On Wed, 11 Apr 2018, Mircea Troaca wrote:
> libreswan + xl2tpd + a freeradius server. The problem occurs when two clients
> from different networks with the same network (192.168.0.x) try to access the
> server.
> Client A: 192.168.0.101
> -> he is the first who connects and it is successful.
> Client B: 192.168.0.101 (from different network, different location, using a
> router that gives 192.168.0.x)
> -> Virtual IP 192.168.0.101/32 overlaps with connection "L2TP-PSK-NAT"[11]
> xxx.xxx.xxx.xxx (kind=CK_INSTANCE) 'xxx.xxx.xxx.xxx'
> -> Kernel method 'netkey' does not support overlapping IP ranges
This should work, if you use marking to make each IPsec SA unique.
Try adding this to your connection:
    overlapip=yes
    mark=-1/0xffffffff
Paul
> and the tunnel is not established...
> here is my config of ipsec.conf
> config setup
>     virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.150.0.0/24,%v4:!10.150.1.0/24
>     protostack=netkey
>     plutostderrlog=/var/log/ipsec.log
>     interfaces=%defaultroute
>     uniqueids=no
> include /etc/ipsec.d/l2tp-psk.conf
> and here is the config of l2tp-psk.conf
> conn L2TP-PSK-NAT
>     rightsubnet=vhost:%priv
>     also=L2TP-PSK-noNAT
>     ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512
>     phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512
>     sha2-truncbug=yes
> conn L2TP-PSK-noNAT
>     # Use a Preshared Key. Disable Perfect Forward Secrecy.
>     authby=secret
>     pfs=no
>     auto=add
>     keyingtries=3
>     # we cannot rekey for %any, let client rekey
>     rekey=no
>     # Apple iOS doesn't send delete notify so we need dead peer detection
>     # to detect vanishing clients
>     dpddelay=10
>     dpdtimeout=90
>     dpdaction=clear
>     # Set ikelifetime and keylife to same defaults windows has
>     ikelifetime=8h
>     keylife=1h
>     # l2tp-over-ipsec is transport mode
>     type=transport
>     #
>     # left will be filled in automatically with the local address of the
>     # default-route interface (as determined at IPsec startup time).
>     left=%defaultroute
>     #
>     # For updated Windows 2000/XP clients,
>     # to support old clients as well, use leftprotoport=17/%any
>     leftprotoport=17/1701
>     #
>     # The remote user.
>     #
>     right=%any
>     # Using the magic port of "%any" means "any one single port". This is
>     # a work around required for Apple OSX clients that use a randomly
>     # high port.
>     rightprotoport=17/%any
> Thank you in advance!
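As an added example (not code from the thread or from libreswan), here is a small Python lint that reads an ipsec.conf in libreswan's column-0-header / indented-parameter layout, flattens `also=` inheritance (simplified: the conn's own keys win over the included section's), and reports whether each roaming-client conn (`rightsubnet=vhost:...`) on `protostack=netkey` carries the `overlapip=yes` and `mark=` that Paul suggests. The sample config is constructed to mirror the poster's layout, not their real file.

```python
# Constructed sample mirroring the thread's ipsec.conf + l2tp-psk.conf layout
# (not the poster's real file): the NAT conn inherits from noNAT via also=.
SAMPLE_CONF = """\
config setup
    protostack=netkey

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    type=transport
"""

def parse_ipsec_conf(text):
    """Return {section header: {key: value}}; headers start in column 0."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments and trailing space
        if not line.strip():
            continue
        if not raw[0].isspace():               # column 0: new section or include
            if line.startswith("include"):
                continue
            current = line.strip()
            sections.setdefault(current, {})
        elif current is not None:
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    return sections

def resolve(sections, name):
    """Flatten also= inheritance (simplified: the conn's own keys win)."""
    own, merged = sections[name], {}
    for parent in filter(None, own.get("also", "").split(",")):
        merged.update(resolve(sections, "conn " + parent.strip()))
    merged.update(own)
    return merged

def check_overlap_ready(text):
    """Per roaming-client conn on netkey: True if overlapip=yes and a mark=
    are set, so identical client IPs behind different NATs get distinct SAs."""
    sections = parse_ipsec_conf(text)
    netkey = sections.get("config setup", {}).get("protostack") == "netkey"
    findings = {}
    for header in sections:
        if header.startswith("conn "):
            conn = resolve(sections, header)
            if netkey and conn.get("rightsubnet", "").startswith("vhost:"):
                findings[header[5:]] = conn.get("overlapip") == "yes" and "mark" in conn
    return findings
```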
_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan