Dear Paul,

Thank you for the fast reply. I will clarify my question.

I was able to configure Host-To-Host for the interface eth0 without any problem. Also, I was able to create a new pair of certificates for the interface eth1 and configure it using the following commands:

  ipsec newhostkey --configdir /etc/ipsec.d --output /etc/ipsec.d/site2.secrets
  ipsec showhostkey --left
  ipsec showhostkey --right

You can see the configuration below. I can add the channel, but when I try to "up" it I see the following error: "multiple ipsec.secrets entries with distinct secrets match endpoints: first secret used". See the error output below. Finally, the tunnel cannot be started.

How can I resolve the problem and configure 2 tunnels that connect the same servers? Thank you for your help in advance!

The configuration:

conn ha_eth1
    [email protected]
    left=172.17.0.1
    # rsakey AQPe4BcQY
    leftrsasigkey=0…UQ==
    [email protected]
    right=172.17.0.2
    # rsakey AQPRLsAVt
    rightrsasigkey=0…szi3
    authby=rsasig
    ike=aes256-sha2_256;modp2048
    phase2alg=aes256-sha2_256;modp2048
    sha2_truncbug=yes
    # load and initiate automatically
    auto=start

The error output:

[root@ ipsec.d]# ipsec auto --add "ha_eth1"
002 "ha_eth1": deleting connection
002 "ha_eth1" #9: deleting state (STATE_MAIN_I3)
002 "ha_eth1" #10: deleting state (STATE_MAIN_R2)
002 added connection description "ha_eth1"
[root@ ipsec.d]# ipsec auto --up "ha_eth1"
002 "ha_eth1" #11: initiating Main Mode
104 "ha_eth1" #11: STATE_MAIN_I1: initiate
003 "ha_eth1" #11: received Vendor ID payload [Dead Peer Detection]
003 "ha_eth1" #11: received Vendor ID payload [FRAGMENTATION]
003 "ha_eth1" #11: received Vendor ID payload [RFC 3947]
002 "ha_eth1" #11: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
002 "ha_eth1" #11: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "ha_eth1" #11: STATE_MAIN_I2: sent MI2, expecting MR2
003 "ha_eth1" #11: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected
003 "ha_eth1" #11: multiple ipsec.secrets entries with distinct secrets match endpoints: first secret used
002 "ha_eth1" #11: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "ha_eth1" #11: STATE_MAIN_I3: sent MI3, expecting MR3
003 "ha_eth1" #11: ignoring informational payload INVALID_KEY_INFORMATION, msgid=00000000, length=12
003 "ha_eth1" #11: received and ignored informational message
003 "ha_eth1" #11: discarding duplicate packet; already STATE_MAIN_I3
010 "ha_eth1" #11: STATE_MAIN_I3: retransmission; will wait 10s for response
003 "ha_eth1" #11: ignoring informational payload INVALID_KEY_INFORMATION, msgid=00000000, length=12
003 "ha_eth1" #11: received and ignored informational message
003 "ha_eth1" #11: discarding duplicate packet; already STATE_MAIN_I3
010 "ha_eth1" #11: STATE_MAIN_I3: retransmission; will wait 20s for response
003 "ha_eth1" #11: ignoring informational payload INVALID_KEY_INFORMATION, msgid=00000000, length=12
003 "ha_eth1" #11: received and ignored informational message
031 "ha_eth1" #11: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message
000 "ha_eth1" #11: starting keying attempt 2 of an unlimited number, but releasing whack

> Date: Mon, 16 May 2016 15:59:38 -0400
> From: [email protected]
> To: [email protected]
> CC: [email protected]
> Subject: Re: [Swan] Host-To-Host VPN with multiply interfaces
> 
> On Mon, 16 May 2016, Michael Furman wrote:
> 
> > My question how to configure leftrsasigkey and rightrsasigkey.
> 
> You can see an example in the wiki at:
> 
> https://libreswan.org/wiki/Host_to_host_VPN
> 
> > But how can I configure what file to take (site1.secrets or site2.secrets) 
> > in the following command?
> 
> libreswan loads all /etc/ipsec.d/*.secrets files automatically (via an
> include statement in /etc/ipsec.secrets). See the above wiki page on
> how to configure these public keys into a *.conf file.
> 
> Please note that libreswan-3.17 has a bug when generating raw keys,
> please use 3.16 for now if generating new rsa keys.
> 
> Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
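The "multiple ipsec.secrets entries ... match endpoints" line in the output above, together with Paul's note that every /etc/ipsec.d/*.secrets file is loaded, is the situation the following check is meant for. It is an added example, not code from the thread or from libreswan: it lists the selector of each RSA entry across a directory of *.secrets files and reports overlaps, assuming the ipsec.secrets(5) layout in which an entry begins on a "<selectors> : RSA ..." line and an entry with no selectors matches any host; the file names and key placeholders in make_sample_secrets are constructed.

```shell
#!/bin/sh
# Added example (not code from the thread or from libreswan): libreswan reads
# every /etc/ipsec.d/*.secrets file, so this lists the selector of each RSA
# entry across such a directory and reports selectors that overlap.  It
# assumes the ipsec.secrets(5) layout, where an entry begins on a line of the
# form "<selectors> : RSA ..." and an entry with no selectors matches any host.

# Print "<selector><TAB><file>" for each RSA entry; an empty selector list is
# shown as "<any>".  Comments ("# ...") are stripped before matching.
list_rsa_selectors() {
    for f in "$1"/*.secrets; do
        [ -f "$f" ] || continue
        sed 's/#.*//' "$f" | grep -E '^[^:]*:[[:space:]]*RSA' |
        while IFS= read -r line; do
            sel=$(printf '%s' "$line" | sed 's/[[:space:]]*:.*//; s/^[[:space:]]*//')
            printf '%s\t%s\n' "${sel:-<any>}" "$f"
        done
    done
}

# Return 0 when every RSA entry has its own selector; return 1 and print the
# entries when two share a selector or a selector-less entry sits beside
# others, which is what pluto reports as "multiple ipsec.secrets entries with
# distinct secrets match endpoints: first secret used".
check_secrets_overlap() {
    entries=$(list_rsa_selectors "$1")
    total=$(printf '%s\n' "$entries" | grep -c . || true)
    anys=$(printf '%s\n' "$entries" | cut -f1 | grep -cx '<any>' || true)
    dups=$(printf '%s\n' "$entries" | cut -f1 | sort | uniq -d)
    if [ -z "$dups" ] && { [ "$anys" -eq 0 ] || [ "$total" -le 1 ]; }; then
        return 0
    fi
    printf 'RSA secrets whose selectors overlap:\n'
    printf '%s\n' "$entries" | awk -F'\t' '{ print "  [" $1 "] in " $2 }'
    return 1
}

# Constructed fixture: two files shaped like the output of
# "ipsec newhostkey --output", both with an empty selector list; the key
# material is a placeholder.  Prints the directory path.
make_sample_secrets() {
    d=$(mktemp -d)
    printf ': RSA {\n\t# RSA 2048 bits\n\tModulus: 0xPLACEHOLDER1\n\t}\n' > "$d/site1.secrets"
    printf ': RSA {\n\t# RSA 2048 bits\n\tModulus: 0xPLACEHOLDER2\n\t}\n' > "$d/site2.secrets"
    printf '%s\n' "$d"
}

# Usage: d=$(make_sample_secrets); check_secrets_overlap "$d"; rm -rf "$d"
```

Giving each entry a distinct "@id" selector (the ID used as leftid/rightid in the matching conn) makes the check pass, since the two entries then no longer match the same endpoints.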
