<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Menlo;
        panose-1:2 11 6 9 3 8 4 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;}
span.EmailStyle19
        {mso-style-type:personal-reply;
        font-family:"Calibri",sans-serif;
        color:windowtext;}
p.p1, li.p1, div.p1
        {mso-style-name:p1;
        margin:0in;
        font-size:9.0pt;
        font-family:Menlo;
        color:black;}
span.s1
        {mso-style-name:s1;}
span.apple-converted-space
        {mso-style-name:apple-converted-space;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal">Thanks Paul. The config for 2 private-or-clear sections seems to work as desired. I haven’t run any traffic but wanted to provide an update, as ICMP traffic works.<o:p></o:p></p>
<p class="p1"><span class="s1"><o:p> </o:p></span></p>
<p class="p1"><span class="s1">000 #21: "private-or-clear#192.168.0.0/20"[7] ...192.168.0.1:500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); REKEY in 28490s; REPLACE in 28760s; newest; idle;</span><o:p></o:p></p>
<p class="p1"><span class="s1">000 #23: "private-or-clear#192.168.0.0/20"[7] ...192.168.0.1:500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in 28490s; REPLACE in 28760s; newest; eroute owner; IKE SA #21; idle;</span><o:p></o:p></p>
<p class="p1"><span class="s1">000 #23: "private-or-clear#192.168.0.0/20"[7] ...192.168.0.1 esp.2ce74258@192.168.0.1 esp.5ec5bed9@192.168.0.3 Traffic: ESPin=0B ESPout=256B ESPmax=2^63B</span><span class="apple-converted-space"> </span><o:p></o:p></p>
<p class="p1"><span class="s1">000 #24: "private-or-clear#192.168.0.0/20"[8] ...192.168.0.2:500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); REKEY in 27823s; REPLACE in 28773s; newest; idle;</span><o:p></o:p></p>
<p class="p1"><span class="s1">000 #26: "private-or-clear#192.168.0.0/20"[8] ...192.168.0.2:500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in 27899s; REPLACE in 28773s; newest; eroute owner; IKE SA #24; idle;</span><o:p></o:p></p>
<p class="p1"><span class="s1">000 #26: "private-or-clear#192.168.0.0/20"[8] ...192.168.0.2 esp.48581d25@192.168.0.2 esp.f756432e@192.168.0.3 Traffic: ESPin=256B ESPout=256B ESPmax=2^63B</span><span class="apple-converted-space"> </span><o:p></o:p></p>
<p class="p1"><span class="s1">000 #25: "private-or-clear#192.168.0.0/20"[9] ...192.168.0.2:500 STATE_V2_PARENT_R1 (sent IKE_SA_INIT (or IKE_INTERMEDIATE) response); DISCARD in 172s; idle;</span><o:p></o:p></p>
<p class="p1"><span class="s1">000 #27: "private-or-clear-2#192.168.0.0/20"[6] ...192.168.0.2:500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); REKEY in 28148s; REPLACE in 28790s; newest; idle;</span><o:p></o:p></p>
<p class="p1"><span class="s1">000 #28: "private-or-clear-2#192.168.0.0/20"[6] ...192.168.0.2:500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in 27943s; REPLACE in 28790s; newest; eroute owner; IKE SA #27; idle;</span><o:p></o:p></p>
<p class="p1"><span class="s1">000 #28: "private-or-clear-2#192.168.0.0/20"[6] ...192.168.0.2 esp.b13040cf@192.168.0.2 esp.774c0700@192.168.0.4 Traffic: ESPin=128B ESPout=128B ESPmax=2^63B</span><span class="apple-converted-space"> </span><o:p></o:p></p>
<p class="p1"><span class="s1">000 #29: "private-or-clear-2#192.168.0.0/20"[7] ...192.168.0.1:500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); REKEY in 28254s; REPLACE in 28794s; newest; idle;</span><o:p></o:p></p>
<p class="p1"><span class="s1">000 #30: "private-or-clear-2#192.168.0.0/20"[7] ...192.168.0.1:500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in 28200s; REPLACE in 28794s; newest; eroute owner; IKE SA #29; idle;</span><o:p></o:p></p>
<p class="p1"><span class="s1">000 #30: "private-or-clear-2#192.168.0.0/20"[7] ...192.168.0.1 esp.c103f6fd@192.168.0.1 esp.9a1be691@192.168.0.4 Traffic: ESPin=128B ESPout=128B ESPmax=2^63B</span><span class="apple-converted-space"> </span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="margin-bottom:12.0pt"><b><span style="font-size:12.0pt;color:black">From:
</span></b><span style="font-size:12.0pt;color:black">Paul Wouters <paul@nohats.ca><br>
<b>Date: </b>Tuesday, August 29, 2023 at 4:17 PM<br>
<b>To: </b>Mamta Gambhir <mamta.gambhir@oracle.com><br>
<b>Cc: </b>swan@lists.libreswan.org <swan@lists.libreswan.org><br>
<b>Subject: </b>Re: [External] : Re: [Swan] Question on opportunistic ipsec for multiple interfaces on same subnet<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal">On Tue, 29 Aug 2023, Mamta Gambhir wrote:<br>
<br>
> I was hoping the above should be working or will need changes too. I am using the equivalent of libreswan 5.0.<br>
> <br>
> Though your suggestion of having multiple private (private/private2) sections will be most appropriate, I wasn’t aware of that. Thank<br>
> you. I am assuming I will need a private2 policies file too.<br>
> <br>
> I am open to try and test the changes as needed in programs/pluto/foodgroups.c to make this work as our goal is to get above going.<br>
<br>
Actually, looking at the code it seems the hardcoded names for<br>
foodgroups has completely vanished.<br>
<br>
So I think you can do this:<br>
<br>
conn private-or-clear<br>
        authby=null<br>
        leftid=%null<br>
        rightid=%null<br>
        left=192.168.0.1<br>
        right=%opportunisticgroup<br>
        negotiationshunt=passthrough<br>
        failureshunt=passthrough<br>
        ikev2=insist<br>
        auto=route<br>
        type=transport<br>
<br>
conn private-or-clear-2<br>
        authby=null<br>
        leftid=%null<br>
        rightid=%null<br>
        left=192.168.0.2<br>
        right=%opportunisticgroup<br>
        negotiationshunt=passthrough<br>
        failureshunt=passthrough<br>
        ikev2=insist<br>
        auto=route<br>
        type=transport<br>
<br>
# /etc/ipsec.d/policies/private-or-clear<br>
192.168.0.0/24<br>
<br>
# /etc/ipsec.d/policies/private-or-clear-2<br>
192.168.0.0/24<br>
<br>
<br>
Let me know if that works?<br>
<br>
Paul<o:p></o:p></p>
</div>
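<p class="MsoNormal">The status output posted above is the evidence that the two foodgroup connections are each bound to their own local address (192.168.0.3 and 192.168.0.4) and each have an established IKE SA and Child SA towards both peers. The following script, added here as an illustration and not part of the thread or of libreswan's own tooling, parses that output per (connection, peer) pair and reports whether the pair is protected and whether ESP counters have moved in both directions; it also lists leftover half-open states such as #25. The line layout it assumes is exactly the <code>ipsec status</code> format shown above; the function names <code>parse_status</code>, <code>report</code> and <code>locals_per_conn</code> are this example's own, and the sample lines are copied from the message above rather than constructed.</p>

```python
"""Summarise libreswan `ipsec status` lines per (connection, peer).

Added example, not part of the thread or of libreswan. Assumes the
line layout shown in the message above (libreswan 4.x/5.x style).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Copied from the status output posted above (not constructed).
STATUS_LINES = """\
000 #21: "private-or-clear#192.168.0.0/20"[7] ...192.168.0.1:500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); REKEY in 28490s; REPLACE in 28760s; newest; idle;
000 #23: "private-or-clear#192.168.0.0/20"[7] ...192.168.0.1:500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in 28490s; REPLACE in 28760s; newest; eroute owner; IKE SA #21; idle;
000 #23: "private-or-clear#192.168.0.0/20"[7] ...192.168.0.1 esp.2ce74258@192.168.0.1 esp.5ec5bed9@192.168.0.3 Traffic: ESPin=0B ESPout=256B ESPmax=2^63B
000 #24: "private-or-clear#192.168.0.0/20"[8] ...192.168.0.2:500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); REKEY in 27823s; REPLACE in 28773s; newest; idle;
000 #26: "private-or-clear#192.168.0.0/20"[8] ...192.168.0.2:500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in 27899s; REPLACE in 28773s; newest; eroute owner; IKE SA #24; idle;
000 #26: "private-or-clear#192.168.0.0/20"[8] ...192.168.0.2 esp.48581d25@192.168.0.2 esp.f756432e@192.168.0.3 Traffic: ESPin=256B ESPout=256B ESPmax=2^63B
000 #25: "private-or-clear#192.168.0.0/20"[9] ...192.168.0.2:500 STATE_V2_PARENT_R1 (sent IKE_SA_INIT (or IKE_INTERMEDIATE) response); DISCARD in 172s; idle;
000 #27: "private-or-clear-2#192.168.0.0/20"[6] ...192.168.0.2:500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); REKEY in 28148s; REPLACE in 28790s; newest; idle;
000 #28: "private-or-clear-2#192.168.0.0/20"[6] ...192.168.0.2:500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in 27943s; REPLACE in 28790s; newest; eroute owner; IKE SA #27; idle;
000 #28: "private-or-clear-2#192.168.0.0/20"[6] ...192.168.0.2 esp.b13040cf@192.168.0.2 esp.774c0700@192.168.0.4 Traffic: ESPin=128B ESPout=128B ESPmax=2^63B
000 #29: "private-or-clear-2#192.168.0.0/20"[7] ...192.168.0.1:500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); REKEY in 28254s; REPLACE in 28794s; newest; idle;
000 #30: "private-or-clear-2#192.168.0.0/20"[7] ...192.168.0.1:500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in 28200s; REPLACE in 28794s; newest; eroute owner; IKE SA #29; idle;
000 #30: "private-or-clear-2#192.168.0.0/20"[7] ...192.168.0.1 esp.c103f6fd@192.168.0.1 esp.9a1be691@192.168.0.4 Traffic: ESPin=128B ESPout=128B ESPmax=2^63B
""".splitlines()

# 000 #<num>: "<conn>"[<inst>] ...<peer>[:port] <rest>
HEAD_RE = re.compile(r'^000 #(?P<num>\d+): "(?P<conn>[^"]+)"\[\d+\] '
                     r'\.\.\.(?P<peer>\d+\.\d+\.\d+\.\d+)(?::\d+)? (?P<rest>.*)$')
STATE_RE = re.compile(r'^(?P<state>STATE_V2_[A-Z0-9_]+) ')
# esp.<out-SPI>@<peer> esp.<in-SPI>@<local> Traffic: ESPin=..B ESPout=..B
TRAFFIC_RE = re.compile(r'esp\.[0-9a-f]+@[\d.]+ esp\.[0-9a-f]+@(?P<local>[\d.]+) '
                        r'Traffic: ESPin=(?P<espin>\d+)B ESPout=(?P<espout>\d+)B')


@dataclass
class PeerStatus:
    conn: str
    peer: str
    ike_established: bool = False
    child_established: bool = False
    local: Optional[str] = None
    esp_in: int = 0
    esp_out: int = 0
    half_open: List[Tuple[int, str]] = field(default_factory=list)

    @property
    def protected(self) -> bool:
        return self.ike_established and self.child_established

    @property
    def bidirectional(self) -> bool:
        return self.esp_in > 0 and self.esp_out > 0


def parse_status(lines) -> Dict[Tuple[str, str], PeerStatus]:
    """Fold every status line into one record per (connection, peer)."""
    table: Dict[Tuple[str, str], PeerStatus] = {}
    for line in lines:
        m = HEAD_RE.match(line)
        if not m:
            continue
        ps = table.setdefault((m['conn'], m['peer']), PeerStatus(m['conn'], m['peer']))
        t = TRAFFIC_RE.search(m['rest'])
        if t:  # traffic line: local address and ESP byte counters
            ps.local, ps.esp_in, ps.esp_out = t['local'], int(t['espin']), int(t['espout'])
            continue
        s = STATE_RE.match(m['rest'])
        if not s:
            continue
        if s['state'] == 'STATE_V2_ESTABLISHED_IKE_SA':
            ps.ike_established = True
        elif s['state'] == 'STATE_V2_ESTABLISHED_CHILD_SA':
            ps.child_established = True
        else:  # anything else is a negotiation in flight or a leftover
            ps.half_open.append((int(m['num']), s['state']))
    return table


def locals_per_conn(table) -> Dict[str, Set[str]]:
    """Which local addresses each connection is actually using."""
    out: Dict[str, Set[str]] = {}
    for (conn, _), ps in table.items():
        if ps.local:
            out.setdefault(conn, set()).add(ps.local)
    return out


def report(table) -> List[str]:
    """One verdict per (connection, peer); ESPin=0 with ESPout>0 is flagged
    because under private-or-clear the replies may still be passing in the clear."""
    lines = []
    for (conn, peer), ps in sorted(table.items()):
        if not ps.protected:
            verdict = 'NOT PROTECTED'
        elif ps.bidirectional:
            verdict = 'ENCRYPTED'
        else:
            verdict = 'ENCRYPTED one-way only (check reply path)'
        line = f'{conn} {ps.local or "?"} -> {peer}: {verdict} in={ps.esp_in}B out={ps.esp_out}B'
        if ps.half_open:
            line += ' half-open: ' + ', '.join(f'#{n} {st}' for n, st in ps.half_open)
        lines.append(line)
    return lines


if __name__ == '__main__':
    tbl = parse_status(STATUS_LINES)
    print(locals_per_conn(tbl))
    print('\n'.join(report(tbl)))
```

<p class="MsoNormal">Run against the lines above it shows private-or-clear bound to 192.168.0.3 and private-or-clear-2 to 192.168.0.4, all four pairs with established IKE and Child SAs, the #23 pair (from .3 to .1) with ESPout=256B but ESPin=0B, and the half-open #25 responder state towards .2 sitting beside the established one. On a live host replace the embedded lines with the output of <code>ipsec status</code>; the one-way counter is the line worth chasing, since with a private-or-clear policy and passthrough shunts a peer's replies can arrive unencrypted without anything failing visibly.</p>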
</div>
</body>
</html>