[Swan] not able to establish tunnel with multiple subnets and IKEv2
Paul Wouters
paul at nohats.ca
Wed Jun 5 13:01:54 UTC 2019
On Wed, 5 Jun 2019, optimas primat wrote:
> I am trying to create site-to-site IPsec VPN with two subnets on each
> site using libreswan on linux gateways.
> conn siteA_ipsec
> left=172.16.99.11
> leftsourceip=172.16.99.11
> right=%any
> leftsubnets={172.16.55.0/24,172.16.56.0/24}
> rightsubnets={172.16.66.0/24,172.16.67.0/24}
> auto=add
> conn siteB_ipsec
> left=172.16.88.88
> leftsourceip=172.16.88.88
> right=172.16.99.11
> leftsubnets={172.16.66.0/24,172.16.67.0/24}
> rightsubnets={172.16.55.0/24,172.16.56.0/24}
> auto=start
You should not use leftsourceip= when using multiple leftsubnets
> I get TS_UNACCEPTABLE error in pluto logs and tunnel gets established
> for only one subnet pair. When I change right=%any to
> right=172.16.88.88 in Site A's config, tunnel gets established
> successfully for all subnet pairs. As per requirement, I don't want to
> specify Site B's IP address at Site A, as it will be dynamic. Hence I
> used right=%any initially. But the same config works with IKEv1.
Can you try without the sourceip= lines? If you still see an issue can
you then show some logs about what/why it is failing?
Paul
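Added example for readers of this thread (not from the thread itself and not libreswan's own tooling): a small lint that parses ipsec.conf-style conn blocks as posted above, flags the leftsourceip=/rightsourceip= lines that Paul advises against when leftsubnets=/rightsubnets= are used, and lists the per-pair tunnels an admin should expect to see in pluto's status output. The sample conn is constructed from the shape of the site A config; the one-tunnel-per-left-x-right-pair expansion is an assumption about how the subnets lists are instantiated.

```python
"""Lint for libreswan-style ipsec.conf conn blocks (added example)."""
import ipaddress
import re
from itertools import product

# Constructed sample, modelled on the site A config quoted in the thread.
SAMPLE_CONF = """\
conn siteA_ipsec
    left=172.16.99.11
    leftsourceip=172.16.99.11
    right=%any
    leftsubnets={172.16.55.0/24,172.16.56.0/24}
    rightsubnets={172.16.66.0/24,172.16.67.0/24}
    auto=add
"""


def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text.

    Indentation is optional (mail clients strip it), '#' starts a comment,
    and lines outside a 'conn' block (e.g. 'config setup') are ignored.
    """
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    return conns


def subnet_list(value):
    """Parse '{a,b}' (subnets=) or 'a' (subnet=) into validated networks."""
    inner = value.strip("{}")
    return [ipaddress.ip_network(s.strip(), strict=True)
            for s in inner.split(",") if s.strip()]


def expected_tunnels(conn):
    """All left x right subnet pairs; assumption: each pair becomes one tunnel."""
    lefts = subnet_list(conn.get("leftsubnets") or conn.get("leftsubnet", ""))
    rights = subnet_list(conn.get("rightsubnets") or conn.get("rightsubnet", ""))
    return [(str(l), str(r)) for l, r in product(lefts, rights)]


def lint_conn(name, conn):
    """Return a list of findings for one conn block."""
    findings = []
    for side in ("left", "right"):
        # The combination the reply above says not to use.
        if f"{side}sourceip" in conn and f"{side}subnets" in conn:
            findings.append(
                f"{name}: {side}sourceip= set together with {side}subnets=; "
                f"drop the sourceip line")
    pairs = expected_tunnels(conn)
    if len(pairs) > 1:
        findings.append(
            f"{name}: expect {len(pairs)} tunnels, one per subnet pair: "
            + ", ".join(f"{l}<->{r}" for l, r in pairs))
    return findings


if __name__ == "__main__":
    for conn_name, conn in parse_conns(SAMPLE_CONF).items():
        for finding in lint_conn(conn_name, conn):
            print(finding)
```

Running it against the sample prints the sourceip finding and the four expected subnet pairs; comparing that list with what pluto actually brings up narrows down which pair is hitting TS_UNACCEPTABLE before digging into the logs.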