[Swan] Fwd: Overlapping IP ranges

Mircea Troaca mircea.troaca at net.ase.ro
Thu Apr 12 16:46:36 UTC 2018


Excuse my "stupidity".. but, how? :D

I am running on a Debian 9 server

2018-04-12 19:05 GMT+03:00 Paul Wouters <paul at nohats.ca>:

> On Thu, 12 Apr 2018, Mircea Troaca wrote:
>
> Try the attached patch.
>
> Paul
>
> Date: Thu, 12 Apr 2018 12:00:48
>> From: Mircea Troaca <mircea.troaca at net.ase.ro>
>> To: swan at lists.libreswan.org
>> Subject: [Swan] Fwd:  Overlapping IP ranges
>>
>>
>> ---------- Forwarded message ----------
>> From: Mircea Troaca <mircea.troaca at net.ase.ro>
>> Date: 2018-04-12 18:56 GMT+03:00
>> Subject: Re: [Swan] Overlapping IP ranges
>> To: Paul Wouters <paul at nohats.ca>
>>
>>
>> I tried with overlapip=yes; when I add that to my connection, clients can
>> connect well, but the same error, overlaps with connection bla bla
>> bla.. After I added mark=-1/0xffffffff,
>>
>> clients can't connect anymore..
>>
>> 2018-04-12 17:09 GMT+03:00 Paul Wouters <paul at nohats.ca>:
>>       On Wed, 11 Apr 2018, Mircea Troaca wrote:
>>
>>             libreswan + xl2tpd + a freeradius server. The problem occurs
>>             when two clients from different networks with the same network
>>             (192.168.0.x) try to access the server.
>>
>>             Client A: 192.168.0.101
>>                  -> he is the first who connects and it is successful.
>>
>>             Client B: 192.168.0.101 (from different network, different
>>             location, using a router that gives 192.168.0.x)
>>                  -> Virtual IP 192.168.0.101/32 overlaps with connection
>>                     "L2TP-PSK-NAT"[11] xxx.xxx.xxx.xxx (kind=CK_INSTANCE) 'xxx.xxx.xxx.xxx'
>>                  -> Kernel method 'netkey' does not support overlapping
>>                     IP ranges
>>
>>
>>       This should work, if you use marking to make each IPsec SA unique.
>>
>>       Try adding this to your connection:
>>
>>               overlapip=yes
>>               mark=-1/0xffffffff
>>
>>       Paul
>>
>>             and the tunnel is not established...
>>
>>
>>             here is my config of ipsec.conf
>>
>>             config setup
>>               virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.150.0.0/24,%v4:!10.150.1.0/24
>>               protostack=netkey
>>               plutostderrlog=/var/log/ipsec.log
>>               interfaces=%defaultroute
>>               uniqueids=no
>>
>>             include /etc/ipsec.d/l2tp-psk.conf
>>
>>
>>             and here is the config of l2tp-psk.conf
>>
>>             conn L2TP-PSK-NAT
>>                     rightsubnet=vhost:%priv
>>                     also=L2TP-PSK-noNAT
>>                     ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512
>>                     phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512
>>                     sha2-truncbug=yes
>>
>>             conn L2TP-PSK-noNAT
>>                     # Use a Preshared Key. Disable Perfect Forward Secrecy.
>>                     authby=secret
>>                     pfs=no
>>                     auto=add
>>                     keyingtries=3
>>                     # we cannot rekey for %any, let client rekey
>>                     rekey=no
>>                     # Apple iOS doesn't send delete notify so we need dead peer detection
>>                     # to detect vanishing clients
>>                     dpddelay=10
>>                     dpdtimeout=90
>>                     dpdaction=clear
>>                     # Set ikelifetime and keylife to same defaults windows has
>>                     ikelifetime=8h
>>                     keylife=1h
>>                     # l2tp-over-ipsec is transport mode
>>                     type=transport
>>                     #
>>                     # left will be filled in automatically with the local
>>                     # address of the default-route interface (as determined at IPsec startup time).
>>                     left=%defaultroute
>>                     #
>>                     # For updated Windows 2000/XP clients,
>>                     # to support old clients as well, use leftprotoport=17/%any
>>                     leftprotoport=17/1701
>>                     #
>>                     # The remote user.
>>                     #
>>                     right=%any
>>                     # Using the magic port of "%any" means "any one single port". This is
>>                     # a work around required for Apple OSX clients that use a randomly
>>                     # high port.
>>                     rightprotoport=17/%any
>>
>>
>>             Thank you in advance!
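Added example, not libreswan code and not part of the thread: a small Python linter that parses conn sections laid out like the posted l2tp-psk.conf, merges also= references the way libreswan layers L2TP-PSK-NAT over L2TP-PSK-noNAT, and flags a vhost:%priv connection that lacks the overlapip=yes and mark= settings Paul suggests. It assumes libreswan's documented meaning of those two keys (mark=-1/0xffffffff picks a random per-instance mark); the sample config is constructed from the one in the thread.

```python
import re

# Constructed sample modelled on the l2tp-psk.conf posted in the thread.
SAMPLE_CONF = """
conn L2TP-PSK-NAT
        rightsubnet=vhost:%priv
        also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
        # Use a Preshared Key. Disable Perfect Forward Secrecy.
        authby=secret
        type=transport
"""
FIXED_CONF = SAMPLE_CONF.replace(  # same conf with Paul's two settings added
    "also=", "overlapip=yes\n        mark=-1/0xffffffff\n        also=")

def parse_conns(text):
    """Return {conn_name: {key: value}} with also= sections merged in."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        m = re.match(r"(conn|config)\s+(\S+)$", line)
        if m:   # new section; settings under "config setup" are ignored
            current = conns.setdefault(m.group(2), {}) if m.group(1) == "conn" else None
            continue
        if current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            current.setdefault(key, value)        # first setting wins
    # Resolve also=: the referenced conn only fills in keys not set locally.
    for name, settings in conns.items():
        seen = {name}
        while "also" in settings and settings["also"] not in seen:
            other = settings.pop("also")
            seen.add(other)
            for key, value in conns.get(other, {}).items():
                settings.setdefault(key, value)
        settings.pop("also", None)
    return conns

def find_overlap_risks(conns):
    """Vhost conns missing overlapip=yes or mark= (netkey needs both to overlap)."""
    risks = []
    for name, s in conns.items():
        if s.get("rightsubnet", "").startswith("vhost:"):
            missing = [k for k, ok in (("overlapip", s.get("overlapip") == "yes"),
                                      ("mark", "mark" in s)) if not ok]
            if missing:
                risks.append((name, missing))
    return risks
```

Run against SAMPLE_CONF it reports L2TP-PSK-NAT as missing both settings; against FIXED_CONF it reports nothing.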