<div dir="ltr"><div class="gmail_quote"><div dir="ltr" class="gmail_attr"><br></div><div lang="EN-US" link="#0563C1" vlink="#954F72"><div class="m_-4261098580734652370WordSection1"><div><div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in 0in 0in">
</div>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<div align="center">
<table border="0" cellpadding="0" width="100%" style="width:100.0%;background:#ffeb9c">
<tbody>
<tr>
<td style="padding:.75pt .75pt .75pt .75pt">
<p class="MsoNormal"><b><span style="color:red">WARNING:</span></b> The sender of this email could not be validated and may not match the person in the "From" field.<u></u><u></u></p>
</td>
</tr>
</tbody>
</table>
</div>
</div>
<table border="0" cellpadding="0" align="left" style="background:#fffb00">
<tbody>
<tr>
<td style="padding:.75pt .75pt .75pt .75pt">
<p class="MsoNormal" align="center" style="text-align:center">
<b><span style="color:red">**EXTERNAL EMAIL**</span></b> <u></u><u></u></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Objective of the Libreswan server setup :
<u></u><u></u></p>
<ol start="1" type="1">
<li class="m_-4261098580734652370MsoListParagraph" style="margin-left:0in">
Dialup VPN server for remote clients . <u></u><u></u></li><li class="m_-4261098580734652370MsoListParagraph" style="margin-left:0in">
Each remote client has preconfigured data path subnets for IPSEC traffic . <u></u><u></u></li><ol start="1" type="a">
<li class="m_-4261098580734652370MsoListParagraph" style="margin-left:0in">
The subnet is part of the Phase2 selector for traffic . <u></u><u></u></li><li class="m_-4261098580734652370MsoListParagraph" style="margin-left:0in">
We want to avoid pre-configuration of this subnet (shown below) on the server side since we’re trying to scale this against thousands of remotes and many vpn servers
<u></u><u></u></li></ol>
<li class="m_-4261098580734652370MsoListParagraph" style="margin-left:0in">
Individual VTI for each remote client subnet – this is preferred <u></u><u></u></li></ol>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><b><span style="font-size:14.0pt">Test Setup:<u></u><u></u></span></b></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><img width="1297" height="633" style="width:13.5104in;height:6.5937in" id="m_-4261098580734652370Picture_x0020_1" src="cid:170c4ffdde24cff311" alt="cid:image001.png@01D5F637.3A29CDB0"><u></u><u></u></p>
<p class="MsoNormal"><b>Question 1:</b>
<span style="color:black">Is there a way </span>we<span style="color:black"> can have only one "leftid" for the all the
</span>remote clients<span style="color:black"> </span>(strongswan)<span style="color:black">?<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:black">>> O</span>n<span style="color:black">e
<span style="background:yellow">conn block</span> </span>on the libreswan server configuration
<span style="color:black">for all the remote clients.</span><u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><span style="color:black;background:yellow">conn ipsec01<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:black;background:yellow">
</span><a href="mailto:leftid=@libswan1.com" target="_blank"><span style="background:yellow">leftid=@libswan1.com</span></a><span style="color:black;background:yellow"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:black;background:yellow"> rightsubnet=<a href="http://10.10.0.1/32" target="_blank">10.10.0.1/32</a></span><span style="color:black"><u></u><u></u></span></p>
<p class="MsoNormal"><b>Question 2:</b>
<span style="color:black">Also when </span>we <span style="color:black">set the "rightsubnet=<a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a>"
</span>(on the libreswan Server) <span style="color:black">the IPSec </span>f<span style="color:black">ail due to </span>:
<u></u><u></u></p>
<p class="MsoNormal">The first IPSec 01 connection is successful but the second IPSec 02 phase 2 fails and throws following error:<u></u><u></u></p>
<p class="MsoNormal"><span style="color:black">>> psec02"[1] 10.11.0.2 #10: cannot install eroute -- it is in use for "ipsec01"[7] 10.11.0.1 #11<br>
Mar 9 15:55:33.178415: | delete inbound eroute <a href="http://0.0.0.0/0:0" target="_blank">0.0.0.0/0:0</a> --0-> <a href="http://0.0.0.0/0:0" target="_blank">0.0.0.0/0:0</a> => </span>
<a href="mailto:unk255.10000@10.11.251.252" target="_blank">unk255.10000@10.11.251.252</a><span style="color:black"> (raw_eroute)<u></u><u></u></span></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><span style="color:black;background:yellow">conn ipsec01<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:black;background:yellow">
</span><a href="mailto:leftid=@libswan1.com" target="_blank"><span style="background:yellow">leftid=@libswan1.com</span></a><span style="color:black;background:yellow"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:black;background:yellow"> rightsubnet=<a href="http://10.10.0.1/32" target="_blank">10.10.0.1/32</a></span><span style="color:black"><u></u><u></u></span></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><b>Due to the above two limitation we have to define a conn: block on the libreswan server for every remote side client which we are trying to avoid.<u></u><u></u></b></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><img border="0" width="998" height="657" style="width:10.3958in;height:6.8437in" id="m_-4261098580734652370Picture_x0020_2" src="cid:170c4ffdde35b16b22" alt="cid:image002.png@01D5F637.3A29CDB0"><u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</div>
</div>
</div></div>