<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Menlo;
        panose-1:2 11 6 9 3 8 4 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        font-size:12.0pt;
        font-family:"Calibri",sans-serif;}
span.EmailStyle17
        {mso-style-type:personal-compose;
        font-family:"Calibri",sans-serif;
        color:windowtext;}
p.p1, li.p1, div.p1
        {mso-style-name:p1;
        margin:0in;
        font-size:9.0pt;
        font-family:Menlo;
        color:black;}
span.s1
        {mso-style-name:s1;}
span.apple-converted-space
        {mso-style-name:apple-converted-space;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:12.0pt;
        font-family:"Calibri",sans-serif;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
--></style>
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt">How can I add a multiple-interface setup for opportunistic IPsec via a .conf file? I am able to use it successfully for one interface (using private, clear-or-private, or private-or-clear), but in my configuration
 each participating machine has two interfaces, both on the same subnet.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">The following works:<o:p></o:p></span></p>
<p class="p1"><span class="s1"># cat /etc/ipsec.d/ExaNoCert.conf</span><span class="apple-converted-space"> </span><o:p></o:p></p>
<p class="p1"><span class="s1">conn clear-or-private</span><o:p></o:p></p>
<p class="p1"><span class="apple-converted-space">        </span><span class="s1">authby=null</span><o:p></o:p></p>
<p class="p1"><span class="apple-converted-space">        </span><span class="s1">leftid=%null</span><o:p></o:p></p>
<p class="p1"><span class="apple-converted-space">        </span><span class="s1">rightid=%null</span><o:p></o:p></p>
<p class="p1"><span class="apple-converted-space">        </span><span class="s1">left=192.168.0.1</span><o:p></o:p></p>
<p class="p1"><span class="apple-converted-space">        </span><span class="s1">right=%opportunisticgroup</span><o:p></o:p></p>
<p class="p1"><span class="apple-converted-space">        </span><span class="s1">negotiationshunt=passthrough</span><o:p></o:p></p>
<p class="p1"><span class="apple-converted-space">        </span><span class="s1">failureshunt=passthrough</span><o:p></o:p></p>
<p class="p1"><span class="apple-converted-space">        </span><span class="s1">ikev2=insist</span><o:p></o:p></p>
<p class="p1"><span class="apple-converted-space">        </span><span class="s1">auto=route</span><o:p></o:p></p>
<p class="p1"><span class="apple-converted-space">        </span><span class="s1">type=transport</span><o:p></o:p></p>
<p class="p1"><span class="s1"># cat /etc/ipsec.d/policies/clear-or-private</span><span class="apple-converted-space"> </span><o:p></o:p></p>
<p class="p1"><span class="s1">192.168.0.0/20<o:p></o:p></span></p>
<p class="p1"><span class="s1"><o:p> </o:p></span></p>
<p class="p1"><span class="s1">00 #1: "clear-or-private#192.168.0.0/20"[1] ...192.168.0.3:500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); REKEY in 28244s; REPLACE in 28794s; newest; idle;</span><o:p></o:p></p>
<p class="p1"><span class="s1">000 #2: "clear-or-private#192.168.0.0/20"[1] ...192.168.0.3:500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in 28103s; REPLACE in 28794s; newest; eroute owner; IKE SA #1; idle;</span><o:p></o:p></p>
<p class="p1"><span class="s1">000 #2: "clear-or-private#192.168.0.0/20"[1] ...192.168.0.3 esp.699631cc@192.168.0.3 esp.393c6cfd@192.168.0.1 Traffic: ESPin=64B ESPout=64B ESPmax=2^63B</span><span class="apple-converted-space"> </span><o:p></o:p></p>
<p class="p1"><span class="s1">000 </span><span class="apple-converted-space"> </span><o:p></o:p></p>
<p class="p1"><o:p> </o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">All nodes have two interfaces, and each interface can communicate:
<o:p></o:p></span></p>
<p class="p1"><span class="s1"># ip a s</span><span class="apple-converted-space"> </span><o:p></o:p></p>
<p class="p1"><span class="s1">3: re0: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 2300 qdisc mq state UP group default qlen 1000</span><o:p></o:p></p>
<p class="p1"><span class="apple-converted-space">    </span><span class="s1">link/ether 0c:42:a1:a4:30:06 brd ff:ff:ff:ff:ff:ff</span><o:p></o:p></p>
<p class="p1"><span class="apple-converted-space">    </span><span class="s1">altname enp23s0f0np0</span><o:p></o:p></p>
<p class="p1"><span class="apple-converted-space">    </span><span class="s1">altname ens5f0np0</span><o:p></o:p></p>
<p class="p1"><span class="apple-converted-space">    </span><span class="s1">inet
<span style="background:yellow;mso-highlight:yellow">192.168.0.1/20</span> brd 192.168.15.255 scope global noprefixroute re0</span><o:p></o:p></p>
<p class="p1"><span class="apple-converted-space">       </span><span class="s1">valid_lft forever preferred_lft forever</span><o:p></o:p></p>
<p class="p1"><span class="s1">4: re1: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 2300 qdisc mq state UP group default qlen 1000</span><o:p></o:p></p>
<p class="p1"><span class="apple-converted-space">    </span><span class="s1">link/ether 0c:42:a1:a4:30:07 brd ff:ff:ff:ff:ff:ff</span><o:p></o:p></p>
<p class="p1"><span class="apple-converted-space">    </span><span class="s1">altname enp23s0f1np1</span><o:p></o:p></p>
<p class="p1"><span class="apple-converted-space">    </span><span class="s1">altname ens5f1np1</span><o:p></o:p></p>
<p class="p1"><span class="apple-converted-space">    </span><span class="s1">inet
<span style="background:yellow;mso-highlight:yellow">192.168.0.2/20</span> brd 192.168.15.255 scope global noprefixroute re1</span><o:p></o:p></p>
<p class="p1"><span class="apple-converted-space">       </span><span class="s1">valid_lft forever preferred_lft forever<o:p></o:p></span></p>
<p class="p1"><span class="s1"><o:p> </o:p></span></p>
<p class="p1"><span class="s1"><o:p> </o:p></span></p>
<p class="p1"><span class="s1">I have even tried having 192.168.0.1 as private and 192.168.0.2 as clear-or-private, as I couldn’t figure out how to add to private-or-clear sections in the .conf, but I am unable to get this negotiation to succeed for more than one
 interface.<o:p></o:p></span></p>
<p class="p1"><span class="s1"><o:p> </o:p></span></p>
<p class="p1"><span class="s1">000 #1: "private-or-clear#192.168.0.0/20"[1] ...192.168.0.1:500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); REKEY in 152s; REPLACE in 1064s; newest; idle;</span><o:p></o:p></p>
<p class="p1"><span class="s1">000 #3: "private-or-clear#192.168.0.0/20"[1] ...192.168.0.1:500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in 98s; REPLACE in 1064s; newest; eroute owner; IKE SA #1; idle;</span><o:p></o:p></p>
<p class="p1"><span class="s1">000 #3: "private-or-clear#192.168.0.0/20"[1] ...192.168.0.1 esp.9ba98d86@192.168.0.1 esp.1705f276@192.168.0.3 Traffic: ESPin=256B ESPout=256B ESPmax=2^63B</span><span class="apple-converted-space"> </span><o:p></o:p></p>
<p class="p1"><span class="s1">000 #2: "private-or-clear#192.168.0.0/20"[2] ...192.168.0.1:500 STATE_V2_PARENT_R1 (sent IKE_SA_INIT (or IKE_INTERMEDIATE) response); DISCARD in 183s; idle;</span><o:p></o:p></p>
<p class="p1"><span class="s1">000 #4: "private-or-clear#192.168.0.0/20"[3] ...192.168.0.2:500 STATE_V2_PARENT_I1 (sent IKE_SA_INIT request); RETRANSMIT in 6s; idle;</span><o:p></o:p></p>
<p class="p1"><span class="s1">000 #4: pending CHILD SA for "private-or-clear#192.168.0.0/20"[3] ...192.168.0.2</span><o:p></o:p></p>
<p class="p1"><span class="s1">000 </span><span class="apple-converted-space"> </span><o:p></o:p></p>
<p class="p1"><span class="s1"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Any tips or advice will be highly appreciated.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Thanks<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Mamta<o:p></o:p></span></p>
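<p class="MsoNormal"><span style="font-size:11.0pt">Added example (editor's note, not part of the post above and not Libreswan's own code): when several opportunistic instances of one conn are in play, the "000 #N:" lines from ipsec status are easiest to reason about when grouped by peer address and instance index. The script below does that and lists the instances that never reached an established Child SA, which is the condition under which no ESP traffic flows. The sample input is constructed to mirror the status lines quoted in the post, and the regular expression is an assumption about that line shape (SA number, quoted conn name, bracketed instance, peer:port, STATE_ token); lines without a STATE_ token, such as the esp/Traffic line or "pending CHILD SA", are skipped.</span></p>

```python
"""Group Libreswan `ipsec status` SA lines by opportunistic peer instance.

Added example, not Libreswan code. The regex encodes an assumption about the
"000 #N: ..." line shape seen in `ipsec status` output.
"""
import re

# Constructed sample, modelled on the status lines quoted in the post.
SAMPLE_STATUS = """\
000 #1: "private-or-clear#192.168.0.0/20"[1] ...192.168.0.1:500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); REKEY in 152s; REPLACE in 1064s; newest; idle;
000 #3: "private-or-clear#192.168.0.0/20"[1] ...192.168.0.1:500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in 98s; REPLACE in 1064s; newest; eroute owner; IKE SA #1; idle;
000 #3: "private-or-clear#192.168.0.0/20"[1] ...192.168.0.1 esp.9ba98d86@192.168.0.1 esp.1705f276@192.168.0.3 Traffic: ESPin=256B ESPout=256B ESPmax=2^63B
000 #2: "private-or-clear#192.168.0.0/20"[2] ...192.168.0.1:500 STATE_V2_PARENT_R1 (sent IKE_SA_INIT (or IKE_INTERMEDIATE) response); DISCARD in 183s; idle;
000 #4: "private-or-clear#192.168.0.0/20"[3] ...192.168.0.2:500 STATE_V2_PARENT_I1 (sent IKE_SA_INIT request); RETRANSMIT in 6s; idle;
000 #4: pending CHILD SA for "private-or-clear#192.168.0.0/20"[3] ...192.168.0.2
000
"""

# Assumed line shape: status prefix, SA number, quoted conn name, bracketed
# instance index, "...peer:port", then the STATE_ token. Lines that lack a
# state token (esp/Traffic, "pending CHILD SA", the bare "000") do not match.
SA_LINE = re.compile(
    r'^\d{3} #(?P<sa>\d+): "(?P<conn>[^"]+)"\[(?P<inst>\d+)\] '
    r'\.\.\.(?P<peer>[\d.]+):\d+ (?P<state>STATE_\w+)'
)


def parse_sa_lines(text):
    """Return one dict per status line that carries a STATE_ token."""
    rows = []
    for line in text.splitlines():
        m = SA_LINE.match(line)
        if m:
            rows.append({
                "sa": int(m["sa"]),
                "conn": m["conn"],
                "inst": int(m["inst"]),
                "peer": m["peer"],
                "state": m["state"],
            })
    return rows


def summarize_instances(text):
    """Group SA lines by (peer, instance) and record how far each one got."""
    summary = {}
    for row in parse_sa_lines(text):
        key = (row["peer"], row["inst"])
        entry = summary.setdefault(
            key, {"conn": row["conn"], "ike": False, "child": False, "states": set()}
        )
        entry["states"].add(row["state"])
        if row["state"] == "STATE_V2_ESTABLISHED_IKE_SA":
            entry["ike"] = True
        elif row["state"] == "STATE_V2_ESTABLISHED_CHILD_SA":
            entry["child"] = True
    return summary


def incomplete_instances(text):
    """(peer, inst) pairs with no established Child SA: no ESP traffic can flow."""
    return sorted(k for k, v in summarize_instances(text).items() if not v["child"])


if __name__ == "__main__":
    for (peer, inst), info in sorted(summarize_instances(SAMPLE_STATUS).items()):
        print(f"{peer} [{inst}] ike={info['ike']} child={info['child']} "
              f"states={sorted(info['states'])}")
    print("incomplete:", incomplete_instances(SAMPLE_STATUS))
```

<p class="MsoNormal"><span style="font-size:11.0pt">Run against live output with <span class="s1">ipsec status | python3 thisscript.py</span> after replacing the constructed sample with <span class="s1">sys.stdin.read()</span>; on the sample, instance [1] of 192.168.0.1 shows both an IKE SA and a Child SA, while instance [2] of 192.168.0.1 (responder stuck in STATE_V2_PARENT_R1) and instance [3] of 192.168.0.2 (initiator retransmitting in STATE_V2_PARENT_I1) are reported as incomplete, which matches the one-interface-only symptom described above.</span></p>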
</div>
</body>
</html>