[Swan] [External] : Re: Setup multiple IPSec tunnels to remote site with same protected networks
Wei Huang
wei.hu.huang at oracle.com
Thu Jul 15 17:51:03 UTC 2021
Thanks Paul, this works.
Wei
________________________________
From: Paul Wouters <paul at nohats.ca>
Sent: Thursday, July 15, 2021 11:28 AM
To: Wei Huang <wei.hu.huang at oracle.com>
Cc: Swan at lists.libreswan.org <Swan at lists.libreswan.org>
Subject: [External] : Re: [Swan] Setup multiple IPSec tunnels to remote site with same protected networks
Add overlapip=yes to both connections and see if that is enough?
Sent using a virtual keyboard on a phone
On Jul 15, 2021, at 10:55, Wei Huang <wei.hu.huang at oracle.com> wrote:
I tried to set up 2 IPSec tunnels to a remote site with the same protected networks. Only one tunnel can be fully set up. The other one got the following error message:
Jul 13 21:58:48.166338: "MPLS_Group_2" #26: cannot route -- route already in use for "MPLS_Group_1"
Jul 13 21:58:48.166352: "MPLS_Group_2" #26: encountered fatal error in state STATE_PARENT_I2
Is this use case supported in libreswan? If yes, what do I need to do? I am using Libreswan 3.32.
My side's config:
conn MPLS_Group_1
    left=10.0.0.6
    leftsubnet=10.0.0.0/16
    right=10.104.0.100
    rightsubnet=10.104.0.0/16
    authby=secret
    nat-keepalive=yes
    auto=start
    rekey=yes
    ikev2=yes
    ike=aes128-sha2;dh5
    ikelifetime=3600
    dpdtimeout=300
    dpddelay=15
    phase2=esp
    phase2alg=aes_gcm256-null
    pfs=no
    salifetime=86400

conn MPLS_Group_2
    left=10.0.0.6
    leftsubnet=10.0.0.0/16
    right=10.104.0.101
    rightsubnet=10.104.0.0/16
    authby=secret
    nat-keepalive=yes
    auto=start
    rekey=yes
    ikev2=yes
    ike=aes128-sha2;dh5
    ikelifetime=3600
    dpdtimeout=300
    dpddelay=15
    phase2=esp
    phase2alg=aes_gcm256-null
    pfs=no
    salifetime=86400
Remote site is 2 VMs, each has StrongSwan running.
Config on VM1:
conn talari
    left=10.104.0.101
    leftid=10.104.0.101
    leftsubnet=10.104.1.0/16
    leftauth=psk
    right=10.0.0.6
    rightid=10.0.0.6
    rightsubnet=10.0.0.0/16
    rightauth=psk
    auto=start
    ike=aes128-sha1-modp1536
    esp=aes256gcm16
Config on VM2:
conn talari
    left=10.104.0.100
    leftid=10.104.0.100
    leftsubnet=10.104.1.0/16
    leftauth=psk
    right=10.0.0.6
    rightid=10.0.0.6
    rightsubnet=10.0.0.0/16
    rightauth=psk
    auto=start
    ike=aes128-sha1-modp1536
    esp=aes256gcm16
Thanks,
Wei
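
Added example, not part of the thread and not libreswan code: a small Python check that finds conn pairs in ipsec.conf-style text that protect the same leftsubnet/rightsubnet pair without overlapip=yes on both, which is the situation behind the "route already in use" error above and the setting that resolved it here. The sample text and function names are constructed for illustration, and %default or also= inheritance is not resolved.

```python
import ipaddress
from collections import defaultdict
from itertools import combinations
# Constructed sample: the two conns from the thread, trimmed to the relevant keys.
SAMPLE_CONF = """\
conn MPLS_Group_1
    leftsubnet=10.0.0.0/16
    right=10.104.0.100
    rightsubnet=10.104.0.0/16
conn MPLS_Group_2
    leftsubnet=10.0.0.0/16
    right=10.104.0.101
    rightsubnet=10.104.0.0/16
"""

def parse_conns(text):
    """Parse ipsec.conf-style text into {conn_name: {key: value}}."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            parts = line.split()
            is_conn = parts[0] == "conn" and len(parts) == 2
            current = conns.setdefault(parts[1], {}) if is_conn else None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def _net(value):
    # Normalise CIDR text so 10.104.1.0/16 and 10.104.0.0/16 compare equal.
    try:
        return str(ipaddress.ip_network(value, strict=False))
    except ValueError:
        return value

def route_conflicts(text):
    """Conn pairs with the same subnets where overlapip=yes is not set on both."""
    groups = defaultdict(list)
    for name, opts in parse_conns(text).items():
        if "leftsubnet" in opts and "rightsubnet" in opts:
            groups[(_net(opts["leftsubnet"]), _net(opts["rightsubnet"]))].append((name, opts))
    return sorted(
        tuple(sorted((a, b)))
        for members in groups.values()
        for (a, oa), (b, ob) in combinations(members, 2)
        if not (oa.get("overlapip") == ob.get("overlapip") == "yes"))
```

Calling route_conflicts(SAMPLE_CONF) reports the MPLS_Group_1 / MPLS_Group_2 pair; the pair is no longer reported once overlapip=yes appears in both conn sections.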