[Swan] Libreswan configurguration with alsoflip is not working as expected
Rene Neumann
rene.neumann at zpesystems.com
Thu Apr 25 08:42:39 UTC 2019
Hello,
I’m currently trying to get libreswan to work with multiple conn sections which I reference with also and alsoflip.
The current layout is:
Connection file - References a ike template file with also
Gateway file left – References a conn which has all the details for the left site using “also”
Gateway file right – References a conn which has all the details for the right site using “alsoflip”
The gateway file use for all their settings the left options.
When I load the connection, it gets loaded but it does not detect the right-hand values, instead it put the right-hand values to %any%. When I manually change the values in the right gateway to “right” and include it with also then it works as expected, but this way I have to keep track where which gateway is used on which site. I thought alsoflip would take care of this. I’m I doing something wrong?
Below are some examples
Connection:
conn test
auto=add
authby=secret
also=nodegrid
also=DC2
alsoflip=DC1
Gateways
conn DC2
leftid=@DC2
left=192.168.10.73
leftsourceip=192.168.160.10
leftsubnet=192.168.160.10/24
conn DC1
leftid=@DC1
left=192.168.1.1
leftsourceip=192.168.2.1
leftsubnet=192.168.2.1/24
ipsec status after the connection was added
000 "test": 192.168.160.0/24===192.168.10.73<192.168.10.73>[@DC2]...%any; unrouted; eroute owner: #0
000 "test": oriented; my_ip=192.168.160.10; their_ip=unset
000 "test": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "test": our auth:secret, their auth:secret
000 "test": modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset, cat:unset;
000 "test": labeled_ipsec:no;
000 "test": policy_label:unset;
000 "test": ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "test": retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "test": sha2-truncbug:no; initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "test": policy: PSK+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "test": conn_prio: 24,0; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "test": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no;
000 "test": newest ISAKMP SA: #0; newest IPsec SA: #0;
Thank you for your help
Rene
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20190425/4d791a5e/attachment.html>
More information about the Swan
mailing list