<div dir="ltr">Excuse my "stupidity"... but, how? :D<div><br></div><div>I am running on a Debian 9 server.</div></div><div class="gmail_extra"><br><div class="gmail_quote">2018-04-12 19:05 GMT+03:00 Paul Wouters <span dir="ltr"><<a href="mailto:paul@nohats.ca" target="_blank">paul@nohats.ca</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Thu, 12 Apr 2018, Mircea Troaca wrote:<br>
<br>
Try the attached patch.<br>
<br>
Paul<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Date: Thu, 12 Apr 2018 12:00:48<br>
From: Mircea Troaca <<a href="mailto:mircea.troaca@net.ase.ro" target="_blank">mircea.troaca@net.ase.ro</a>><br>
To: <a href="mailto:swan@lists.libreswan.org" target="_blank">swan@lists.libreswan.org</a><br>
Subject: [Swan] Fwd:  Overlapping IP ranges<span class=""><br>
<br>
<br>
---------- Forwarded message ----------<br>
From: Mircea Troaca <<a href="mailto:mircea.troaca@net.ase.ro" target="_blank">mircea.troaca@net.ase.ro</a>><br>
Date: 2018-04-12 18:56 GMT+03:00<br>
Subject: Re: [Swan] Overlapping IP ranges<br>
To: Paul Wouters <<a href="mailto:paul@nohats.ca" target="_blank">paul@nohats.ca</a>><br>
<br>
<br></span>
I tried with overlapip=yes. When I add that to my connection, clients can connect fine, but I get the same error, "overlaps with connection bla bla bla". After I added mark=-1/0xffffffff,<div><div class="h5"><br>
clients can't connect anymore.<br>
<br>
2018-04-12 17:09 GMT+03:00 Paul Wouters <<a href="mailto:paul@nohats.ca" target="_blank">paul@nohats.ca</a>>:<br>
      On Wed, 11 Apr 2018, Mircea Troaca wrote:<br>
<br>
            libreswan + xl2tpd + a freeradius server. The problem occurs when two clients from different networks that use the same address range (192.168.0.x) try to access the<br>
            server.<br>
<br>
            Client A: 192.168.0.101<br>
                 -> he is the first who connects, and it is successful.<br>
<br>
            Client B: 192.168.0.101 (from a different network, at a different location, using a router that gives out 192.168.0.x)<br>
                 -> Virtual IP <a href="http://192.168.0.101/32" rel="noreferrer" target="_blank">192.168.0.101/32</a> overlaps with connection "L2TP-PSK-NAT"[11] xxx.xxx.xxx.xxx (kind=CK_INSTANCE) 'xxx.xxx.xxx.xxx'<br>
                 -> Kernel method 'netkey' does not support overlapping IP ranges<br>
<br>
<br>
      This should work, if you use marking to make each IPsec SA unique.<br>
<br>
      Try adding this to your connection:<br>
<br>
              overlapip=yes<br>
              mark=-1/0xffffffff<br>
<br>
      Paul<br>
<br>
            and the tunnel is not established...<br>
<br>
<br>
            here is my config of ipsec.conf<br>
<br>
            config setup<br>
              virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.150.0.0/24,%v4:!10.150.1.0/24<br>
              protostack=netkey<br>
              plutostderrlog=/var/log/ipsec.log<br>
              interfaces=%defaultroute<br>
              uniqueids=no<br>
<br>
            include /etc/ipsec.d/l2tp-psk.conf<br>
<br>
<br>
            and here is the config of l2tp-psk.conf<br>
<br>
            conn L2TP-PSK-NAT<br>
                    rightsubnet=vhost:%priv<br>
                    also=L2TP-PSK-noNAT<br>
                    ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512<br>
                    phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512<br>
                    sha2-truncbug=yes<br>
<br>
            conn L2TP-PSK-noNAT<br>
                    # Use a Preshared Key. Disable Perfect Forward Secrecy.<br>
                    authby=secret<br>
                    pfs=no<br>
                    auto=add<br>
                    keyingtries=3<br>
                    # we cannot rekey for %any, let client rekey<br>
                    rekey=no<br>
                    # Apple iOS doesn't send delete notify so we need dead peer detection<br>
                    # to detect vanishing clients<br>
                    dpddelay=10<br>
                    dpdtimeout=90<br>
                    dpdaction=clear<br>
                    # Set ikelifetime and keylife to same defaults windows has<br>
                    ikelifetime=8h<br>
                    keylife=1h<br>
                    # l2tp-over-ipsec is transport mode<br>
                    type=transport<br>
                    #<br>
                    # left will be filled in automatically with the local address of the default-route interface (as determined at IPsec startup time).<br>
                    left=%defaultroute<br>
                    #<br>
                    # For updated Windows 2000/XP clients,<br>
                    # to support old clients as well, use leftprotoport=17/%any<br>
                    leftprotoport=17/1701<br>
                    #<br>
                    # The remote user.<br>
                    #<br>
                    right=%any<br>
                    # Using the magic port of "%any" means "any one single port". This is<br>
                    # a work around required for Apple OSX clients that use a randomly<br>
                    # high port.<br>
                    rightprotoport=17/%any<br>
<br>
<br>
            Thank you in advance!<br>
<br>
<br>
<br>
<br>
<br>
</div></div></blockquote>
</blockquote></div><br></div>
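<p>For reference, the server-side conn from the thread with the two settings suggested in Paul's reply folded in. This is an added example, not a config anyone posted in the thread: the indented values are copied from the posted l2tp-psk.conf, and only the <code>overlapip=</code> and <code>mark=</code> lines come from the reply. Both settings go on the conn that carries <code>rightsubnet=vhost:%priv</code>, since that is the one whose instances collide when two clients claim the same private address.</p>

```ini
# Added example, not a config from the thread: the posted L2TP-PSK-NAT conn
# with the two settings from the reply added. L2TP-PSK-noNAT is unchanged
# and is still pulled in through also=.
conn L2TP-PSK-NAT
        rightsubnet=vhost:%priv
        also=L2TP-PSK-noNAT
        # Let two connection instances carry the same client address
        # (e.g. two road warriors both claiming 192.168.0.101).
        overlapip=yes
        # Per the reply: give each IPsec SA its own mark so the kernel
        # can tell the overlapping instances apart. -1 means pluto
        # picks a distinct mark per instance; 0xffffffff is the mask.
        mark=-1/0xffffffff
        ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512
        phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512
        sha2-truncbug=yes
```

<p>After reloading the connection, <code>ip xfrm state</code> should show a <code>mark</code> value on each SA, and a second client with the same private address should instantiate its own marked SA instead of hitting the "overlaps with connection" error. The proposal lists are left exactly as posted; note that the 3des and modp1024 entries are considerably weaker than the aes256-sha2_512 entry and only need to stay if clients that require them are still in use.</p>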