[Swan] XFRMi Interface route based IPSec with right=%any
paul at nohats.ca
Tue Apr 28 22:34:20 UTC 2020
On Tue, 28 Apr 2020, Rav Ya wrote:
> Question: With this configuration, my the first tunnel comes up successfully but my second tunnel
> fails with “route already in use” error?
That is a bug. Can you try adding overlapip=yes to all connections ?
> Given that I have two different XRFMi interfaces shouldn’t we allow route (0.0.0.0/0 -> 0.0.0.0/0
> subnets) for individual XFRMi to run iBGP? What am I missing? Any recommendations please?
It is because the legacy KLIPS stick did not support overlapping IPsec
connections. We are about to rip out KLIPS, but got delayed by a few
releases, so it is still in the last release (although it has been
ripped out in git master).
More information about the Swan