[Swan] Version 3.30 XFRM implementation

Paul Overton Paul at trustedcyber.co.uk
Thu Feb 20 09:08:27 UTC 2020

I have a number of actual tunnels, all routed point to point, when using just one shared XFRM interface (ipsec1) all work as predicted. My tunnels are a mixture of ipv4 and ipv6. So in terms of emulating the old KLIPS it works just fine. 

So I tried to add more interfaces, ipsec2, ipsec3 etc. I noticed that only the first two of my configurations created an interface; the others negotiated IKE correctly (in the logs), and indeed using ipsec auto --up <tunnel name> also suggested that the tunnels were being created, but there was no ipsecX interface after the first two, and no traffic either.

I will dig up some logs later today and send them on. 

Thanks in advance. 


-----Original Message-----
From: Antony Antony [mailto:antony at phenome.org] 
Sent: 20 February 2020 08:37
To: Paul Overton <Paul at trustedcyber.co.uk>
Cc: Paul Wouters <paul at nohats.ca>; Swan at lists.libreswan.org
Subject: Re: [Swan] Version 3.30 XFRM implementation

On Wed, Feb 19, 2020 at 11:10:49AM +0000, Paul Overton wrote:
> Thanks Paul,
> Some progress, it seems that the iface-ip= directive is causing the 
> failure to start. If I don't include this directive, and only use ipsec-interface=yes, an interface ipsec1 is created and the tunnels are created, but the interface does not have a local IP address. I can add this afterwards though.
> This is the error I get when including the iface-ip= statement:
> cannot load config '/etc/ipsec.conf': 
> /etc/ipsec.d/connections.conf:26: syntax error, unexpected STRING [iface-ip]

I hope to work on left|rightinterface-ip= soon.

> I have tried adding a number of ipsec interfaces; it would appear that 2 per external interface is the limit.

Can you share details of what happens when there are more than two tunnels?
Configuration or debug logs would help us understand what is going on.

A simple case of multiple tunnels, a test case with 4 tunnels through the same external interface, seems to work.

If you have a /32-to-/32 tunnel without NAT, the responder with ipsec-interface may not work yet. I just noticed an issue yesterday and I am still investigating how to make it work. It seems the responder sets up the interface and sends the IKE auth response through the tunnel, so the initiator never establishes the tunnel.
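A check a practitioner can run when tunnels negotiate but no ipsecN device appears, added here as an example that is not from this thread or from libreswan: it joins the if_id values of the XFRM interfaces that exist with the if_id values the kernel's XFRM policies reference and reports policies whose if_id has no interface. The two sample outputs are constructed and abridged; the field layout assumes iproute2's text output for `ip -d link show type xfrm` and `ip xfrm policy`.

```shell
#!/bin/sh
# Constructed, abridged sample of `ip -d link show type xfrm`: only ipsec1 and ipsec2 exist.
XFRM_LINKS='5: ipsec1@NONE: <NOARP,UP,LOWER_UP> mtu 1428 qdisc noqueue state UNKNOWN mode DEFAULT
    link/none  promiscuity 0 minmtu 68 maxmtu 1500
    xfrm if_id 0x1 addrgenmode eui64 numtxqueues 1 numrxqueues 1
6: ipsec2@NONE: <NOARP,UP,LOWER_UP> mtu 1428 qdisc noqueue state UNKNOWN mode DEFAULT
    link/none  promiscuity 0 minmtu 68 maxmtu 1500
    xfrm if_id 0x2 addrgenmode eui64 numtxqueues 1 numrxqueues 1'

# Constructed, abridged sample of `ip xfrm policy`: three tunnels, the third bound to if_id 0x3.
XFRM_POLICIES='src 10.1.0.0/24 dst 10.2.0.0/24
    dir out priority 1757377
    if_id 0x1
    tmpl src 192.0.2.1 dst 192.0.2.2
        proto esp reqid 16389 mode tunnel
src 10.1.0.0/24 dst 10.3.0.0/24
    dir out priority 1757377
    if_id 0x2
    tmpl src 192.0.2.1 dst 192.0.2.3
        proto esp reqid 16393 mode tunnel
src 10.1.0.0/24 dst 10.4.0.0/24
    dir out priority 1757377
    if_id 0x3
    tmpl src 192.0.2.1 dst 192.0.2.4
        proto esp reqid 16397 mode tunnel'

# Print "<ifname> <if_id>" for every XFRM interface in `ip -d link show type xfrm` output ($1).
list_xfrm_ifaces() {
    printf '%s\n' "$1" | awk '
        /^[0-9]+: / { name = $2; sub(/@.*/, "", name) }
        /xfrm if_id/ { for (i = 1; i < NF; i++) if ($i == "if_id") print name, $(i + 1) }'
}

# Print each distinct if_id referenced by a policy in `ip xfrm policy` output ($1).
policy_ifids() {
    printf '%s\n' "$1" | awk '$1 == "if_id" { print $2 }' | sort -u
}

# Print if_ids that policies reference but no XFRM interface carries. A policy with an
# if_id only matches traffic passing an XFRM interface with that id, so without the
# device the tunnel is installed in the kernel yet carries no traffic.
orphan_policy_ifids() {
    known=$(list_xfrm_ifaces "$1" | awk '{ print $2 }')
    policy_ifids "$2" | while read -r id; do
        printf '%s\n' "$known" | grep -qx -- "$id" || printf '%s\n' "$id"
    done
}

# On the constructed sample this reports "0x3".
orphan_policy_ifids "$XFRM_LINKS" "$XFRM_POLICIES"
```

On a live host, substitute the real command outputs for the two constructed variables and compare the reported if_ids against the conns that negotiated but show no ipsecN device.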
