[Swan] Libreswan configuration with alsoflip is not working as expected

Rene Neumann rene.neumann at zpesystems.com
Thu Apr 25 08:42:39 UTC 2019


Hello,

I’m currently trying to get libreswan to work with multiple conn sections which I reference with also and alsoflip.
The current layout is:

Connection file - references an IKE template file with "also"
Gateway file left - references a conn which has all the details for the left site using "also"
Gateway file right - references a conn which has all the details for the right site using "alsoflip"

The gateway files use the left options for all their settings.
When I load the connection, it gets loaded but it does not detect the right-hand values; instead it sets the right-hand values to %any%. When I manually change the values in the right gateway to "right" and include it with "also", it works as expected, but this way I have to keep track of which gateway is used on which site. I thought alsoflip would take care of this. Am I doing something wrong?

Below are some examples.

Connection:

conn test
      auto=add
      authby=secret
      also=nodegrid
      also=DC2
      alsoflip=DC1

Gateways:
conn DC2
      leftid=@DC2
      left=192.168.10.73
      leftsourceip=192.168.160.10
      leftsubnet=192.168.160.10/24

conn DC1
      leftid=@DC1
      left=192.168.1.1
      leftsourceip=192.168.2.1
      leftsubnet=192.168.2.1/24

ipsec status after the connection was added:
000 "test": 192.168.160.0/24===192.168.10.73<192.168.10.73>[@DC2]...%any; unrouted; eroute owner: #0
000 "test":     oriented; my_ip=192.168.160.10; their_ip=unset
000 "test":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "test":   our auth:secret, their auth:secret
000 "test":   modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset, cat:unset;
000 "test":   labeled_ipsec:no;
000 "test":   policy_label:unset;
000 "test":   ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "test":   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "test":   sha2-truncbug:no; initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "test":   policy: PSK+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "test":   conn_prio: 24,0; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "test":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no;
000 "test":   newest ISAKMP SA: #0; newest IPsec SA: #0;
Thank you for your help
Rene
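Added example, not part of the original post and not libreswan's own parser: a small resolver that expands "also" and "alsoflip" the way the ipsec.conf man page describes them (alsoflip pulls a section in with its left*/right* keywords swapped), run over the conn sections quoted above, so the merged "test" conn can be compared against what "ipsec status" printed. Assumptions: a key already set in the including section is not overridden by an included one, and the "nodegrid" template is left out because it is not shown in the post.

```python
# Constructed from the post; the nodegrid template is not shown there and is omitted.
IPSEC_CONF = """
conn test
      auto=add
      authby=secret
      also=DC2
      alsoflip=DC1
conn DC2
      leftid=@DC2
      left=192.168.10.73
      leftsourceip=192.168.160.10
      leftsubnet=192.168.160.10/24
conn DC1
      leftid=@DC1
      left=192.168.1.1
      leftsourceip=192.168.2.1
      leftsubnet=192.168.2.1/24
"""


def parse_conns(text):
    """Split ipsec.conf text into {conn name: [(key, value), ...]} in file order."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = []
        elif current and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            conns[current].append((key.strip(), value.strip()))
    return conns


def flip(key):
    """alsoflip semantics per the man page: left* becomes right* and vice versa."""
    if key.startswith("left"):
        return "right" + key[4:]
    return "left" + key[5:] if key.startswith("right") else key


def resolve(conns, name, flipped=False, merged=None):
    """Expand also=/alsoflip= into a flat {key: value}. Assumption: a key already
    set in the including section is not overridden by an included one."""
    merged = {} if merged is None else merged
    for key, value in conns[name]:
        if key in ("also", "alsoflip"):
            resolve(conns, value, flipped ^ (key == "alsoflip"), merged)
        else:
            merged.setdefault(flip(key) if flipped else key, value)
    return merged
```

With this reading of alsoflip, resolve(parse_conns(IPSEC_CONF), "test") yields right=192.168.1.1 and rightid=@DC1 next to left=192.168.10.73, which is the filled-in right side the status output above is missing.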
