<div dir="ltr"><div>Hello All, </div><div><br></div><div><span style="font-family:Calibri,sans-serif;font-size:14.6667px">Can someone please advise me on the below.</span>  <br></div><div><span style="font-family:Calibri,sans-serif;font-size:11pt"> </span><br></div><div><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><b>Overview:</b></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">I have
two connection profiles on my responder with right=%any. For both
connections, rightsubnet/leftsubnet are set to 0.0.0.0/0. I am setting up an XFRMi interface for each
connection.</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> </p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><b>Question:</b> With this configuration, my first tunnel comes up successfully, but why does my second tunnel fail with a “route
already in use” error?</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><br></p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Given
that I have two different XFRMi interfaces, shouldn’t we allow the route (0.0.0.0/0 ->
0.0.0.0/0 subnets) for each individual XFRMi
to run iBGP? What am I missing? Any recommendations please?</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><br></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Below are some captures and logs that highlight the issue.</p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><br></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><b>XFRMi = ipsec1</b></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">"gateway01":
0.0.0.0/0===10.11.0.254<10.11.0.254>[@libswan]...%any[@strswan01]===0.0.0.0/0;
unrouted; eroute owner: #0</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> </p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><b>Connection Successful: </b></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">"gateway01"[1]:
0.0.0.0/0===10.11.0.254<10.11.0.254>[@libswan]...10.11.0.1[@strswan01]===0.0.0.0/0;
erouted; eroute owner: #2</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> </p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Apr 28
17:28:56.693693: | add inbound eroute 0.0.0.0/0:0 --0-> 0.0.0.0/0:0 =>
tun.10000@10.11.0.254 using reqid 16397 (raw_eroute)</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Apr 28
17:28:56.693697: | IPsec Sa SPD priority set to 2097151</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Apr 28
17:28:56.693699: | netlink_raw_eroute netlink: XFRMA_IF_ID  1 req.n.nlmsg_type=25</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Apr 28
17:28:56.693713: | <b>raw_eroute
result=success</b></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> </p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Apr 28
17:28:56.693727: | FOR_EACH_CONNECTION_... in route_owner</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Apr 28
17:28:56.693729: |  conn gateway01 mark
0/00000000, 0/00000000 vs</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Apr 28
17:28:56.693731: |  conn gateway01 mark
0/00000000, 0/00000000</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Apr 28
17:28:56.693733: |  conn gateway01 mark
0/00000000, 0/00000000 vs</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Apr 28
17:28:56.693735: |  conn gateway02 mark
0/00000000, 0/00000000</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Apr 28
17:28:56.693738: |  conn gateway01 mark
0/00000000, 0/00000000 vs</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Apr 28
17:28:56.693740: |  conn gateway01 mark
0/00000000, 0/00000000</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">_ROUTEApr
28 17:28:56.693744: <b>| route owner of
"gateway01"[1] 10.11.0.1 unrouted: NULL; eroute owner: NULL</b></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Apr 28
17:28:56.693752: | route_and_eroute with c: gateway01 (next: none) ero:null
esr:{(nil)} ro:null rosr:{(nil)} and state: #2</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Apr 28
17:28:56.693755: | priority calculation of connection "gateway01" is
0x1fffff</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Apr 28
17:28:56.693760: | eroute_connection add eroute 0.0.0.0/0:0 --0->
0.0.0.0/0:0 => tun.0@10.11.0.1 using reqid 16397 (raw_eroute)</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Apr 28
17:28:56.693763: | IPsec Sa SPD priority set to 2097151</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Apr 28
17:28:56.693765: | netlink_raw_eroute netlink: XFRMA_IF_ID  1 req.n.nlmsg_type=25</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Apr 28
17:28:56.693774: | raw_eroute result=success</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Apr 28
17:28:56.693779: | running updown command "ipsec _updown" for verb up</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Apr 28
17:28:56.693781: | command executing up-client</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Apr 28
17:28:56.693802: | executing up-client: PLUTO_VERB='up-client'
PLUTO_VERSION='2.0' PLUTO_CONNECTION='gateway01' PLUTO_VIRT_INTERFACE='ipsec1'
PLUTO_INTERFACE='ens224' PLUTO_XFRMI_ROUTE='yes' PLUTO_NEXT_HOP='10.11.0.1'
PLUTO_ME='10.11.0.254' PLUTO_MY_ID='@libswan' PLUTO_MY_CLIENT='0.0.0.0/0'
PLUTO_MY_CLIENT_NET='0.0.0.0' PLUTO_MY_CLIENT_MASK='0.0.0.0' PLUTO_MY_PORT='0'
PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16396' PLUTO_SA_TYPE='ESP'
PLUTO_PEER='10.11.0.1' PLUTO_PEER_ID='@strswan01' PLUTO_PEER_CLIENT='0.0.0.0/0'
PLUTO_PEER_CLIENT_NET='0.0.0.0' PLUTO_PEER_CLIENT_MASK='0.0.0.0' PLUTO_PEER_PORT='0'
PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0'
PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+DONT_REKEY+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO'
PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0
PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO=''
PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0'
PLUTO_NM_CONFIGURED='0' PLUTO_XFRMI_FWMARK='1/0...</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> </p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><b>XFRMi= ipsec2</b></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">"gateway02":
0.0.0.0/0===10.11.0.254<10.11.0.254>[@libswan]...%any[@strswan02]===0.0.0.0/0;
unrouted; eroute owner: #0</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> </p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><b>Connection Fail: </b></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">"gateway02"[1]:
0.0.0.0/0===10.11.0.254<10.11.0.254>[@libswan]...10.11.0.2[@strswan02]===0.0.0.0/0;
unrouted; eroute owner: #0</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> </p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">FOR_EACH_CONNECTION_...
in ISAKMP_SA_established</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Apr 28
17:28:58.267631: |     #3 spent 1.58
milliseconds</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Apr 28
17:28:58.267633: | install_ipsec_sa() for #4: inbound and outbound</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Apr 28
17:28:58.267635: | could_route called for gateway02 (kind=CK_INSTANCE)</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Apr 28
17:28:58.267637: | FOR_EACH_CONNECTION_... in route_owner</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Apr 28
17:28:58.267639: |  conn gateway02 mark
0/00000000, 0/00000000 vs</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Apr 28
17:28:58.267641: |  conn gateway02 mark
0/00000000, 0/00000000</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Apr 28
17:28:58.267643: |  conn gateway02 mark
0/00000000, 0/00000000 vs</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Apr 28
17:28:58.267645: |  conn gateway01 mark
0/00000000, 0/00000000</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Apr 28
17:28:58.267647: |  conn gateway02 mark
0/00000000, 0/00000000 vs</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Apr 28
17:28:58.267649: |  conn gateway02 mark
0/00000000, 0/00000000</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Apr 28
17:28:58.267650: |  conn gateway02 mark
0/00000000, 0/00000000 vs</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Apr 28
17:28:58.267652: |  conn gateway01 mark
0/00000000, 0/00000000</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Apr 28
17:28:58.267658: | route owner of "gateway02"[1] 10.11.0.2 unrouted:
"gateway01"[1] 10.11.0.1 erouted; eroute owner:
"gateway01"[1] 10.11.0.1 erouted</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Apr 28
17:28:58.267662: <b><font color="#ff0000">"gateway02"[1] 10.11.0.2 #3: cannot route -- route
already in use for "gateway01"[1] 10.11.0.1</font></b></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Apr 28
17:28:58.267665: | <b><font color="#ff0000">ikev2_child_sa_respond returned STF_FATAL</font></b></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Apr 28
17:28:58.267667: | ikev2_parent_inI2outR2_continue_tail returned STF_FATAL</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Apr 28
17:28:58.267670: |   #3 spent 1.62
milliseconds in processing: Responder: process IKE_AUTH request in
v2_dispatch()</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Apr 28
17:28:58.267672: | MD.ST contains the CHILD SA #4</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Apr 28
17:28:58.267676: | suspend processing: state #3 connection
"gateway02"[1] 10.11.0.2 from 10.11.0.2:4500 (in
complete_v2_state_transition() at ikev2.c:3229)</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Apr 28
17:28:58.267679: | start processing: state #4 connection
"gateway02"[1] 10.11.0.2 from 10.11.0.2:4500 (in
complete_v2_state_transition() at ikev2.c:3229)</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Apr 28
17:28:58.267682: | #4 complete_v2_state_transition() UNDEFINED -> V2_IPSEC_R
with status STF_FATAL; transition.[from]state=PARENT_R1</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Apr 28
17:28:58.267685: "gateway02"[1] 10.11.0.2 #4: encountered fatal error
in state STATE_UNDEFINED</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> </p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:11pt">Thank you,      </span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">-Rav Ya</p></div></div>
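<p>Added example, not part of the original post and not libreswan code: a small Python triage helper that parses "ipsec status" connection lines like the two quoted above (a constructed copy of them is embedded) and reports, for each connection that is still unrouted, which erouted connection already owns the same client-selector pair, which is what the "route owner of" debug line above reports. It assumes, as a simplification, that an identical leftsubnet/rightsubnet pair is what the conflict check keys on.</p>

```python
# Added example (not libreswan code): parse "ipsec status" connection lines like
# the two quoted in the post and report which erouted connection already owns the
# client-selector pair that an unrouted connection is trying to install.
import re
from ipaddress import ip_network

# Constructed sample, modelled on the two status lines in the post.
STATUS_LOG = """\
"gateway01"[1]: 0.0.0.0/0===10.11.0.254<10.11.0.254>[@libswan]...10.11.0.1[@strswan01]===0.0.0.0/0; erouted; eroute owner: #2
"gateway02"[1]: 0.0.0.0/0===10.11.0.254<10.11.0.254>[@libswan]...10.11.0.2[@strswan02]===0.0.0.0/0; unrouted; eroute owner: #0
"""

# Shape: "name"[inst]: lclient===lhost<nexthop>[lid]...rhost[rid]===rclient; state; eroute owner: #N
STATUS_RE = re.compile(
    r'"(?P<name>[^"]+)"(?:\[(?P<inst>\d+)\])?:\s+'
    r'(?P<lclient>\S+?)===(?P<lhost>[^<\[]+)(?:<[^>]*>)?(?:\[[^\]]*\])?'
    r'\.\.\.(?P<rhost>[^\[;=]+)(?:\[[^\]]*\])?===(?P<rclient>[^;]+);\s*'
    r'(?P<state>\w+);\s*eroute owner:\s*#(?P<owner>\d+)')


def parse_status(text):
    """Yield one dict per connection line: the label as pluto prints it,
    normalised client selectors, routing state and owning state number."""
    for line in text.splitlines():
        m = STATUS_RE.search(line)
        if not m:
            continue
        label = '"%s"' % m["name"]
        if m["inst"]:  # instance of a %any template: pluto appends [n] and the peer
            label += "[%s] %s" % (m["inst"], m["rhost"].strip())
        yield {"label": label, "state": m["state"], "owner": int(m["owner"]),
               "selectors": (ip_network(m["lclient"]), ip_network(m["rclient"].strip()))}


def find_route_conflicts(text):
    """Return (blocked_label, owner_label, owner_state) for every unrouted
    connection whose selector pair is already erouted by another connection.
    Assumption: an identical pair is what makes pluto report the route in use."""
    conns = list(parse_status(text))
    erouted = [c for c in conns if c["state"] == "erouted"]
    return [(c["label"], o["label"], o["owner"])
            for c in conns if c["state"] == "unrouted"
            for o in erouted if o["selectors"] == c["selectors"]]


if __name__ == "__main__":
    for blocked, owner, sa in find_route_conflicts(STATUS_LOG):
        print("%s cannot route: selectors held by %s (state #%d)" % (blocked, owner, sa))
```

Run against the embedded sample it reports gateway02[1] as blocked by gateway01[1], whose eroute is owned by state #2, matching the "cannot route -- route already in use" line in the log.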