Add overlapip=yes to both connections and see if that is enough?

Sent using a virtual keyboard on a phone

> On Jul 15, 2021, at 10:55, Wei Huang <[email protected]> wrote:
>
> I tried to set up 2 IPSec tunnels to remote site with same protected
> networks. Only one tunnel can be fully set up. The other one got the following
> error message:
> Jul 13 21:58:48.166338: "MPLS_Group_2" #26: cannot route -- route already in use for "MPLS_Group_1"
> Jul 13 21:58:48.166352: "MPLS_Group_2" #26: encountered fatal error in state STATE_PARENT_I2
>
> Is this use case supported in libreswan? If yes, what do I need to do? I am
> using Libreswan 3.32.
>
> My side's config:
> conn MPLS_Group_1
>     left=10.0.0.6
>     leftsubnet=10.0.0.0/16
>
>     right=10.104.0.100
>     rightsubnet=10.104.0.0/16
>
>     authby=secret
>     nat-keepalive=yes
>     auto=start
>     rekey=yes
>     ikev2=yes
>     ike=aes128-sha2;dh5
>     ikelifetime=3600
>     dpdtimeout=300
>     dpddelay=15
>     phase2=esp
>     phase2alg=aes_gcm256-null
>     pfs=no
>     salifetime=86400
>
> conn MPLS_Group_2
>     left=10.0.0.6
>     leftsubnet=10.0.0.0/16
>
>     right=10.104.0.101
>     rightsubnet=10.104.0.0/16
>
>     authby=secret
>     nat-keepalive=yes
>     auto=start
>     rekey=yes
>     ikev2=yes
>     ike=aes128-sha2;dh5
>     ikelifetime=3600
>     dpdtimeout=300
>     dpddelay=15
>     phase2=esp
>     phase2alg=aes_gcm256-null
>     pfs=no
>     salifetime=86400
>
> Remote site is 2 VMs, each has StrongSwan running.
> Config on VM1:
> conn talari
>     left=10.104.0.101
>     leftid=10.104.0.101
>     leftsubnet=10.104.1.0/16
>     leftauth=psk
>
>     right=10.0.0.6
>     rightid=10.0.0.6
>     rightsubnet=10.0.0.0/16
>     rightauth=psk
>     auto=start
>     ike=aes128-sha1-modp1536
>     esp=aes256gcm16
>
> Config on VM2:
> conn talari
>     left=10.104.0.100
>     leftid=10.104.0.100
>     leftsubnet=10.104.1.0/16
>     leftauth=psk
>
>     right=10.0.0.6
>     rightid=10.0.0.6
>     rightsubnet=10.0.0.0/16
>     rightauth=psk
>     auto=start
>     ike=aes128-sha1-modp1536
>     esp=aes256gcm16
>
> Thanks,
> Wei
> _______________________________________________
> Swan mailing list
> [email protected]
> https://lists.libreswan.org/mailman/listinfo/swan
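A configuration check for the situation in this thread, added here as an example and not part of the original messages or of libreswan: it parses ipsec.conf-style text, groups conn sections that share the same leftsubnet/rightsubnet pair (the condition behind the "cannot route -- route already in use" error quoted above), and reports each one's overlapip setting. The function names and the embedded sample, reduced from the posted config, are constructed for illustration; `also=` includes and `conn %default` inheritance are not resolved.

```python
import re
from collections import defaultdict

# Constructed sample: the two conns from the thread, reduced to the relevant keys.
SAMPLE_CONF = """\
conn MPLS_Group_1
    left=10.0.0.6
    leftsubnet=10.0.0.0/16
    right=10.104.0.100
    rightsubnet=10.104.0.0/16

conn MPLS_Group_2
    left=10.0.0.6
    leftsubnet=10.0.0.0/16
    right=10.104.0.101
    rightsubnet=10.104.0.0/16
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section in the text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and indentation
        if not line:
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif re.match(r"config\s+\S+$", line):
            current = None                    # 'config setup' keys are not conn options
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def shared_selectors(conns):
    """Map (leftsubnet, rightsubnet) -> [(conn, overlapip)] for pairs used by 2+ conns."""
    groups = defaultdict(list)
    for name, opts in conns.items():
        selector = (opts.get("leftsubnet"), opts.get("rightsubnet"))
        if name != "%default" and None not in selector:
            groups[selector].append((name, opts.get("overlapip", "unset")))
    return {sel: members for sel, members in groups.items() if len(members) > 1}

if __name__ == "__main__":
    for (lnet, rnet), members in shared_selectors(parse_conns(SAMPLE_CONF)).items():
        print(f"{lnet} <-> {rnet} is claimed by more than one conn:")
        for name, overlapip in members:
            print(f"  {name}: overlapip={overlapip}")
```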
