[Swan] Setup multiple IPSec tunnels to remote site with same protected networks

Paul Wouters paul at nohats.ca
Thu Jul 15 15:28:14 UTC 2021


Add overlapip=yes to both connections and see if that is enough?

Sent using a virtual keyboard on a phone

> On Jul 15, 2021, at 10:55, Wei Huang <wei.hu.huang at oracle.com> wrote:
> 
> 
> I tried to set up 2 IPSec tunnels to a remote site with the same protected networks. Only one tunnel can be fully set up. The other one got the following error message:
> Jul 13 21:58:48.166338: "MPLS_Group_2" #26: cannot route -- route already in use for "MPLS_Group_1"
> Jul 13 21:58:48.166352: "MPLS_Group_2" #26: encountered fatal error in state STATE_PARENT_I2
> 
> Is this use case supported in libreswan? If yes, what do I need to do? I am using Libreswan 3.32.
> 
> My side's config:
> conn MPLS_Group_1
>         left=10.0.0.6
>         leftsubnet=10.0.0.0/16
> 
>         right=10.104.0.100
>         rightsubnet=10.104.0.0/16
> 
>         authby=secret
>         nat-keepalive=yes
>         auto=start
>         rekey=yes
>         ikev2=yes
>         ike=aes128-sha2;dh5
>         ikelifetime=3600
>         dpdtimeout=300
>         dpddelay=15
>         phase2=esp
>         phase2alg=aes_gcm256-null
>         pfs=no
>         salifetime=86400
> 
> conn MPLS_Group_2
>         left=10.0.0.6
>         leftsubnet=10.0.0.0/16
> 
>         right=10.104.0.101
>         rightsubnet=10.104.0.0/16
> 
>         authby=secret
>         nat-keepalive=yes
>         auto=start
>         rekey=yes
>         ikev2=yes
>         ike=aes128-sha2;dh5
>         ikelifetime=3600
>         dpdtimeout=300
>         dpddelay=15
>         phase2=esp
>         phase2alg=aes_gcm256-null
>         pfs=no
>         salifetime=86400
> 
> 
> Remote site is 2 VMs, each has StrongSwan running. 
> Config on VM1:
> conn talari
>         left=10.104.0.101
>         leftid=10.104.0.101
>         leftsubnet=10.104.1.0/16
>         leftauth=psk
> 
>         right=10.0.0.6
>         rightid=10.0.0.6
>         rightsubnet=10.0.0.0/16
>         rightauth=psk
>         auto=start
>         ike=aes128-sha1-modp1536
>         esp=aes256gcm16
> 
> Config on VM2:
> conn talari
>         left=10.104.0.100
>         leftid=10.104.0.100
>         leftsubnet=10.104.1.0/16
>         leftauth=psk
> 
>         right=10.0.0.6
>         rightid=10.0.0.6
>         rightsubnet=10.0.0.0/16
>         rightauth=psk
>         auto=start
>         ike=aes128-sha1-modp1536
>         esp=aes256gcm16
> 
> 
> Thanks,
> Wei
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
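
The situation in this thread, as an added example that is not part of either post and not libreswan code: a small pre-flight check that lists `conn` sections sharing the same `rightsubnet` and reports whether both carry the `overlapip=yes` setting suggested in the reply. The parser is a simplification (assumptions: `right` is the remote side, no `also=`, `include` or `%default` handling), and the function names are hypothetical.

```python
import ipaddress
from itertools import combinations

# Constructed sample: the two libreswan conns from the thread, trimmed to the
# routing-relevant options. Assumption: `right` is the remote side.
SAMPLE_CONF = """\
conn MPLS_Group_1
        left=10.0.0.6
        leftsubnet=10.0.0.0/16
        right=10.104.0.100
        rightsubnet=10.104.0.0/16

conn MPLS_Group_2
        left=10.0.0.6
        leftsubnet=10.0.0.0/16
        right=10.104.0.101
        rightsubnet=10.104.0.0/16
"""

def parse_conns(text):
    """Map conn name -> options. Simplified: no also=, include or %default handling."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("conn "):
            current = conns.setdefault(line.split(None, 1)[1], {})
        elif line.startswith("config "):
            current = None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def shared_remote_subnets(conns):
    """Return (conn_a, conn_b, both_have_overlapip) for conns with the same rightsubnet."""
    findings = []
    for (a, ca), (b, cb) in combinations(conns.items(), 2):
        if "rightsubnet" not in ca or "rightsubnet" not in cb:
            continue
        # strict=False accepts values with host bits set, e.g. 10.104.1.0/16
        net_a = ipaddress.ip_network(ca["rightsubnet"], strict=False)
        net_b = ipaddress.ip_network(cb["rightsubnet"], strict=False)
        if net_a == net_b:
            both = all(c.get("overlapip") == "yes" for c in (ca, cb))
            findings.append((a, b, both))
    return findings

if __name__ == "__main__":
    for a, b, ok in shared_remote_subnets(parse_conns(SAMPLE_CONF)):
        print(f"{a} / {b}: same rightsubnet, overlapip=yes on both: {ok}")
```

A pair reported with `False` is a candidate for the "cannot route -- route already in use" error quoted above; whether `overlapip=yes` alone resolves it is left open in the reply.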