[Swan] Question on opportunistic ipsec for multiple interfaces on same subnet

Mamta Gambhir mamta.gambhir at oracle.com
Mon Aug 28 00:31:13 EEST 2023


How can I set up multiple interfaces for opportunistic IPsec via the .conf file? I am able to use it successfully for one interface (using private, clear-or-private, or private-or-clear), but in my configuration each participating machine has two interfaces, both on the same subnet.
The following works:

# cat /etc/ipsec.d/ExaNoCert.conf
conn clear-or-private
        authby=null
        leftid=%null
        rightid=%null
        left=192.168.0.1
        right=%opportunisticgroup
        negotiationshunt=passthrough
        failureshunt=passthrough
        ikev2=insist
        auto=route
        type=transport

# cat /etc/ipsec.d/policies/clear-or-private
192.168.0.0/20

000 #1: "clear-or-private#192.168.0.0/20"[1] ...192.168.0.3:500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); REKEY in 28244s; REPLACE in 28794s; newest; idle;
000 #2: "clear-or-private#192.168.0.0/20"[1] ...192.168.0.3:500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in 28103s; REPLACE in 28794s; newest; eroute owner; IKE SA #1; idle;
000 #2: "clear-or-private#192.168.0.0/20"[1] ...192.168.0.3 esp.699631cc@192.168.0.3 esp.393c6cfd@192.168.0.1 Traffic: ESPin=64B ESPout=64B ESPmax=2^63B
000


All nodes have two interfaces, and each interface can communicate:

# ip a s
3: re0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 2300 qdisc mq state UP group default qlen 1000
    link/ether 0c:42:a1:a4:30:06 brd ff:ff:ff:ff:ff:ff
    altname enp23s0f0np0
    altname ens5f0np0
    inet 192.168.0.1/20 brd 192.168.15.255 scope global noprefixroute re0
       valid_lft forever preferred_lft forever
4: re1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 2300 qdisc mq state UP group default qlen 1000
    link/ether 0c:42:a1:a4:30:07 brd ff:ff:ff:ff:ff:ff
    altname enp23s0f1np1
    altname ens5f1np1
    inet 192.168.0.2/20 brd 192.168.15.255 scope global noprefixroute re1
       valid_lft forever preferred_lft forever





I have even tried having 192.168.0.1 as private and 192.168.0.2 as clear-or-private, as I couldn't figure out how to add two private-or-clear sections in the .conf, but I am unable to get this negotiation to succeed for more than one interface.



000 #1: "private-or-clear#192.168.0.0/20"[1] ...192.168.0.1:500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); REKEY in 152s; REPLACE in 1064s; newest; idle;
000 #3: "private-or-clear#192.168.0.0/20"[1] ...192.168.0.1:500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in 98s; REPLACE in 1064s; newest; eroute owner; IKE SA #1; idle;
000 #3: "private-or-clear#192.168.0.0/20"[1] ...192.168.0.1 esp.9ba98d86@192.168.0.1 esp.1705f276@192.168.0.3 Traffic: ESPin=256B ESPout=256B ESPmax=2^63B
000 #2: "private-or-clear#192.168.0.0/20"[2] ...192.168.0.1:500 STATE_V2_PARENT_R1 (sent IKE_SA_INIT (or IKE_INTERMEDIATE) response); DISCARD in 183s; idle;
000 #4: "private-or-clear#192.168.0.0/20"[3] ...192.168.0.2:500 STATE_V2_PARENT_I1 (sent IKE_SA_INIT request); RETRANSMIT in 6s; idle;
000 #4: pending CHILD SA for "private-or-clear#192.168.0.0/20"[3] ...192.168.0.2
000


Any tips or advice will be highly appreciated.
Thanks
Mamta
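As an added example (not part of the original post, and not libreswan's own code), the script below parses `ipsec status` lines of the kind quoted above and reports, per connection instance and peer, whether the IKE and Child SAs are established, whether ESP traffic has actually flowed, and which SAs are stalled in IKE_SA_INIT with a RETRANSMIT or DISCARD timer. It also lists peers that have more than one connection instance, which is what the second status block shows for 192.168.0.1 (instance [1] established, instance [2] stuck in STATE_V2_PARENT_R1). The sample input is constructed from the post's output; it assumes the archive's `esp.xxx at host` form is the mailing-list rewrite of libreswan's `esp.xxx@host`.

```python
"""Triage libreswan `ipsec status` output for opportunistic IPsec.

Added example, not libreswan code. Usage: `ipsec status | python3 triage.py`;
with no piped input it runs over the constructed sample below.
"""
import re
import sys
from collections import defaultdict

# Constructed sample: the status lines from the post, with "@" restored.
SAMPLE_STATUS = """\
000 #1: "private-or-clear#192.168.0.0/20"[1] ...192.168.0.1:500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); REKEY in 152s; REPLACE in 1064s; newest; idle;
000 #3: "private-or-clear#192.168.0.0/20"[1] ...192.168.0.1:500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in 98s; REPLACE in 1064s; newest; eroute owner; IKE SA #1; idle;
000 #3: "private-or-clear#192.168.0.0/20"[1] ...192.168.0.1 esp.9ba98d86@192.168.0.1 esp.1705f276@192.168.0.3 Traffic: ESPin=256B ESPout=256B ESPmax=2^63B
000 #2: "private-or-clear#192.168.0.0/20"[2] ...192.168.0.1:500 STATE_V2_PARENT_R1 (sent IKE_SA_INIT (or IKE_INTERMEDIATE) response); DISCARD in 183s; idle;
000 #4: "private-or-clear#192.168.0.0/20"[3] ...192.168.0.2:500 STATE_V2_PARENT_I1 (sent IKE_SA_INIT request); RETRANSMIT in 6s; idle;
000 #4: pending CHILD SA for "private-or-clear#192.168.0.0/20"[3] ...192.168.0.2
000
"""

# An SA state line: "<prefix> #<sa>: "<conn>"[<inst>] ...<peer>:<port> STATE_... (<desc>); <timers>"
STATE_RE = re.compile(
    r'^\d{3} #(?P<sa>\d+): "(?P<conn>[^"]+)"\[(?P<inst>\d+)\] \.\.\.(?P<peer>[\d.]+):\d+ '
    r'(?P<state>STATE_\w+) \(.*?\);(?P<rest>.*)$')
# The ESP traffic counter line that follows an established Child SA.
TRAFFIC_RE = re.compile(
    r'^\d{3} #(?P<sa>\d+): "(?P<conn>[^"]+)"\[(?P<inst>\d+)\] \.\.\.(?P<peer>[\d.]+) .*'
    r'Traffic: ESPin=(?P<espin>\d+)B ESPout=(?P<espout>\d+)B')
# A Child SA still waiting on its IKE SA.
PENDING_RE = re.compile(
    r'^\d{3} #(?P<sa>\d+): pending CHILD SA for "(?P<conn>[^"]+)"\[(?P<inst>\d+)\] '
    r'\.\.\.(?P<peer>[\d.]+)$')


def parse_status(text):
    """Return {(conn, instance, peer): summary} built from `ipsec status` lines."""
    inst = defaultdict(lambda: {"ike": None, "child": None, "espin": 0, "espout": 0,
                                "pending": False, "retransmit": False, "discard": False})
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            entry = inst[(m["conn"], int(m["inst"]), m["peer"])]
            # Child SA states carry "CHILD"; everything else is the IKE (parent) SA.
            entry["child" if "CHILD" in m["state"] else "ike"] = m["state"]
            entry["retransmit"] |= "RETRANSMIT in" in m["rest"]
            entry["discard"] |= "DISCARD in" in m["rest"]
            continue
        m = TRAFFIC_RE.match(line)
        if m:
            entry = inst[(m["conn"], int(m["inst"]), m["peer"])]
            entry["espin"] += int(m["espin"])
            entry["espout"] += int(m["espout"])
            continue
        m = PENDING_RE.match(line)
        if m:
            inst[(m["conn"], int(m["inst"]), m["peer"])]["pending"] = True
    return dict(inst)


def triage(instances):
    """Map each instance to 'protected', 'established-no-traffic', 'stalled' or 'negotiating'."""
    verdicts = {}
    for key, e in instances.items():
        if e["child"] == "STATE_V2_ESTABLISHED_CHILD_SA":
            # Established but zero ESP bytes means the policy is up, not that traffic is protected.
            verdicts[key] = "protected" if (e["espin"] or e["espout"]) else "established-no-traffic"
        elif e["retransmit"] or e["discard"]:
            # Initiator retransmitting or responder about to discard: IKE_SA_INIT never completed.
            verdicts[key] = "stalled"
        else:
            verdicts[key] = "negotiating"
    return verdicts


def duplicate_peers(instances):
    """Peers with more than one connection instance: a stalled duplicate beside an
    established one is the pattern to look at first when several addresses share a subnet."""
    by_peer = defaultdict(list)
    for (_conn, inst, peer) in instances:
        by_peer[peer].append(inst)
    return {peer: sorted(insts) for peer, insts in by_peer.items() if len(insts) > 1}


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STATUS
    found = parse_status(text)
    for (conn, inst, peer), verdict in sorted(triage(found).items()):
        print(f"{conn}[{inst}] {peer}: {verdict}")
    print("peers with multiple instances:", duplicate_peers(found))
```

On the sample, instance [1] to 192.168.0.1 comes out as protected (256 bytes each way), while [2] to 192.168.0.1 and [3] to 192.168.0.2 come out as stalled, and 192.168.0.1 is listed as a peer with two instances. The state names and timer keywords are matched as libreswan prints them in the quoted output; other libreswan versions may word the descriptions in parentheses differently, which is why the parser keys on the STATE_ token and the timer keyword rather than the description.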