[Swan] [External] : Re: Setup multiple IPSec tunnels to remote site with same protected networks

Wei Huang wei.hu.huang at oracle.com
Thu Jul 15 17:51:03 UTC 2021


Thanks Paul, this works.

Wei
________________________________
From: Paul Wouters <paul at nohats.ca>
Sent: Thursday, July 15, 2021 11:28 AM
To: Wei Huang <wei.hu.huang at oracle.com>
Cc: Swan at lists.libreswan.org <Swan at lists.libreswan.org>
Subject: [External] : Re: [Swan] Setup multiple IPSec tunnels to remote site with same protected networks

Add overlapip=yes to both connections and see if that is enough ?

Sent using a virtual keyboard on a phone

On Jul 15, 2021, at 10:55, Wei Huang <wei.hu.huang at oracle.com> wrote:


I tried to set up 2 IPSec tunnels to a remote site with the same protected networks. Only one tunnel can be fully set up. The other one got the following error message:
Jul 13 21:58:48.166338: "MPLS_Group_2" #26: cannot route -- route already in use for "MPLS_Group_1"
Jul 13 21:58:48.166352: "MPLS_Group_2" #26: encountered fatal error in state STATE_PARENT_I2

Is this use case supported in libreswan? If yes, what do I need to do? I am using Libreswan 3.32.

My side's config:
conn MPLS_Group_1
left=10.0.0.6
leftsubnet=10.0.0.0/16

right=10.104.0.100
rightsubnet=10.104.0.0/16

authby=secret
nat-keepalive=yes
auto=start
rekey=yes
ikev2=yes
ike=aes128-sha2;dh5
ikelifetime=3600
dpdtimeout=300
dpddelay=15
phase2=esp
phase2alg=aes_gcm256-null
pfs=no
salifetime=86400

conn MPLS_Group_2
left=10.0.0.6
leftsubnet=10.0.0.0/16

right=10.104.0.101
rightsubnet=10.104.0.0/16

authby=secret
nat-keepalive=yes
auto=start
rekey=yes
ikev2=yes
ike=aes128-sha2;dh5
ikelifetime=3600
dpdtimeout=300
dpddelay=15
phase2=esp
phase2alg=aes_gcm256-null
pfs=no
salifetime=86400


Remote site is 2 VMs, each has StrongSwan running.
Config on VM1:
conn talari
        left=10.104.0.101
        leftid=10.104.0.101
        leftsubnet=10.104.1.0/16
        leftauth=psk

        right=10.0.0.6
        rightid=10.0.0.6
        rightsubnet=10.0.0.0/16
        rightauth=psk
        auto=start
        ike=aes128-sha1-modp1536
        esp=aes256gcm16

Config on VM2:
conn talari
        left=10.104.0.100
        leftid=10.104.0.100
        leftsubnet=10.104.1.0/16
        leftauth=psk

        right=10.0.0.6
        rightid=10.0.0.6
        rightsubnet=10.0.0.0/16
        rightauth=psk
        auto=start
        ike=aes128-sha1-modp1536
        esp=aes256gcm16


Thanks,
Wei
_______________________________________________
Swan mailing list
Swan at lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
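Added pre-flight check, not part of the thread or of libreswan itself: it parses ipsec.conf-style `conn NAME` blocks (assumed layout: `key=value` lines, indented or not, until the next `conn`) and reports pairs of connections whose leftsubnet/rightsubnet selectors overlap on both sides without both carrying overlapip=yes, which is the situation that produced the "cannot route -- route already in use" error above. The function names and the sample config are constructed for this example; the sample mirrors the two MPLS_Group conns from the thread.

```python
import ipaddress
import re
from itertools import combinations

# Constructed sample modelled on the thread's two libreswan conns: same subnets, different peers, no overlapip=.
SAMPLE_CONF = """
conn MPLS_Group_1
    left=10.0.0.6
    leftsubnet=10.0.0.0/16
    right=10.104.0.100
    rightsubnet=10.104.0.0/16

conn MPLS_Group_2
    left=10.0.0.6
    leftsubnet=10.0.0.0/16
    right=10.104.0.101
    rightsubnet=10.104.0.0/16
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn NAME' block."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        m = re.match(r"^conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def _net(conn, side):
    # leftsubnet=/rightsubnet= if given, else the host address itself as a /32
    value = conn.get(side + "subnet") or conn.get(side)
    return ipaddress.ip_network(value, strict=False) if value else None

def route_conflicts(conns):
    """Pairs of conns whose selectors overlap on both sides without both
    carrying overlapip=yes: the 'route already in use' condition."""
    conflicts = []
    for (a, ca), (b, cb) in combinations(conns.items(), 2):
        nets = [_net(c, s) for s in ("left", "right") for c in (ca, cb)]
        if None in nets:
            continue  # a conn without addresses cannot be checked
        flagged = ca.get("overlapip") == "yes" and cb.get("overlapip") == "yes"
        if nets[0].overlaps(nets[1]) and nets[2].overlaps(nets[3]) and not flagged:
            conflicts.append((a, b))
    return conflicts
```

Running `route_conflicts(parse_conns(open("/etc/ipsec.conf").read()))` before `ipsec restart` lists the conn pairs that still need overlapip=yes on both sides.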