[Swan] Looking for backup "rightsubnet" ipsec connection solution
Paul Wouters
paul at nohats.ca
Thu Sep 30 00:54:19 UTC 2021
Try adding overlapip=yes to both connections.
(soon this behaviour will be the default, and the option will be
ignored)
Paul
On Wed, 29 Sep 2021, Dave Houser wrote:
> Date: Wed, 29 Sep 2021 14:31:14
> From: Dave Houser <davehouser1 at gmail.com>
> To: swan at lists.libreswan.org
> Subject: [Swan] Looking for backup "rightsubnet" ipsec connection solution
>
> libreswan will not allow identical rightsubnet settings to overlap between ipsec configurations. Here is my current topology:
>
> | Juniper VSRX01 | ---------| ens4(vti01) - CentOS libreswan - ens4(vti02) |--------- | Juniper VSRX02 |
>
> Here is my current configuration:
>
> conn to-vsrx-01
> auto=start
> authby=secret
> ike=aes256-sha2_256;dh20
> esp=aes256-sha2_256
> left=2.2.0.2
> leftid=2.2.0.2
> leftsubnet=172.21.0.0/29
> leftupdown=/opt/_updown_vti01
> right=3.3.0.2
> rightsubnet=0.0.0.0/0
> salifetime=300s
>
> conn to-vsrx-02
> auto=start
> authby=secret
> ike=aes256-sha2_256;dh20
> esp=aes256-sha2_256
> left=2.2.0.2
> leftid=2.2.0.2
> leftsubnet=172.22.0.0/29
> leftupdown=/opt/_updown_vti02
> right=3.3.1.2
> rightsubnet=0.0.0.0/0
> salifetime=300s
>
> If you notice, I have "rightsubnet=0.0.0.0/0" in both configs. Obviously this will not work. I see the following when trying to turn up to-vsrx-02 after turning up to-vsrx-01. As you can see, " 003 "to-vsrx-02" #1340: cannot route -- route already in use for "to-vsrx-01"" appears for the to-vsrx-02 connection.
>
> # ipsec auto --up to-vsrx-01
> 181 "to-vsrx-01" #1337: initiating IKEv2 connection
> 181 "to-vsrx-01" #1337: sent IKE_SA_INIT request
> 182 "to-vsrx-01" #1337: sent IKE_AUTH request {cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=DH20}
> 003 "to-vsrx-01" #1337: established IKE SA; authenticated using authby=secret and peer ID_IPV4_ADDR '3.3.0.2'
> 002 "to-vsrx-01" #1338: up-client output: net.ipv4.conf.vti01.disable_policy = 1
> 002 "to-vsrx-01" #1338: up-client output: net.ipv4.conf.vti01.rp_filter = 0
> 002 "to-vsrx-01" #1338: up-client output: net.ipv4.conf.vti01.forwarding = 1
> 004 "to-vsrx-01" #1338: established Child SA; IPsec tunnel [172.21.0.0-172.21.0.7:0-65535 0] -> [0.0.0.0-255.255.255.255:0-65535 0] {ESP=>0x94d8850e <0x47c32cc8
> xfrm=AES_CBC_256-HMAC_SHA2_256_128 NATOA=none NATD=none DPD=passive}
>
> # ipsec auto --up to-vsrx-02
> 181 "to-vsrx-02" #1339: initiating IKEv2 connection
> 181 "to-vsrx-02" #1339: sent IKE_SA_INIT request
> 182 "to-vsrx-02" #1339: sent IKE_AUTH request {cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=DH20}
> 003 "to-vsrx-02" #1339: established IKE SA; authenticated using authby=secret and peer ID_IPV4_ADDR '3.3.1.2'
> 003 "to-vsrx-02" #1340: cannot route -- route already in use for "to-vsrx-01"
> 003 "to-vsrx-02" #1340: CHILD SA encountered fatal error: INVALID_SYNTAX
> 036 "to-vsrx-02" #1339: encountered fatal error in state STATE_V2_ESTABLISHED_IKE_SA
> 003 "to-vsrx-02" #1340: ERROR: netlink response for Del SA esp.f15072cb at 3.3.1.2 included errno 3: No such process
> 002 "to-vsrx-02" #1339: deleting state (STATE_V2_ESTABLISHED_IKE_SA) aged 0.03894s and NOT sending notification
> 002 "to-vsrx-02" #1339: deleting IKE SA but connection is supposed to remain up; schedule EVENT_REVIVE_CONNS
>
> I want to use to-vsrx-02 as a backup ipsec tunnel. I thought I could set a higher metric for 0.0.0.0/0 in my routing table (which I can) but libreswan refuses to stand up the tunnel as to-vsrx-01 has the same entry for rightsubnet.
>
> What options do I have for setting up a backup ipsec tunnel in libreswan?
>
> I read a little bit about "mobike" but it's not clear how to use it or apply it to a configuration other than setting "mobike=yes" in my config, or if I need to do something special on the far end SA connection. Also, the documentation says using mobike with a VTI may be a problem.
>
> Is there any solution out there I can use?
>
> - Dave
>
>
>
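The suggested fix applied to the configuration quoted above, as an added example rather than the poster's own file or a libreswan-provided one. It assumes a libreswan release that still honours overlapip=yes (the reply notes that newer releases make this behaviour the default and ignore the option); every other value is exactly as posted.

```conf
# Added example: the two connections from the thread with overlapip=yes
# added to each, so that both may carry rightsubnet=0.0.0.0/0.
# All other values are copied unchanged from the posted configuration.
conn to-vsrx-01
    auto=start
    authby=secret
    ike=aes256-sha2_256;dh20
    esp=aes256-sha2_256
    left=2.2.0.2
    leftid=2.2.0.2
    leftsubnet=172.21.0.0/29
    leftupdown=/opt/_updown_vti01
    right=3.3.0.2
    rightsubnet=0.0.0.0/0
    salifetime=300s
    # let this 0.0.0.0/0 selector coexist with the one in to-vsrx-02
    overlapip=yes

conn to-vsrx-02
    auto=start
    authby=secret
    ike=aes256-sha2_256;dh20
    esp=aes256-sha2_256
    left=2.2.0.2
    leftid=2.2.0.2
    leftsubnet=172.22.0.0/29
    leftupdown=/opt/_updown_vti02
    right=3.3.1.2
    rightsubnet=0.0.0.0/0
    salifetime=300s
    # same setting on the second connection, as the reply suggests
    overlapip=yes
```

Bring the connections up in the same order as in the quoted session (`ipsec auto --up to-vsrx-01`, then `ipsec auto --up to-vsrx-02`); the change to look for is that the second connection no longer fails with "cannot route -- route already in use" and instead establishes its own Child SA. Because both tunnels are VTI-based and the updown scripts set disable_policy=1 on the interfaces, the IPsec policy no longer decides which peer a packet goes to: the kernel routing table does. After both tunnels are up, check with `ip route` that the 0.0.0.0/0 route over vti01 has the lower metric and the one over vti02 the higher, so that failover to the backup happens only when the primary route is withdrawn.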