How can I add a multiple-interface setup for opportunistic IPsec via a .conf file?
I am able to successfully use it for one interface (using
private, clear-or-private, or private-or-clear), but in my configuration each
machine participating has two interfaces, both on the same subnet.
The following works:

# cat /etc/ipsec.d/ExaNoCert.conf
conn clear-or-private
        authby=null
        leftid=%null
        rightid=%null
        left=192.168.0.1
        right=%opportunisticgroup
        negotiationshunt=passthrough
        failureshunt=passthrough
        ikev2=insist
        auto=route
        type=transport

# cat /etc/ipsec.d/policies/clear-or-private
192.168.0.0/20



000 #1: "clear-or-private#192.168.0.0/20"[1] ...192.168.0.3:500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); REKEY in 28244s; REPLACE in 28794s; newest; idle;
000 #2: "clear-or-private#192.168.0.0/20"[1] ...192.168.0.3:500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in 28103s; REPLACE in 28794s; newest; eroute owner; IKE SA #1; idle;
000 #2: "clear-or-private#192.168.0.0/20"[1] ...192.168.0.3 [email protected] [email protected] Traffic: ESPin=64B ESPout=64B ESPmax=2^63B
000


All nodes have two interfaces and each interface can communicate:

# ip a s
3: re0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 2300 qdisc mq state UP group default qlen 1000
    link/ether 0c:42:a1:a4:30:06 brd ff:ff:ff:ff:ff:ff
    altname enp23s0f0np0
    altname ens5f0np0
    inet 192.168.0.1/20 brd 192.168.15.255 scope global noprefixroute re0
       valid_lft forever preferred_lft forever
4: re1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 2300 qdisc mq state UP group default qlen 1000
    link/ether 0c:42:a1:a4:30:07 brd ff:ff:ff:ff:ff:ff
    altname enp23s0f1np1
    altname ens5f1np1
    inet 192.168.0.2/20 brd 192.168.15.255 scope global noprefixroute re1
       valid_lft forever preferred_lft forever





I have even tried to have 192.168.0.1 as private and 192.168.0.2 as
clear-or-private, as I couldn't figure out how to add two private-or-clear
sections in the .conf, but I am unable to get this negotiation to succeed for more
than one interface.



000 #1: "private-or-clear#192.168.0.0/20"[1] ...192.168.0.1:500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); REKEY in 152s; REPLACE in 1064s; newest; idle;
000 #3: "private-or-clear#192.168.0.0/20"[1] ...192.168.0.1:500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in 98s; REPLACE in 1064s; newest; eroute owner; IKE SA #1; idle;
000 #3: "private-or-clear#192.168.0.0/20"[1] ...192.168.0.1 [email protected] [email protected] Traffic: ESPin=256B ESPout=256B ESPmax=2^63B
000 #2: "private-or-clear#192.168.0.0/20"[2] ...192.168.0.1:500 STATE_V2_PARENT_R1 (sent IKE_SA_INIT (or IKE_INTERMEDIATE) response); DISCARD in 183s; idle;
000 #4: "private-or-clear#192.168.0.0/20"[3] ...192.168.0.2:500 STATE_V2_PARENT_I1 (sent IKE_SA_INIT request); RETRANSMIT in 6s; idle;
000 #4: pending CHILD SA for "private-or-clear#192.168.0.0/20"[3] ...192.168.0.2
000


Any tips or advice will be highly appreciated.
Thanks,
Mamta
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
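One way to give each interface its own opportunistic policy group, written as an added example for readers of this thread (it is not from the original post and not libreswan's own documentation, and the post does not show that it clears the stuck STATE_V2_PARENT_I1 instance). It uses only the keywords already present in the poster's config and assumes two things: that libreswan reads the policy file whose name matches the conn name (so a second conn named clear-or-private-re1 reads /etc/ipsec.d/policies/clear-or-private-re1, a name chosen here), and that pinning each conn to one local address with an explicit left= is what lets both interfaces initiate and respond. The peer nodes would carry the mirror-image pair of conns for their own two addresses.

```ini
# /etc/ipsec.d/ExaNoCert.conf   (added example, not the poster's file)
#
# Assumption: each conn with right=%opportunisticgroup loads the CIDR list
# from /etc/ipsec.d/policies/<conn name>, so two conns need two policy files.
# Both policy files contain the same single line:  192.168.0.0/20

# Group for the first interface, re0 (192.168.0.1).
# Policy file: /etc/ipsec.d/policies/clear-or-private
conn clear-or-private
        authby=null
        leftid=%null
        rightid=%null
        left=192.168.0.1
        right=%opportunisticgroup
        negotiationshunt=passthrough
        failureshunt=passthrough
        ikev2=insist
        auto=route
        type=transport

# Group for the second interface, re1 (192.168.0.2).
# Policy file: /etc/ipsec.d/policies/clear-or-private-re1  (assumed name)
conn clear-or-private-re1
        authby=null
        leftid=%null
        rightid=%null
        left=192.168.0.2
        right=%opportunisticgroup
        negotiationshunt=passthrough
        failureshunt=passthrough
        ikev2=insist
        auto=route
        type=transport
```

The two conns are written out in full rather than sharing settings through a common section, because a shared conn carrying right=%opportunisticgroup and auto=route would itself be loaded as a third group and would need a policy file of its own. A check worth doing after loading: the group instance for 192.168.0.2 should appear in `ipsec status` under the second conn name, and its IKE SA should move past STATE_V2_PARENT_I1, which is where the poster's output shows it stalling with retransmits.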
