[Swan] Setup multiple IPSec tunnels to remote site with same protected networks
Paul Wouters
paul at nohats.ca
Thu Jul 15 15:28:14 UTC 2021
Add overlapip=yes to both connections and see if that is enough?
Sent using a virtual keyboard on a phone
> On Jul 15, 2021, at 10:55, Wei Huang <wei.hu.huang at oracle.com> wrote:
>
>
> I tried to set up 2 IPSec tunnels to a remote site with the same protected networks. Only one tunnel can be fully set up. The other one got the following error message:
> Jul 13 21:58:48.166338: "MPLS_Group_2" #26: cannot route -- route already in use for "MPLS_Group_1"
> Jul 13 21:58:48.166352: "MPLS_Group_2" #26: encountered fatal error in state STATE_PARENT_I2
>
> Is this use case supported in libreswan? If yes, what do I need to do? I am using Libreswan 3.32.
>
> My side's config:
> conn MPLS_Group_1
> left=10.0.0.6
> leftsubnet=10.0.0.0/16
>
> right=10.104.0.100
> rightsubnet=10.104.0.0/16
>
> authby=secret
> nat-keepalive=yes
> auto=start
> rekey=yes
> ikev2=yes
> ike=aes128-sha2;dh5
> ikelifetime=3600
> dpdtimeout=300
> dpddelay=15
> phase2=esp
> phase2alg=aes_gcm256-null
> pfs=no
> salifetime=86400
>
> conn MPLS_Group_2
> left=10.0.0.6
> leftsubnet=10.0.0.0/16
>
> right=10.104.0.101
> rightsubnet=10.104.0.0/16
>
> authby=secret
> nat-keepalive=yes
> auto=start
> rekey=yes
> ikev2=yes
> ike=aes128-sha2;dh5
> ikelifetime=3600
> dpdtimeout=300
> dpddelay=15
> phase2=esp
> phase2alg=aes_gcm256-null
> pfs=no
> salifetime=86400
>
>
> Remote site is 2 VMs, each has StrongSwan running.
> Config on VM1:
> conn talari
> left=10.104.0.101
> leftid=10.104.0.101
> leftsubnet=10.104.1.0/16
> leftauth=psk
>
> right=10.0.0.6
> rightid=10.0.0.6
> rightsubnet=10.0.0.0/16
> rightauth=psk
> auto=start
> ike=aes128-sha1-modp1536
> esp=aes256gcm16
>
> Config on VM2:
> conn talari
> left=10.104.0.100
> leftid=10.104.0.100
> leftsubnet=10.104.1.0/16
> leftauth=psk
>
> right=10.0.0.6
> rightid=10.0.0.6
> rightsubnet=10.0.0.0/16
> rightauth=psk
> auto=start
> ike=aes128-sha1-modp1536
> esp=aes256gcm16
>
>
> Thanks,
> Wei
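A check for the situation in this thread, written as an added example (not code from the posters or from libreswan): it reads conn sections in the key=value layout shown above, groups them by leftsubnet/rightsubnet pair, and reports the conns in a shared pair that lack the overlapip=yes setting suggested in the reply. The function names and the sample text are constructed for illustration; it assumes plain CIDR subnets and does not resolve conn %default or also= inheritance.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: the two conns from the thread, reduced to the keys
# that matter here, with overlapip=yes added to only one of them.
SAMPLE = """\
conn MPLS_Group_1
    left=10.0.0.6
    leftsubnet=10.0.0.0/16
    right=10.104.0.100
    rightsubnet=10.104.0.0/16
    overlapip=yes

conn MPLS_Group_2
    left=10.0.0.6
    leftsubnet=10.0.0.0/16
    right=10.104.0.101
    rightsubnet=10.104.0.0/16
"""

def parse_conns(text):
    """Return {conn name: {key: value}} for simple 'conn NAME' sections."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = line.split()
        if words[0] == "conn" and len(words) == 2:
            current = conns.setdefault(words[1], {})
        elif words[0] == "config":
            current = None  # 'config setup' holds no conn options
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def overlapping_without_overlapip(text):
    """Map each shared (leftsubnet, rightsubnet) pair to conns lacking overlapip=yes."""
    conns = parse_conns(text)
    groups = defaultdict(list)
    for name, opts in conns.items():
        if "leftsubnet" in opts and "rightsubnet" in opts:
            # strict=False folds e.g. 10.104.1.0/16 into 10.104.0.0/16
            pair = tuple(str(ipaddress.ip_network(opts[k], strict=False))
                         for k in ("leftsubnet", "rightsubnet"))
            groups[pair].append(name)
    report = {}
    for pair, names in groups.items():
        missing = [n for n in names
                   if conns[n].get("overlapip", "no").lower() != "yes"]
        if len(names) > 1 and missing:
            report[pair] = missing
    return report
```

An empty result means every conn that shares a subnet pair carries overlapip=yes; whether that setting is sufficient for this setup is the open question in the reply above.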