[Swan] Setup multiple IPSec tunnels to remote site with same protected networks

Wei Huang wei.hu.huang at oracle.com
Thu Jul 15 13:29:48 UTC 2021


I tried to set up 2 IPSec tunnels to a remote site with the same protected networks. Only one tunnel can be fully set up. The other one got the following error message:
Jul 13 21:58:48.166338: "MPLS_Group_2" #26: cannot route -- route already in use for "MPLS_Group_1"
Jul 13 21:58:48.166352: "MPLS_Group_2" #26: encountered fatal error in state STATE_PARENT_I2

Is this use case supported in libreswan? If yes, what do I need to do? I am using Libreswan 3.32.

My side's config:
conn MPLS_Group_1
        left=10.0.0.6
        leftsubnet=10.0.0.0/16

        right=10.104.0.100
        rightsubnet=10.104.0.0/16

        authby=secret
        nat-keepalive=yes
        auto=start
        rekey=yes
        ikev2=yes
        ike=aes128-sha2;dh5
        ikelifetime=3600
        dpdtimeout=300
        dpddelay=15
        phase2=esp
        phase2alg=aes_gcm256-null
        pfs=no
        salifetime=86400

conn MPLS_Group_2
        left=10.0.0.6
        leftsubnet=10.0.0.0/16

        right=10.104.0.101
        rightsubnet=10.104.0.0/16

        authby=secret
        nat-keepalive=yes
        auto=start
        rekey=yes
        ikev2=yes
        ike=aes128-sha2;dh5
        ikelifetime=3600
        dpdtimeout=300
        dpddelay=15
        phase2=esp
        phase2alg=aes_gcm256-null
        pfs=no
        salifetime=86400


Remote site is 2 VMs, each has StrongSwan running.
Config on VM1:
conn talari
        left=10.104.0.101
        leftid=10.104.0.101
        leftsubnet=10.104.1.0/16
        leftauth=psk

        right=10.0.0.6
        rightid=10.0.0.6
        rightsubnet=10.0.0.0/16
        rightauth=psk
        auto=start
        ike=aes128-sha1-modp1536
        esp=aes256gcm16

Config on VM2:
conn talari
        left=10.104.0.100
        leftid=10.104.0.100
        leftsubnet=10.104.1.0/16
        leftauth=psk

        right=10.0.0.6
        rightid=10.0.0.6
        rightsubnet=10.0.0.0/16
        rightauth=psk
        auto=start
        ike=aes128-sha1-modp1536
        esp=aes256gcm16


Thanks,
Wei
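
Added example, not part of the original post and not libreswan code: a pre-flight check that parses ipsec.conf-style text and reports conns that claim the same leftsubnet/rightsubnet pair toward different right= peers, the situation behind the "cannot route -- route already in use" message quoted above. The function names are hypothetical, and treating an identical normalised subnet pair as the colliding condition is an assumption drawn from the two conns in the post.

```python
import ipaddress
from collections import defaultdict
# Constructed sample: the two conns from the post, cut down to the routing keys.
SAMPLE_CONF = """\
conn MPLS_Group_1
leftsubnet=10.0.0.0/16
right=10.104.0.100
rightsubnet=10.104.0.0/16
conn MPLS_Group_2
leftsubnet=10.0.0.0/16
right=10.104.0.101
rightsubnet=10.104.0.0/16
"""

def parse_conns(text):
    """Return {conn name: {key: value}}; tolerates lost indentation and blank lines."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("config "):
            current = None                      # not a conn section
        elif line.startswith("conn "):
            current = conns.setdefault(line.split(None, 1)[1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def selector(conn):
    """Normalised (leftsubnet, rightsubnet) pair, or None if missing or not a CIDR."""
    try:
        return tuple(str(ipaddress.ip_network(conn[k], strict=False))
                     for k in ("leftsubnet", "rightsubnet"))
    except (KeyError, ValueError):
        return None

def find_route_collisions(text):
    """Map each selector pair claimed by conns with different right= peers to those conns."""
    groups = defaultdict(list)
    for name, conn in parse_conns(text).items():
        sel = selector(conn)
        if sel is not None:
            groups[sel].append((name, conn.get("right")))
    return {sel: members for sel, members in groups.items()
            if len({peer for _, peer in members}) > 1}

if __name__ == "__main__":
    for (left_net, right_net), members in find_route_collisions(SAMPLE_CONF).items():
        print(f"{left_net} <-> {right_net} is claimed by {members}")
```

Subnets are normalised with strict=False, so a value written with host bits set, such as 10.104.1.0/16, is compared as 10.104.0.0/16.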