=-1/0xffffffff, clients can't connect anymore.

2018-04-12 17:09 GMT+03:00 Paul Wouters <paul at nohats.ca>:

> On Wed, 11 Apr 2018, Mircea Troaca wrote:
>
> libreswan + xl2tpd + a freeradius server. The problem occurs when two
>> clients from different networks with the same network (192.168.0.x) try to
>> access the server.
>>
>> Client A: 192.168.0.101
>>      -> he is the first who connects and it is successful.
>>
>> Client B: 192.168.0.101 (from different network, different location,
>> using a router that gives 192.168.0.x)
>>      -> Virtual IP 192.168.0.101/32 overlaps with connection
>> "L2TP-PSK-NAT"[11] xxx.xxx.xxx.xxx (kind=CK_INSTANCE) 'xxx.xxx.xxx.xxx'
>>      -> Kernel method 'netkey' does not support overlapping IP ranges
>>
>
> This should work, if you use marking to make each IPsec SA unique.
>
> Try adding this to your connection:
>
>         overlapip=yes
>         mark=-1/0xffffffff
>
> Paul
>
>
> and the tunnel is not established...
>>
>>
>> here is my config of ipsec.conf
>>
>> config setup
>>   virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.150.0.0/24,%v4:!10.150.1.0/24
>>   protostack=netkey
>>   plutostderrlog=/var/log/ipsec.log
>>   interfaces=%defaultroute
>>   uniqueids=no
>>
>> include /etc/ipsec.d/l2tp-psk.conf
>>
>>
>> and here is the config of l2tp-psk.conf
>>
>> conn L2TP-PSK-NAT
>>         rightsubnet=vhost:%priv
>>         also=L2TP-PSK-noNAT
>>     ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512
>>     phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512
>>     sha2-truncbug=yes
>>
>> conn L2TP-PSK-noNAT
>>         # Use a Preshared Key. Disable Perfect Forward Secrecy.
>>         authby=secret
>>         pfs=no
>>         auto=add
>>         keyingtries=3
>>         # we cannot rekey for %any, let client rekey
>>         rekey=no
>>         # Apple iOS doesn't send delete notify so we need dead peer detection
>>         # to detect vanishing clients
>>         dpddelay=10
>>         dpdtimeout=90
>>         dpdaction=clear
>>         # Set ikelifetime and keylife to same defaults windows has
>>         ikelifetime=8h
>>         keylife=1h
>>         # l2tp-over-ipsec is transport mode
>>         type=transport
>>         #
>>         # left will be filled in automatically with the local address of
>>         # the default-route interface (as determined at IPsec startup time).
>>         left=%defaultroute
>>         #
>>         # For updated Windows 2000/XP clients,
>>         # to support old clients as well, use leftprotoport=17/%any
>>         leftprotoport=17/1701
>>         #
>>         # The remote user.
>>         #
>>         right=%any
>>         # Using the magic port of "%any" means "any one single port". This is
>>         # a workaround required for Apple OSX clients that use a randomly
>>         # high port.
>>         rightprotoport=17/%any
>>
>>
>> Thank you in advance!
>>
>>
>>
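The thread turns on two things: how libreswan's ipsec.conf sections compose (the `L2TP-PSK-NAT` conn pulls in `L2TP-PSK-noNAT` through `also=`, and `virtual-private` in `config setup` lists the RFC1918 ranges, with `!` exclusions, from which a NATed client's virtual IP may come) and whether a conn that hands out such virtual IPs carries the `overlapip=yes` / `mark=` settings Paul suggested. The script below is an added example written for this page; it is not code from the thread or from the libreswan project. It parses an ipsec.conf-style text (a constructed sample modelled on the posted config, with the include inlined and one extra conn, `L2TP-PSK-NAT-marked`, added to show the settings present), flattens `also=` inheritance so a conn's own keys override what it includes, splits `virtual-private` into allowed and excluded CIDRs, and reports for every `rightsubnet=vhost:%priv` conn whether both settings are set. The function and variable names (`parse_ipsec_conf`, `effective_conn`, `audit_overlap_readiness`) are this example's own. It only checks that the keys are present; it says nothing about whether they resolve the overlap on a given kernel stack, which is exactly what the original poster reports still seeing.

```python
"""Added example (not from the thread or libreswan): parse an ipsec.conf-style
file, resolve also= inheritance, and report which client-facing conns lack the
overlapip/mark settings suggested in the thread."""

# Constructed sample, modelled on the config in the thread. The l2tp-psk.conf
# include is inlined, and L2TP-PSK-NAT-marked is an added conn that carries
# the suggested settings so the report shows both outcomes.
SAMPLE_CONF = """\
config setup
  virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.150.0.0/24,%v4:!10.150.1.0/24
  protostack=netkey
  uniqueids=no

conn L2TP-PSK-NAT
        rightsubnet=vhost:%priv
        also=L2TP-PSK-noNAT
    ike=3des-sha1,aes-sha1;modp1024,aes256-sha2_512

conn L2TP-PSK-noNAT
        # Use a Preshared Key. Disable Perfect Forward Secrecy.
        authby=secret
        pfs=no
        type=transport
        left=%defaultroute
        right=%any

conn L2TP-PSK-NAT-marked
        rightsubnet=vhost:%priv
        also=L2TP-PSK-noNAT
        overlapip=yes
        mark=-1/0xffffffff
"""


def parse_ipsec_conf(text):
    """Return (setup, conns). setup holds the 'config setup' keys; conns maps a
    conn name to its own key=value pairs, with also= collected into a list.
    Section headers sit at column 0, settings are indented, '#' starts a comment."""
    setup, conns = {}, {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():  # a new section header
            kind, _, name = line.partition(" ")
            name = name.strip()
            if kind == "config" and name == "setup":
                current = setup
            elif kind == "conn":
                current = conns.setdefault(name, {"also": []})
            else:
                current = None  # e.g. an 'include' line: nothing to attach to
            continue
        if current is None:
            continue
        key, _, value = line.strip().partition("=")
        key, value = key.strip(), value.strip()
        if key == "also":
            current.setdefault("also", []).append(value)
        else:
            current[key] = value
    return setup, conns


def effective_conn(conns, name, chain=()):
    """Flatten also= inheritance: keys from included conns are applied first,
    then the conn's own keys override them. Cycles raise instead of recursing."""
    if name in chain:
        raise ValueError("also= loop: " + " -> ".join(chain + (name,)))
    own = conns[name]
    merged = {}
    for included in own.get("also", []):
        merged.update(effective_conn(conns, included, chain + (name,)))
    merged.update({k: v for k, v in own.items() if k != "also"})
    return merged


def parse_virtual_private(value):
    """Split virtual-private into (allowed, excluded) IPv4 CIDR lists; a '!'
    prefix marks a range that must never be used as a client's virtual IP."""
    allowed, excluded = [], []
    for item in filter(None, value.split(",")):
        family, _, cidr = item.partition(":")
        if family != "%v4":
            continue  # only the IPv4 form is handled in this example
        (excluded if cidr.startswith("!") else allowed).append(cidr.lstrip("!"))
    return allowed, excluded


def audit_overlap_readiness(text):
    """For each conn whose rightsubnet is vhost:%priv (clients behind NAT that
    receive a virtual IP out of virtual-private), report whether overlapip=yes
    and a mark= are both present, the two settings the thread recommends."""
    setup, conns = parse_ipsec_conf(text)
    allowed, excluded = parse_virtual_private(setup.get("virtual-private", ""))
    report = {}
    for name in conns:
        eff = effective_conn(conns, name)
        if eff.get("rightsubnet") != "vhost:%priv":
            continue
        has_overlapip = eff.get("overlapip") == "yes"
        has_mark = "mark" in eff
        report[name] = {"overlapip": has_overlapip, "mark": has_mark,
                        "ready": has_overlapip and has_mark}
    return {"virtual_private": (allowed, excluded), "conns": report}


if __name__ == "__main__":
    result = audit_overlap_readiness(SAMPLE_CONF)
    print("virtual-private allowed/excluded:", result["virtual_private"])
    for conn_name, status in result["conns"].items():
        print(f"{conn_name}: {status}")
```

Run against a real /etc/ipsec.conf, the same functions apply unchanged, except that `include` lines are not followed; concatenate the included files first or extend `parse_ipsec_conf` to read them.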