[Swan] Fwd: Overlapping IP ranges

Paul Wouters paul at nohats.ca
Thu Apr 12 16:05:02 UTC 2018


On Thu, 12 Apr 2018, Mircea Troaca wrote:

Try the attached patch.

Paul

> Date: Thu, 12 Apr 2018 12:00:48
> From: Mircea Troaca <mircea.troaca at net.ase.ro>
> To: swan at lists.libreswan.org
> Subject: [Swan] Fwd:  Overlapping IP ranges
> 
> 
> ---------- Forwarded message ----------
> From: Mircea Troaca <mircea.troaca at net.ase.ro>
> Date: 2018-04-12 18:56 GMT+03:00
> Subject: Re: [Swan] Overlapping IP ranges
> To: Paul Wouters <paul at nohats.ca>
> 
> 
> I tried with overlapip=yes, when I add that to my connection, clients can connect well, but the same error, overlaps with connection bla bla bla... After I added mark= -1/0xffffffff,
> clients can't connect anymore...
> 
> 2018-04-12 17:09 GMT+03:00 Paul Wouters <paul at nohats.ca>:
>       On Wed, 11 Apr 2018, Mircea Troaca wrote:
>
>             libreswan + xl2tpd + a freeradius server. The problem occurs when two clients from different networks with the same network (192.168.0.x) try to access the
>             server.
>
>             Client A: 192.168.0.101
>                  -> he is the first who connects and it is successful.
>
>             Client B: 192.168.0.101 (from different network, different location, using a router that gives 192.168.0.x)
>                  -> Virtual IP 192.168.0.101/32 overlaps with connection "L2TP-PSK-NAT"[11] xxx.xxx.xxx.xxx (kind=CK_INSTANCE) 'xxx.xxx.xxx.xxx'
>                  -> Kernel method 'netkey' does not support overlapping IP ranges
> 
>
>       This should work, if you use marking to make each IPsec SA unique.
>
>       Try adding this to your connection:
>
>               overlapip=yes
>               mark=-1/0xffffffff
>
>       Paul
>
>             and the tunnel is not established...
> 
>
>             here is my config of ipsec.conf
>
>             config setup
>               virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.150.0.0/24,%v4:!10.150.1.0/24
>               protostack=netkey
>               plutostderrlog=/var/log/ipsec.log
>               interfaces=%defaultroute
>               uniqueids=no
>
>             include /etc/ipsec.d/l2tp-psk.conf
> 
>
>             and here is the config of l2tp-psk.conf
>
>             conn L2TP-PSK-NAT
>                     rightsubnet=vhost:%priv
>                     also=L2TP-PSK-noNAT
>                     ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512
>                     phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512
>                     sha2-truncbug=yes
>
>             conn L2TP-PSK-noNAT
>                     # Use a Preshared Key. Disable Perfect Forward Secrecy.
>                     authby=secret
>                     pfs=no
>                     auto=add
>                     keyingtries=3
>                     # we cannot rekey for %any, let client rekey
>                     rekey=no
>                     # Apple iOS doesn't send delete notify so we need dead peer detection
>                     # to detect vanishing clients
>                     dpddelay=10
>                     dpdtimeout=90
>                     dpdaction=clear
>                     # Set ikelifetime and keylife to same defaults windows has
>                     ikelifetime=8h
>                     keylife=1h
>                     # l2tp-over-ipsec is transport mode
>                     type=transport
>                     #
>                     # left will be filled in automatically with the local address of the default-route interface (as determined at IPsec startup time).
>                     left=%defaultroute
>                     #
>                     # For updated Windows 2000/XP clients,
>                     # to support old clients as well, use leftprotoport=17/%any
>                     leftprotoport=17/1701
>                     #
>                     # The remote user.
>                     #
>                     right=%any
>                     # Using the magic port of "%any" means "any one single port". This is
>                     # a work around required for Apple OSX clients that use a randomly
>                     # high port.
>                     rightprotoport=17/%any
> 
>
>             Thank you in advance!
-------------- next part --------------
diff --git a/programs/pluto/kernel_netlink.c b/programs/pluto/kernel_netlink.c
index 8e1ff2799..7d44e1516 100644
--- a/programs/pluto/kernel_netlink.c
+++ b/programs/pluto/kernel_netlink.c
@@ -2992,7 +2992,7 @@ const struct kernel_ops netkey_kernel_ops = {
 	 * if netlink  specific changes are needed.
 	 */
 	.remove_orphaned_holds = NULL, /* only used for klips /proc scanner */
-	.overlap_supported = FALSE,
+	.overlap_supported = TRUE,
 	.sha2_truncbug_support = TRUE,
 	.v6holes = netlink_v6holes,
 };
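Review bot: setting `.overlap_supported = TRUE` for netkey only removes the guard that produced "Kernel method 'netkey' does not support overlapping IP ranges"; nothing in this hunk makes two SAs with the same virtual IP (192.168.0.101/32 in the report above) distinguishable to the kernel, which, as the thread itself says, only works when each SA carries a mark. Either gate the overlap on the connection actually having `mark=` configured, or state in a commit message (the patch has none) that overlapip=yes is only supported together with `mark=`, so an unmarked connection still fails with a clear error instead of installing conflicting policies.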

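Paul's advice above pairs overlapip=yes with a mark so that each IPsec SA stays unique. As an added example that is not from the thread or from libreswan, this Python linter parses conn blocks in the ipsec.conf format quoted above (following also= includes) and reports any connection that allows overlapping IPs without a mark; the sample config is constructed.

```python
import re

# Constructed sample modelled on the l2tp-psk.conf quoted in the thread
# (hypothetical: the NAT conn enables overlapip but has no mark).
SAMPLE_CONF = """\
config setup
  protostack=netkey

conn L2TP-PSK-NAT
        rightsubnet=vhost:%priv
        also=L2TP-PSK-noNAT
        overlapip=yes

conn L2TP-PSK-noNAT
        authby=secret        # Use a Preshared Key
        type=transport
        right=%any
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # strip comments
        if not line.strip():
            continue
        m = re.match(r"^(config|conn)\s+(\S+)\s*$", line)
        if m:  # 'config setup' is skipped; 'conn NAME' opens a section
            current = conns.setdefault(m.group(2), {}) if m.group(1) == "conn" else None
            continue
        if current is not None and "=" in line:
            key, val = line.strip().split("=", 1)
            current[key.strip()] = val.strip()
    return conns

def effective(conns, name, seen=None):
    """Flatten also= inheritance: a conn's own keys win over included ones."""
    seen = set() if seen is None else seen
    if name in seen or name not in conns:
        return {}
    seen.add(name)
    merged = {}
    for inc in conns[name].get("also", "").split(","):
        if inc.strip():
            merged.update(effective(conns, inc.strip(), seen))
    merged.update(conns[name])
    return merged

def find_unmarked_overlap(text):
    """Names of conns with overlapip=yes but no mark= to keep their SAs unique."""
    conns = parse_conns(text)
    return sorted(n for n in conns if effective(conns, n).get("overlapip") == "yes"
                  and "mark" not in effective(conns, n))
```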
