<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Thanks Paul, this works.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Wei</div>
<div id="appendonsend"></div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> Paul Wouters &lt;paul@nohats.ca&gt;<br>
<b>Sent:</b> Thursday, July 15, 2021 11:28 AM<br>
<b>To:</b> Wei Huang &lt;wei.hu.huang@oracle.com&gt;<br>
<b>Cc:</b> Swan@lists.libreswan.org &lt;Swan@lists.libreswan.org&gt;<br>
<b>Subject:</b> [External] : Re: [Swan] Setup multiple IPSec tunnels to remote site with same protected networks</font>
<div> </div>
</div>
<div dir="auto">Add overlapip=yes to both connections and see if that is enough?<br>
<br>
<div dir="ltr">Sent using a virtual keyboard on a phone</div>
<div dir="ltr"><br>
<blockquote type="cite">On Jul 15, 2021, at 10:55, Wei Huang &lt;wei.hu.huang@oracle.com&gt; wrote:<br>
<br>
</blockquote>
</div>
<blockquote type="cite">
<div dir="ltr">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
I tried to set up 2 IPSec tunnels to a remote site with the same protected networks. Only one tunnel can be fully set up. The other one got the following error message:</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
Jul 13 21:58:48.166338: "MPLS_Group_2" #26: cannot route -- route already in use for "MPLS_Group_1"<br>
Jul 13 21:58:48.166352: "MPLS_Group_2" #26: encountered fatal error in state STATE_PARENT_I2<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
Is this use case supported in libreswan? If yes, what do I need to do? I am using Libreswan 3.32.</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
My side's config:</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
conn MPLS_Group_1
<div>left=10.0.0.6</div>
<div>leftsubnet=10.0.0.0/16</div>
<div><br>
</div>
<div>right=10.104.0.100</div>
<div>rightsubnet=10.104.0.0/16</div>
<div><br>
</div>
<div>authby=secret</div>
<div>nat-keepalive=yes</div>
<div>auto=start</div>
<div>rekey=yes</div>
<div>ikev2=yes</div>
<div>ike=aes128-sha2;dh5</div>
<div>ikelifetime=3600</div>
<div>dpdtimeout=300</div>
<div>dpddelay=15</div>
<div>phase2=esp</div>
<div>phase2alg=aes_gcm256-null</div>
<div>pfs=no</div>
<span>salifetime=86400</span><br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<span><br>
</span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<span>conn MPLS_Group_2
<div>left=10.0.0.6</div>
<div>leftsubnet=10.0.0.0/16</div>
<div><br>
</div>
<div>right=10.104.0.101</div>
<div>rightsubnet=10.104.0.0/16</div>
<div><br>
</div>
<div>authby=secret</div>
<div>nat-keepalive=yes</div>
<div>auto=start</div>
<div>rekey=yes</div>
<div>ikev2=yes</div>
<div>ike=aes128-sha2;dh5</div>
<div>ikelifetime=3600</div>
<div>dpdtimeout=300</div>
<div>dpddelay=15</div>
<div>phase2=esp</div>
<div>phase2alg=aes_gcm256-null</div>
<div>pfs=no</div>
<span>salifetime=86400</span><br>
</span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<span><span><br>
</span></span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<span><span><br>
</span></span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<span><span>Remote site is 2 VMs, each has StrongSwan running. </span></span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<span><span>Config on VM1:</span></span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<span><span>conn talari
<div>        left=10.104.0.101</div>
<div>        leftid=10.104.0.101</div>
<div>        leftsubnet=10.104.1.0/16</div>
<div>        leftauth=psk</div>
<div><br>
</div>
<div>        right=10.0.0.6</div>
<div>        rightid=10.0.0.6</div>
<div>        rightsubnet=10.0.0.0/16</div>
<div>        rightauth=psk</div>
<div>        auto=start</div>
<div>        ike=aes128-sha1-modp1536<br>
</div>
<div>        esp=aes256gcm16<br>
</div>
<div><br>
</div>
<div>Config on VM2:</div>
<div>conn talari
<div>        left=10.104.0.100</div>
<div>        leftid=10.104.0.100</div>
<div>        leftsubnet=10.104.1.0/16</div>
<div>        leftauth=psk<br>
</div>
<div><br>
</div>
<div>        right=10.0.0.6</div>
<div>        rightid=10.0.0.6</div>
<div>        rightsubnet=10.0.0.0/16</div>
<div>        rightauth=psk</div>
<div>        auto=start</div>
<div>        ike=aes128-sha1-modp1536</div>
<span>        esp=aes256gcm16</span><br>
</div>
<div><span><br>
</span></div>
<div><span><br>
</span></div>
<div><span>Thanks,</span></div>
<div><span>Wei</span></div>
</span></span></div>
</div>
</blockquote>
</div>
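<div>A pre-flight check for the situation in this thread, added here as an example (not code from libreswan or from either poster): it groups conns by their leftsubnet/rightsubnet pair and reports any group where overlapip=yes is not set on every member, which is the change suggested in the reply for both connections. The parser is a simplified assumption that handles only flat conn sections (no also=, include or leftsubnets=), and the sample input is constructed from the two conns quoted above.</div>

```python
import ipaddress
from collections import defaultdict

# Constructed sample: the two conns from this thread, reduced to the keys the check needs.
SAMPLE = """\
conn MPLS_Group_1
    left=10.0.0.6
    leftsubnet=10.0.0.0/16
    right=10.104.0.100
    rightsubnet=10.104.0.0/16

conn MPLS_Group_2
    left=10.0.0.6
    leftsubnet=10.0.0.0/16
    right=10.104.0.101
    rightsubnet=10.104.0.0/16
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for flat conn sections (assumption: no also=/include)."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("conn "):
            current = conns.setdefault(line.split(None, 1)[1], {})
        elif line.startswith("config "):
            current = None  # keys under "config setup" belong to no conn
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def overlapping_without_overlapip(text):
    """List groups of conns sharing both protected subnets where some member lacks overlapip=yes."""
    groups = defaultdict(list)
    for name, opts in parse_conns(text).items():
        if "leftsubnet" in opts and "rightsubnet" in opts:
            # strict=False normalises host bits, so 10.104.1.0/16 compares equal to 10.104.0.0/16
            pair = tuple(ipaddress.ip_network(opts[k], strict=False)
                         for k in ("leftsubnet", "rightsubnet"))
            groups[pair].append((name, opts.get("overlapip", "no") == "yes"))
    return [sorted(n for n, _ in members)
            for members in groups.values()
            if len(members) != 1 and not all(ok for _, ok in members)]

if __name__ == "__main__":
    for names in overlapping_without_overlapip(SAMPLE):
        print("same protected subnets, overlapip=yes missing:", ", ".join(names))
```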
</body>
</html>