[Swan] Looking for backup "rightsubnet" ipsec connection solution

Dave Houser davehouser1 at gmail.com
Wed Sep 29 18:31:14 UTC 2021


libreswan will not allow identical rightsubnet settings to overlap between
ipsec configurations. Here is my current topology:

| Juniper VSRX01 | ---------| ens4(vti01) - CentOS libreswan - ens4(vti02) |--------- | Juniper VSRX02 |

Here is my current configuration:

conn to-vsrx-01
    auto=start
    authby=secret
    ike=aes256-sha2_256;dh20
    esp=aes256-sha2_256
    left=2.2.0.2
    leftid=2.2.0.2
    leftsubnet=172.21.0.0/29
    leftupdown=/opt/_updown_vti01
    right=3.3.0.2
    rightsubnet=0.0.0.0/0
    salifetime=300s

conn to-vsrx-02
    auto=start
    authby=secret
    ike=aes256-sha2_256;dh20
    esp=aes256-sha2_256
    left=2.2.0.2
    leftid=2.2.0.2
    leftsubnet=172.22.0.0/29
    leftupdown=/opt/_updown_vti02
    right=3.3.1.2
    rightsubnet=0.0.0.0/0
    salifetime=300s

If you notice, I have "rightsubnet=0.0.0.0/0" in both configs. Obviously
this will not work. I see the following when trying to turn up to-vsrx-02
after turning up to-vsrx-01. As you can see, "003 "to-vsrx-02" #1340:
cannot route -- route already in use for "to-vsrx-01"" appears for the
to-vsrx-02 connection.

# ipsec auto --up to-vsrx-01
181 "to-vsrx-01" #1337: initiating IKEv2 connection
181 "to-vsrx-01" #1337: sent IKE_SA_INIT request
182 "to-vsrx-01" #1337: sent IKE_AUTH request {cipher=AES_CBC_256
integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=DH20}
003 "to-vsrx-01" #1337: established IKE SA; authenticated using
authby=secret and peer ID_IPV4_ADDR '3.3.0.2'
002 "to-vsrx-01" #1338: up-client output:
net.ipv4.conf.vti01.disable_policy = 1
002 "to-vsrx-01" #1338: up-client output: net.ipv4.conf.vti01.rp_filter = 0
002 "to-vsrx-01" #1338: up-client output: net.ipv4.conf.vti01.forwarding = 1
004 "to-vsrx-01" #1338: established Child SA; IPsec tunnel
[172.21.0.0-172.21.0.7:0-65535 0] -> [0.0.0.0-255.255.255.255:0-65535 0]
{ESP=>0x94d8850e <0x47c32cc8 xfrm=AES_CBC_256-HMAC_SHA2_256_128 NATOA=none
NATD=none DPD=passive}

# ipsec auto --up to-vsrx-02
181 "to-vsrx-02" #1339: initiating IKEv2 connection
181 "to-vsrx-02" #1339: sent IKE_SA_INIT request
182 "to-vsrx-02" #1339: sent IKE_AUTH request {cipher=AES_CBC_256
integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=DH20}
003 "to-vsrx-02" #1339: established IKE SA; authenticated using
authby=secret and peer ID_IPV4_ADDR '3.3.1.2'
*003 "to-vsrx-02" #1340: cannot route -- route already in use for
"to-vsrx-01"*
003 "to-vsrx-02" #1340: CHILD SA encountered fatal error: INVALID_SYNTAX
036 "to-vsrx-02" #1339: encountered fatal error in state
STATE_V2_ESTABLISHED_IKE_SA
003 "to-vsrx-02" #1340: ERROR: netlink response for Del SA
esp.f15072cb at 3.3.1.2 included errno 3: No such process
002 "to-vsrx-02" #1339: deleting state (STATE_V2_ESTABLISHED_IKE_SA) aged
0.03894s and NOT sending notification
002 "to-vsrx-02" #1339: deleting IKE SA but connection is supposed to
remain up; schedule EVENT_REVIVE_CONNS

I want to use to-vsrx-02 as a backup ipsec tunnel. I thought I could set a
higher metric for 0.0.0.0/0 in my routing table (which I can) but libreswan
refuses to stand up the tunnel as to-vsrx-01 has the same entry for
rightsubnet.

What options do I have for setting up a backup ipsec tunnel in libreswan?

I read a little bit about "mobike" but it's not clear how to use it or apply
it to a configuration other than setting "mobike=yes" in my config, or if I
need to do something special on the far end SA connection. Also, the
documentation says using mobike with a VTI may be a problem.

Is there any solution out there I can use?

- Dave
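A small pre-flight check for the situation described in this post: it parses the conn sections of an ipsec.conf and reports any rightsubnet claimed by more than one conn, so the conflict shows up before `ipsec auto --up` fails with "cannot route -- route already in use". This is an added example, not code from the post or from the libreswan project; the embedded configuration is a constructed copy of the two conns above, reduced to the keys the check needs.

```python
"""Flag conn sections in a libreswan ipsec.conf that declare the same
rightsubnet. Added example, not libreswan code; SAMPLE_CONF is constructed."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample mirroring the two conns from the post.
SAMPLE_CONF = """\
conn to-vsrx-01
    auto=start
    left=2.2.0.2
    leftsubnet=172.21.0.0/29
    right=3.3.0.2
    rightsubnet=0.0.0.0/0

conn to-vsrx-02
    auto=start
    left=2.2.0.2
    leftsubnet=172.22.0.0/29
    right=3.3.1.2
    rightsubnet=0.0.0.0/0
"""

CONN_RE = re.compile(r"^conn\s+(\S+)\s*$")


def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section.

    Text after '#' is a comment; blank lines and lines outside a conn
    section (e.g. under 'config setup') are ignored.
    """
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = CONN_RE.match(line)
        if m:
            current = m.group(1)
            conns[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.strip().split("=", 1)
        conns[current][key.strip()] = value.strip()
    return conns


def find_rightsubnet_conflicts(conns):
    """Group conns by normalised rightsubnet and return {subnet: [names]}
    for every subnet claimed by more than one conn."""
    by_subnet = defaultdict(list)
    for name, opts in conns.items():
        if "rightsubnet" not in opts:
            continue
        try:
            net = ipaddress.ip_network(opts["rightsubnet"], strict=False)
        except ValueError:
            # %priv, vhost:..., etc. are not plain prefixes; not checked here
            continue
        by_subnet[str(net)].append(name)
    return {net: sorted(names) for net, names in by_subnet.items()
            if len(names) > 1}


if __name__ == "__main__":
    conflicts = find_rightsubnet_conflicts(parse_conns(SAMPLE_CONF))
    for subnet, names in conflicts.items():
        print(f"rightsubnet {subnet} is declared by: {', '.join(names)}")
```

Run against a real file with `parse_conns(open("/etc/ipsec.conf").read())`; an empty result means no two conns claim the same remote prefix, which is the condition the log above shows libreswan refusing.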