Thanks Paul. The config for 2 private-or-clear sections seems to work as desired. I haven’t run any traffic but wanted to provide an update, as ICMP traffic works.

000 #21: "private-or-clear#192.168.0.0/20"[7] ...192.168.0.1:500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); REKEY in 28490s; REPLACE in 28760s; newest; idle;
000 #23: "private-or-clear#192.168.0.0/20"[7] ...192.168.0.1:500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in 28490s; REPLACE in 28760s; newest; eroute owner; IKE SA #21; idle;
000 #23: "private-or-clear#192.168.0.0/20"[7] ...192.168.0.1 [email protected] [email protected] Traffic: ESPin=0B ESPout=256B ESPmax=2^63B
000 #24: "private-or-clear#192.168.0.0/20"[8] ...192.168.0.2:500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); REKEY in 27823s; REPLACE in 28773s; newest; idle;
000 #26: "private-or-clear#192.168.0.0/20"[8] ...192.168.0.2:500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in 27899s; REPLACE in 28773s; newest; eroute owner; IKE SA #24; idle;
000 #26: "private-or-clear#192.168.0.0/20"[8] ...192.168.0.2 [email protected] [email protected] Traffic: ESPin=256B ESPout=256B ESPmax=2^63B
000 #25: "private-or-clear#192.168.0.0/20"[9] ...192.168.0.2:500 STATE_V2_PARENT_R1 (sent IKE_SA_INIT (or IKE_INTERMEDIATE) response); DISCARD in 172s; idle;
000 #27: "private-or-clear-2#192.168.0.0/20"[6] ...192.168.0.2:500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); REKEY in 28148s; REPLACE in 28790s; newest; idle;
000 #28: "private-or-clear-2#192.168.0.0/20"[6] ...192.168.0.2:500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in 27943s; REPLACE in 28790s; newest; eroute owner; IKE SA #27; idle;
000 #28: "private-or-clear-2#192.168.0.0/20"[6] ...192.168.0.2 [email protected] [email protected] Traffic: ESPin=128B ESPout=128B ESPmax=2^63B
000 #29: "private-or-clear-2#192.168.0.0/20"[7] ...192.168.0.1:500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); REKEY in 28254s; REPLACE in 28794s; newest; idle;
000 #30: "private-or-clear-2#192.168.0.0/20"[7] ...192.168.0.1:500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in 28200s; REPLACE in 28794s; newest; eroute owner; IKE SA #29; idle;
000 #30: "private-or-clear-2#192.168.0.0/20"[7] ...192.168.0.1 [email protected] [email protected] Traffic: ESPin=128B ESPout=128B ESPmax=2^63B

From: Paul Wouters <[email protected]>
Date: Tuesday, August 29, 2023 at 4:17 PM
To: Mamta Gambhir <[email protected]>
Cc: [email protected] <[email protected]>
Subject: Re: [External] : Re: [Swan] Question on opportunistic ipsec for multiple interfaces on same subnet

On Tue, 29 Aug 2023, Mamta Gambhir wrote:

> I was hoping above should be working or will need changes too. I am using
> equivalent of libreswan 5.0.
>
> Though your suggestion of having multiple private (private/private2) sections
> will be most appropriate I wasn’t aware of that. Thank
> you. I am assuming I will need private2 policies file too.
>
> I am open to try and test the changes as needed in
> programs/pluto/foodgroups.c to make this work as our goal is to get above
> going.

Actually, looking at the code it seems the hardcoded names for foodgroups
have completely vanished. So I think you can do this:

conn private-or-clear
        authby=null
        leftid=%null
        rightid=%null
        left=192.168.0.1
        right=%opportunisticgroup
        negotiationshunt=passthrough
        failureshunt=passthrough
        ikev2=insist
        auto=route
        type=transport

conn private-or-clear-2
        authby=null
        leftid=%null
        rightid=%null
        left=192.168.0.2
        right=%opportunisticgroup
        negotiationshunt=passthrough
        failureshunt=passthrough
        ikev2=insist
        auto=route
        type=transport

# /etc/ipsec.d/policies/private-or-clear
192.168.0.0/24

# /etc/ipsec.d/policies/private-or-clear-2
192.168.0.0/24

Let me know if that works?

Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
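The status dump above is the evidence that the two-connection layout works: every (connection, peer) pair needs an established IKE SA, an established Child SA that is the "eroute owner", and ESP counters that move. Checking that by eye across several interfaces gets tedious, so here is a small parser for the `ipsec status` line format shown in the thread. This is an added example, not code from the thread or from libreswan; it only assumes the line shapes visible above (the `000 #N:` whack prefix, the quoted `conn#group[instance]` name, the `...peer:port` token, the `STATE_...` name followed by `;`-separated fields, and the `Traffic: ESPin=..B ESPout=..B` line). The sample input is copied from the thread, including the `[email protected]` tokens where the list archive obfuscated libreswan's `esp.<spi>@<ip>` fields; the parser does not depend on them. Besides confirming protection per peer, it surfaces non-established responder states such as the `STATE_V2_PARENT_R1` entry (#25): a half-open IKE SA that should expire on its DISCARD timer. One is normal; many that keep reappearing are worth looking at, since unauthenticated IKE_SA_INIT exchanges are cheap for anyone on the subnet to generate.

```python
import re

# Constructed input: the `ipsec status` lines quoted in the thread above.
SAMPLE_STATUS = """\
000 #21: "private-or-clear#192.168.0.0/20"[7] ...192.168.0.1:500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); REKEY in 28490s; REPLACE in 28760s; newest; idle;
000 #23: "private-or-clear#192.168.0.0/20"[7] ...192.168.0.1:500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in 28490s; REPLACE in 28760s; newest; eroute owner; IKE SA #21; idle;
000 #23: "private-or-clear#192.168.0.0/20"[7] ...192.168.0.1 [email protected] [email protected] Traffic: ESPin=0B ESPout=256B ESPmax=2^63B
000 #24: "private-or-clear#192.168.0.0/20"[8] ...192.168.0.2:500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); REKEY in 27823s; REPLACE in 28773s; newest; idle;
000 #26: "private-or-clear#192.168.0.0/20"[8] ...192.168.0.2:500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in 27899s; REPLACE in 28773s; newest; eroute owner; IKE SA #24; idle;
000 #26: "private-or-clear#192.168.0.0/20"[8] ...192.168.0.2 [email protected] [email protected] Traffic: ESPin=256B ESPout=256B ESPmax=2^63B
000 #25: "private-or-clear#192.168.0.0/20"[9] ...192.168.0.2:500 STATE_V2_PARENT_R1 (sent IKE_SA_INIT (or IKE_INTERMEDIATE) response); DISCARD in 172s; idle;
000 #27: "private-or-clear-2#192.168.0.0/20"[6] ...192.168.0.2:500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); REKEY in 28148s; REPLACE in 28790s; newest; idle;
000 #28: "private-or-clear-2#192.168.0.0/20"[6] ...192.168.0.2:500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in 27943s; REPLACE in 28790s; newest; eroute owner; IKE SA #27; idle;
000 #28: "private-or-clear-2#192.168.0.0/20"[6] ...192.168.0.2 [email protected] [email protected] Traffic: ESPin=128B ESPout=128B ESPmax=2^63B
000 #29: "private-or-clear-2#192.168.0.0/20"[7] ...192.168.0.1:500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); REKEY in 28254s; REPLACE in 28794s; newest; idle;
000 #30: "private-or-clear-2#192.168.0.0/20"[7] ...192.168.0.1:500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in 28200s; REPLACE in 28794s; newest; eroute owner; IKE SA #29; idle;
000 #30: "private-or-clear-2#192.168.0.0/20"[7] ...192.168.0.1 [email protected] [email protected] Traffic: ESPin=128B ESPout=128B ESPmax=2^63B
"""

# Line prefix: state number, quoted "conn#group"[instance], "...peer[:port]", then the rest.
STATE_RE = re.compile(
    r'^000 #(?P<num>\d+): "(?P<conn>[^"#]+)(?:#(?P<group>[^"]+))?"(?:\[(?P<inst>\d+)\])?'
    r' \.\.\.(?P<peer>[0-9.]+)(?::(?P<port>\d+))? (?P<rest>.*)$'
)
TIMER_RE = re.compile(r'\b(REKEY|REPLACE|DISCARD) in (\d+)s')
IKE_PARENT_RE = re.compile(r'IKE SA #(\d+)')
TRAFFIC_RE = re.compile(r'ESP(in|out)=(\d+)B')


def parse_status(text):
    """Parse `ipsec status` state lines into one record per state number.

    The separate Traffic: line for a Child SA is merged into that SA's record."""
    states = {}
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if not m:
            continue
        num = int(m['num'])
        entry = states.setdefault(num, {
            'num': num, 'conn': m['conn'], 'group': m['group'],
            'instance': int(m['inst']) if m['inst'] else None,
            'peer': m['peer'], 'state': None, 'timers': {}, 'ike_sa': None,
            'eroute_owner': False, 'esp_in': None, 'esp_out': None,
        })
        rest = m['rest']
        if rest.startswith('STATE_'):
            entry['state'] = rest.split(' ', 1)[0]
            for name, secs in TIMER_RE.findall(rest):
                entry['timers'][name] = int(secs)
            parent = IKE_PARENT_RE.search(rest)
            if parent:
                entry['ike_sa'] = int(parent.group(1))
            entry['eroute_owner'] = 'eroute owner' in rest
        elif 'Traffic:' in rest:
            for direction, nbytes in TRAFFIC_RE.findall(rest):
                entry['esp_' + direction] = int(nbytes)
    return list(states.values())


def summarize(states):
    """Group records by (conn, peer): established IKE SA? Child SA owning the
    eroute? ESP byte counts, and any half-open (non-established) IKE SAs."""
    summary = {}
    for s in states:
        rec = summary.setdefault((s['conn'], s['peer']), {
            'ike_established': False, 'child_established': False,
            'esp_in': 0, 'esp_out': 0, 'half_open': [],
        })
        if s['state'] == 'STATE_V2_ESTABLISHED_IKE_SA':
            rec['ike_established'] = True
        elif s['state'] == 'STATE_V2_ESTABLISHED_CHILD_SA':
            rec['child_established'] = rec['child_established'] or s['eroute_owner']
            rec['esp_in'] += s['esp_in'] or 0
            rec['esp_out'] += s['esp_out'] or 0
        elif s['state'] is not None:
            # Responder-side states still waiting for IKE_AUTH; DISCARD is when pluto drops them.
            rec['half_open'].append((s['num'], s['state'], s['timers'].get('DISCARD')))
    return summary


def protected_peers(summary):
    """(conn, peer) pairs that have both an IKE SA and an eroute-owning Child SA."""
    return sorted(k for k, r in summary.items()
                  if r['ike_established'] and r['child_established'])


if __name__ == '__main__':
    for (conn, peer), rec in sorted(summarize(parse_status(SAMPLE_STATUS)).items()):
        ok = rec['ike_established'] and rec['child_established']
        print(f"{'OK ' if ok else '!! '}{conn} <-> {peer}: ESPin={rec['esp_in']}B "
              f"ESPout={rec['esp_out']}B half-open={rec['half_open']}")
```

Run against live output with `ipsec status | python3 check_oe.py` after replacing `SAMPLE_STATUS` with `sys.stdin.read()`; a pair printed with `!!` is one where traffic may be falling through the `passthrough` shunts in the clear rather than over ESP, which is exactly the condition the private-or-clear policy is meant to make visible.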
