[Swan] XFRMi Interface route based IPSec with right=%any

Paul Wouters paul at nohats.ca
Tue Apr 28 22:34:20 UTC 2020

On Tue, 28 Apr 2020, Rav Ya wrote:

> Question: With this configuration, my first tunnel comes up successfully but my second tunnel
> fails with “route already in use” error?

That is a bug. Can you try adding overlapip=yes to all connections?

> Given that I have two different XFRMi interfaces shouldn’t we allow route ( ->
> subnets) for individual XFRMi to run iBGP? What am I missing? Any recommendations please?

It is because the legacy KLIPS stack did not support overlapping IPsec
connections. We are about to rip out KLIPS, but got delayed by a few
releases, so it is still in the last release (although it has been
ripped out in git master).

