try adding overlapip=yes to both connections.
(soon this behaviour will be the default, and the option will be ignored)

Paul

On Wed, 29 Sep 2021, Dave Houser wrote:
Date: Wed, 29 Sep 2021 14:31:14
From: Dave Houser <[email protected]>
To: [email protected]
Subject: [Swan] Looking for backup "rightsubnet" ipsec connection solution

libreswan will not allow identical rightsubnet settings to overlap between ipsec configurations. Here is my current topology:

    | Juniper VSRX01 | ---------| ens4(vti01) - CentOS libreswan - ens4(vti02) |--------- | Juniper VSRX02 |

Here is my current configuration:

    conn to-vsrx-01
        auto=start
        authby=secret
        ike=aes256-sha2_256;dh20
        esp=aes256-sha2_256
        left=2.2.0.2
        leftid=2.2.0.2
        leftsubnet=172.21.0.0/29
        leftupdown=/opt/_updown_vti01
        right=3.3.0.2
        rightsubnet=0.0.0.0/0
        salifetime=300s

    conn to-vsrx-02
        auto=start
        authby=secret
        ike=aes256-sha2_256;dh20
        esp=aes256-sha2_256
        left=2.2.0.2
        leftid=2.2.0.2
        leftsubnet=172.22.0.0/29
        leftupdown=/opt/_updown_vti02
        right=3.3.1.2
        rightsubnet=0.0.0.0/0
        salifetime=300s

If you notice, I have "rightsubnet=0.0.0.0/0" in both configs. Obviously this will not work. I see the following when trying to turn up to-vsrx-02 after turning up to-vsrx-01. As you can see,

    003 "to-vsrx-02" #1340: cannot route -- route already in use for "to-vsrx-01"

appears for the to-vsrx-02 connection.
    # ipsec auto --up to-vsrx-01
    181 "to-vsrx-01" #1337: initiating IKEv2 connection
    181 "to-vsrx-01" #1337: sent IKE_SA_INIT request
    182 "to-vsrx-01" #1337: sent IKE_AUTH request {cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=DH20}
    003 "to-vsrx-01" #1337: established IKE SA; authenticated using authby=secret and peer ID_IPV4_ADDR '3.3.0.2'
    002 "to-vsrx-01" #1338: up-client output: net.ipv4.conf.vti01.disable_policy = 1
    002 "to-vsrx-01" #1338: up-client output: net.ipv4.conf.vti01.rp_filter = 0
    002 "to-vsrx-01" #1338: up-client output: net.ipv4.conf.vti01.forwarding = 1
    004 "to-vsrx-01" #1338: established Child SA; IPsec tunnel [172.21.0.0-172.21.0.7:0-65535 0] -> [0.0.0.0-255.255.255.255:0-65535 0] {ESP=>0x94d8850e <0x47c32cc8 xfrm=AES_CBC_256-HMAC_SHA2_256_128 NATOA=none NATD=none DPD=passive}

    # ipsec auto --up to-vsrx-02
    181 "to-vsrx-02" #1339: initiating IKEv2 connection
    181 "to-vsrx-02" #1339: sent IKE_SA_INIT request
    182 "to-vsrx-02" #1339: sent IKE_AUTH request {cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=DH20}
    003 "to-vsrx-02" #1339: established IKE SA; authenticated using authby=secret and peer ID_IPV4_ADDR '3.3.1.2'
    003 "to-vsrx-02" #1340: cannot route -- route already in use for "to-vsrx-01"
    003 "to-vsrx-02" #1340: CHILD SA encountered fatal error: INVALID_SYNTAX
    036 "to-vsrx-02" #1339: encountered fatal error in state STATE_V2_ESTABLISHED_IKE_SA
    003 "to-vsrx-02" #1340: ERROR: netlink response for Del SA [email protected] included errno 3: No such process
    002 "to-vsrx-02" #1339: deleting state (STATE_V2_ESTABLISHED_IKE_SA) aged 0.03894s and NOT sending notification
    002 "to-vsrx-02" #1339: deleting IKE SA but connection is supposed to remain up; schedule EVENT_REVIVE_CONNS

I want to use to-vsrx-02 as a backup ipsec tunnel. I thought I could set a higher metric for 0.0.0.0/0 in my routing table (which I can), but libreswan refuses to stand up the tunnel as to-vsrx-01 has the same entry for rightsubnet.
What options do I have for setting up a backup ipsec tunnel in libreswan? I read a little bit about "mobike" but it's not clear how to use it or apply it to a configuration other than setting "mobike=yes" in my config, or if I need to do something special on the far end SA connection. Also, documentation says using mobike with a VTI may be a problem. Is there any solution out there I can use?

- Dave
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
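A pre-flight check for the conflict described in this thread, added here as an example; it is not part of the thread and not a libreswan tool. It parses a simplified ipsec.conf (conn sections of key=value lines, an optional conn %default, single-network subnet values), finds conns whose rightsubnet values overlap, and reports the pairs where at least one side does not carry overlapip=yes, which is the setting Paul suggests adding to both connections. The sample configuration is constructed from the two conns posted above with the ike/esp/updown lines left out, since they do not affect the check.

```python
"""Lint a libreswan ipsec.conf for conns whose rightsubnet overlaps
without overlapip=yes on both sides (added example, not libreswan's own code)."""
import ipaddress

# Constructed sample modelled on the two conns posted in the thread.
SAMPLE_CONF = """\
conn to-vsrx-01
    auto=start
    authby=secret
    left=2.2.0.2
    leftsubnet=172.21.0.0/29
    right=3.3.0.2
    rightsubnet=0.0.0.0/0

conn to-vsrx-02
    auto=start
    authby=secret
    left=2.2.0.2
    leftsubnet=172.22.0.0/29
    right=3.3.1.2
    rightsubnet=0.0.0.0/0
"""

# The same sample with overlapip=yes added to both conns, as suggested in the reply.
FIXED_CONF = SAMPLE_CONF.replace("    auto=start\n", "    auto=start\n    overlapip=yes\n")


def parse_conns(text):
    """Parse ipsec.conf-style text into {conn_name: {key: value}}.

    Section headers start in column 0; option lines are indented.
    'config setup' is skipped, '#' comments are stripped, and a
    'conn %default' section (if present) is merged into every other conn.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            parts = line.split()
            if len(parts) == 2 and parts[0] == "conn":
                current = parts[1]
                sections.setdefault(current, {})
            else:
                current = None  # e.g. 'config setup'
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.strip().split("=", 1)
        sections[current][key.strip()] = value.strip()
    defaults = sections.pop("%default", {})
    return {name: {**defaults, **opts} for name, opts in sections.items()}


def subnet_of(opts, side):
    """Return the ip_network for <side>subnet, or None if absent or not a plain CIDR."""
    value = opts.get(f"{side}subnet")
    if value is None:
        return None
    try:
        return ipaddress.ip_network(value, strict=False)
    except ValueError:
        return None  # e.g. vhost:%priv or comma lists; out of scope for this check


def find_overlaps(conns):
    """Return [(conn_a, conn_b)] for conns whose rightsubnets overlap while
    at least one of the pair is not marked overlapip=yes."""
    names = sorted(conns)
    findings = []
    for i, a in enumerate(names):
        net_a = subnet_of(conns[a], "right")
        if net_a is None:
            continue
        for b in names[i + 1:]:
            net_b = subnet_of(conns[b], "right")
            if net_b is None or not net_a.overlaps(net_b):
                continue
            both_allow = all(conns[n].get("overlapip", "no").lower() == "yes" for n in (a, b))
            if not both_allow:
                findings.append((a, b))
    return findings


def lint(text):
    """Parse the configuration text and return the conflicting conn pairs."""
    return find_overlaps(parse_conns(text))


if __name__ == "__main__":
    for label, conf in (("as posted", SAMPLE_CONF), ("with overlapip=yes", FIXED_CONF)):
        print(f"{label}: {lint(conf) or 'no conflicting rightsubnets'}")
```

Run against the posted configuration it reports the to-vsrx-01/to-vsrx-02 pair, and against the fixed one nothing; the check only covers the route conflict, the preference between the two tunnels is still whatever the routing table (or the updown scripts) installs.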
