On Wed, 11 Apr 2018, Mircea Troaca wrote:

libreswan + xl2tpd + a freeradius server. The problem occurs when two clients 
from different networks with the same network (192.168.0.x) try to access the 
server.

Client A: 192.168.0.101
     -> he is the first who connects and it is successful.

Client B: 192.168.0.101 (from different network, different location, using a 
router that gives 192.168.0.x)
     -> Virtual IP 192.168.0.101/32 overlaps with connection "L2TP-PSK-NAT"[11] xxx.xxx.xxx.xxx (kind=CK_INSTANCE) 'xxx.xxx.xxx.xxx'
     -> Kernel method 'netkey' does not support overlapping IP ranges

This should work, if you use marking to make each IPsec SA unique.

Try adding this to your connection:

        overlapip=yes
        mark=-1/0xffffffff

Paul

and the tunnel is not established...


here is my config of ipsec.conf

config setup
  virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.150.0.0/24,%v4:!10.150.1.0/24
  protostack=netkey
  plutostderrlog=/var/log/ipsec.log
  interfaces=%defaultroute
  uniqueids=no

include /etc/ipsec.d/l2tp-psk.conf


and here is the config of l2tp-psk.conf

conn L2TP-PSK-NAT
        rightsubnet=vhost:%priv
        also=L2TP-PSK-noNAT
        ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512
        phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512
        sha2-truncbug=yes

conn L2TP-PSK-noNAT
        # Use a Preshared Key. Disable Perfect Forward Secrecy.
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        # we cannot rekey for %any, let client rekey
        rekey=no
        # Apple iOS doesn't send delete notify so we need dead peer detection
        # to detect vanishing clients
        dpddelay=10
        dpdtimeout=90
        dpdaction=clear
        # Set ikelifetime and keylife to same defaults windows has
        ikelifetime=8h
        keylife=1h
        # l2tp-over-ipsec is transport mode
        type=transport
        #
        # left will be filled in automatically with the local address of the
        # default-route interface (as determined at IPsec startup time).
        left=%defaultroute
        #
        # For updated Windows 2000/XP clients,
        # to support old clients as well, use leftprotoport=17/%any
        leftprotoport=17/1701
        #
        # The remote user.
        #
        right=%any
        # Using the magic port of "%any" means "any one single port". This is
        # a work around required for Apple OSX clients that use a randomly
        # high port.
        rightprotoport=17/%any


Thank you in advance!


_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
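Editor's note, not part of either message above: the l2tp-psk.conf that was posted contains neither of the two settings Paul suggested, so it is worth showing where they would go. Because L2TP-PSK-NAT pulls in L2TP-PSK-noNAT through also=, placing them in L2TP-PSK-noNAT applies them to both the NAT and the non-NAT case. The block below is an added example built from the poster's own conn and Paul's two lines; the comments explaining mark=-1/0xffffffff follow the ipsec.conf(5) description of the mark keyword as I understand it (-1 asks libreswan to pick the mark value itself, the mask selects the full 32-bit mark field) and are not a claim from the thread that this resolves the reported failure.

```ini
# /etc/ipsec.d/l2tp-psk.conf  (added example, assembled from the posted conn
# plus the two settings suggested in the reply)

conn L2TP-PSK-NAT
        rightsubnet=vhost:%priv
        also=L2TP-PSK-noNAT
        ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512
        phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512
        sha2-truncbug=yes

conn L2TP-PSK-noNAT
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        rekey=no
        dpddelay=10
        dpdtimeout=90
        dpdaction=clear
        ikelifetime=8h
        keylife=1h
        type=transport
        left=%defaultroute
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any
        # Suggested in the reply: permit two clients that both present the
        # same private address (here 192.168.0.101) from behind different NATs.
        overlapip=yes
        # Suggested in the reply: give every IPsec SA its own XFRM mark so the
        # netkey stack can tell the overlapping selectors apart.
        # -1   = let libreswan allocate a distinct mark per SA (per ipsec.conf(5))
        # mask = 0xffffffff, i.e. compare the whole 32-bit mark
        mark=-1/0xffffffff
```

After reloading the configuration, the check that tells you whether marking is actually in effect is the kernel, not the log: `ip xfrm policy` and `ip xfrm state` print a `mark 0x.../0xffffffff` line on each policy and SA that carries one, and two clients that both claim 192.168.0.101 should appear with different mark values. If the entries show no mark at all, the settings did not reach the instantiated connection (for example because they were added to a conn that the client is not matching), which is also what you would expect to see with the configuration exactly as posted.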
