[Swan] Question on opportunistic ipsec for multiple interfaces on same subnet
Paul Wouters
paul at nohats.ca
Mon Aug 28 22:04:39 EEST 2023
On Sun, 27 Aug 2023, Mamta Gambhir wrote:
> How can I add multiple interfaces setup for opportunistic ipsec via .conf file. I am able to successfully use it for one
> interface (using private, clear-or-private, or private-or-clear), but in my configuration each machine participating has two
> interfaces and both on the same subnet.
We have never tried to make that work. It is a bit of an unusual setup :P
You can try copying the OE connections (private, clear-or-private, etc
etc to private2, clear-or-private2, etc etc) and changing the left=
for the other IP.
> # cat /etc/ipsec.d/ExaNoCert.conf
>
> conn clear-or-private
>     authby=null
>     leftid=%null
>     rightid=%null
>     left=192.168.0.1
>     right=%opportunisticgroup
>     negotiationshunt=passthrough
>     failureshunt=passthrough
>     ikev2=insist
>     auto=route
>     type=transport
Note that this is unusual. clear-or-private is a "respond only"
connection, so it should have auto=add, not auto=route. The
connection private-or-clear would be the one that has auto=route.
> # cat /etc/ipsec.d/policies/clear-or-private
>
> 192.168.0.0/20
I'm not sure if this will be picked up by the new connection names :/
It might not without some little tweaking in the code (programs/pluto/foodgroups.c)
We could look at adding an option that sets the opportunistic group name
in the connection so the "private2" could set the group name to
"private".
Paul
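Paul's two suggestions applied to the quoted config, as an added example that is not part of the thread: clear-or-private is switched to auto=add, a copy with a "2" suffix is made for the second interface, and the initiating private-or-clear2 gets auto=route (private-or-clear for the first interface is identical minus the suffix). The second interface address 192.168.0.2 is an assumption; 192.168.0.1 and 192.168.0.0/20 come from the original mail.

```ini
# /etc/ipsec.d/ExaNoCert.conf (added example; 192.168.0.2 is assumed)

# Respond-only: loaded with auto=add, installs no policy of its own.
conn clear-or-private
    authby=null
    leftid=%null
    rightid=%null
    left=192.168.0.1
    right=%opportunisticgroup
    negotiationshunt=passthrough
    failureshunt=passthrough
    ikev2=insist
    type=transport
    auto=add

# Same conn for the second interface: only the name and left= differ.
# Per Paul's caveat, /etc/ipsec.d/policies/clear-or-private2 may not be
# picked up by this name without a change in programs/pluto/foodgroups.c.
conn clear-or-private2
    authby=null
    leftid=%null
    rightid=%null
    left=192.168.0.2
    right=%opportunisticgroup
    negotiationshunt=passthrough
    failureshunt=passthrough
    ikev2=insist
    type=transport
    auto=add

# Initiator for the second interface: auto=route installs the trap
# policy, so outbound traffic to the group triggers IKE.
conn private-or-clear2
    authby=null
    leftid=%null
    rightid=%null
    left=192.168.0.2
    right=%opportunisticgroup
    negotiationshunt=passthrough
    failureshunt=passthrough
    ikev2=insist
    type=transport
    auto=route
```

Each policy file (for example /etc/ipsec.d/policies/private-or-clear2) would hold the same 192.168.0.0/20 line as the quoted clear-or-private file; check `ipsec status` after `ipsec auto --add` to confirm the suffixed groups were actually instantiated.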