<div dir="ltr">libreswan will not allow identical rightsubnet settings to overlap between ipsec configurations.Here is my current topology:<br><br>| Juniper VSRX01 | ---------| ens4(vti01) - CentOS libreswan - ens4(vti02) |--------- | Juniper VSRX02 | <br><br>Here is my current configuration:<br><br><font face="monospace">conn to-vsrx-01<br> auto=start<br> authby=secret<br> ike=aes256-sha2_256;dh20<br> esp=aes256-sha2_256<br> left=2.2.0.2<br> leftid=2.2.0.2<br> leftsubnet=<a href="http://172.21.0.0/29">172.21.0.0/29</a><br> leftupdown=/opt/_updown_vti01<br> right=3.3.0.2<br> rightsubnet=<a href="http://0.0.0.0/0">0.0.0.0/0</a><br> salifetime=300s<br><br>conn to-vsrx-02<br> auto=start<br> authby=secret<br> ike=aes256-sha2_256;dh20<br> esp=aes256-sha2_256<br> left=2.2.0.2<br> leftid=2.2.0.2<br> leftsubnet=<a href="http://172.22.0.0/29">172.22.0.0/29</a><br> leftupdown=/opt/_updown_vti02<br> right=3.3.1.2<br> rightsubnet=<a href="http://0.0.0.0/0">0.0.0.0/0</a><br> salifetime=300s</font><br><br>If you notice I have "rightsubnet=<a href="http://0.0.0.0/0">0.0.0.0/0</a>" in both configs. Obviously this will not work. I see the following when trying to turn up to-vsrx-02 after turning up to-vsrx-01. As you can see "
003 "to-vsrx-02" #1340: cannot route -- route already in use for "to-vsrx-01"" appears for the to-vsrx-02 connection.<br><br># ipsec auto --up to-vsrx-01<br>181 "to-vsrx-01" #1337: initiating IKEv2 connection<br>181 "to-vsrx-01" #1337: sent IKE_SA_INIT request<br>182 "to-vsrx-01" #1337: sent IKE_AUTH request {cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=DH20}<br>003 "to-vsrx-01" #1337: established IKE SA; authenticated using authby=secret and peer ID_IPV4_ADDR '3.3.0.2'<br>002 "to-vsrx-01" #1338: up-client output: net.ipv4.conf.vti01.disable_policy = 1<br>002 "to-vsrx-01" #1338: up-client output: net.ipv4.conf.vti01.rp_filter = 0<br>002 "to-vsrx-01" #1338: up-client output: net.ipv4.conf.vti01.forwarding = 1<br>004 "to-vsrx-01" #1338: established Child SA; IPsec tunnel [172.21.0.0-172.21.0.7:0-65535 0] -> [0.0.0.0-255.255.255.255:0-65535 0] {ESP=>0x94d8850e <0x47c32cc8 xfrm=AES_CBC_256-HMAC_SHA2_256_128 NATOA=none NATD=none DPD=passive}<br><br># ipsec auto --up to-vsrx-02<br>181 "to-vsrx-02" #1339: initiating IKEv2 connection<br>181 "to-vsrx-02" #1339: sent IKE_SA_INIT request<br>182 "to-vsrx-02" #1339: sent IKE_AUTH request {cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=DH20}<br>003 "to-vsrx-02" #1339: established IKE SA; authenticated using authby=secret and peer ID_IPV4_ADDR '3.3.1.2'<br><b>003 "to-vsrx-02" #1340: cannot route -- route already in use for "to-vsrx-01"</b><br>003 "to-vsrx-02" #1340: CHILD SA encountered fatal error: INVALID_SYNTAX<br>036 "to-vsrx-02" #1339: encountered fatal error in state STATE_V2_ESTABLISHED_IKE_SA<br>003 "to-vsrx-02" #1340: ERROR: netlink response for Del SA <a href="mailto:esp.f15072cb@3.3.1.2">esp.f15072cb@3.3.1.2</a> included errno 3: No such process<br>002 "to-vsrx-02" #1339: deleting state (STATE_V2_ESTABLISHED_IKE_SA) aged 0.03894s and NOT sending notification<br>002 "to-vsrx-02" #1339: deleting IKE SA but connection is supposed to remain up; schedule EVENT_REVIVE_CONNS<br><br>I want to use to-vsrx-02 as a backup ipsec tunnel. I thought I could set a higher metric for <a href="http://0.0.0.0/0">0.0.0.0/0</a> in my routing table (which I can) but libreswan refuses to stand up the tunnel as to-vsrx-01 has the same entry for rightsubnet.<br><br>What options do I have for setting up a backup ipsec tunnel in libreswan?<br><br>I read a little bit about "mobike" but its not clear how to use it or apply it to a configuration other than setting "mobike=yes" in my config, or if I need to do something special on the far end SA connection. Also documentation says using mobike with a VTI maybe a problem.<br><br>Is there any solution out there I can use? <br><br>- Dave<br><br></div>