[Swan] IKEv2 with multiple conn entries

Paul Wouters paul at nohats.ca
Tue May 22 16:40:20 UTC 2018


On Tue, 15 May 2018, Bobby Jones wrote:

> I have been beating my head against this for a while, and I'm hoping that someone can point me in the right direction.
> 
> I have a number of IPSec tunnels established, mostly from libreswan to Cisco ASAs. Most are IKE v1, and in that case if I
> want to reach multiple hosts on the remote side I can have a formulation like this in my .conf file:
> 
> conn test1
>     rightsubnet=192.168.1.111/255.255.255.255
>     rightsourceip=192.168.1.111
>     also=test_common
>     auto=start
> 
> conn test2
>     rightsubnet=192.168.1.112/255.255.255.255
>     rightsourceip=192.168.1.112
>     also=test_common
>     auto=start
> 
> However, if I use this syntax with IKEv2, I can start test1 and reach 192.168.1.111, but test2 will then not complete.

That should work. Can you provide more logs to see what is happening?

> This formulation gets me up to the point where I see "STATE_PARENT_I2: sent v2I2, expected v2R2" but then all I get is
> "STATE_PARENT_I2: retransmission".

Odd, you should always receive an answer to I2. Especially since you got
an answer to I1, so it shows no firewall is in the way.

Paul
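A small log triage script for the symptom discussed above, added here as an example and not part of the thread or of libreswan: it scans pluto-style log lines (format approximated; the sample lines are constructed, the two STATE_PARENT_I2 messages are the ones quoted in the thread) and flags conns that got past I1 but never received an answer to I2.

```python
import re
from collections import defaultdict

# Constructed sample of pluto log lines (format approximated from libreswan 3.x).
SAMPLE_LOG = """\
"test1" #1: STATE_PARENT_I1: sent v2I1, expected v2R1
"test1" #1: STATE_PARENT_I2: sent v2I2, expected v2R2
"test1" #2: STATE_V2_IPSEC_I: IPsec SA established tunnel mode
"test2" #3: STATE_PARENT_I1: sent v2I1, expected v2R1
"test2" #3: STATE_PARENT_I2: sent v2I2, expected v2R2
"test2" #3: STATE_PARENT_I2: retransmission; will wait 0.5 seconds for response
"test2" #3: STATE_PARENT_I2: retransmission; will wait 1 seconds for response
"test2" #3: STATE_PARENT_I2: retransmission; will wait 2 seconds for response
"""

LINE_RE = re.compile(r'"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)')
STATE_RE = re.compile(r"(STATE_\w+):")

def summarize(log_text):
    """Per conn: last state seen, number of retransmissions, whether an SA came up."""
    summary = defaultdict(lambda: {"last_state": None, "retransmissions": 0, "established": False})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        entry, msg = summary[m.group("conn")], m.group("msg")
        state = STATE_RE.match(msg)
        if state:
            entry["last_state"] = state.group(1)
        if "retransmission" in msg:
            entry["retransmissions"] += 1
        if "established" in msg:
            entry["established"] = True
    return dict(summary)

def stuck_at_i2(summary, min_retransmits=2):
    """Conns whose IKE_SA_INIT (I1) was answered but whose IKE_AUTH (I2) never was."""
    return sorted(conn for conn, e in summary.items()
                  if not e["established"]
                  and e["last_state"] == "STATE_PARENT_I2"
                  and e["retransmissions"] >= min_retransmits)

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for conn in stuck_at_i2(s):
        print(f"{conn}: I2 unanswered after {s[conn]['retransmissions']} retransmissions")
```

One caveat when reading such output: an answered I1 shows the path used for IKE_SA_INIT is open, but if NAT is detected IKEv2 moves later exchanges to UDP 4500, so a filter that passes only UDP 500 produces exactly this pattern.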

