Hello guys, I am new to libreswan and I am trying to make a vpn server for production. Everything is working like a charm on a Debian 9 (kernel 4.9.0). Users connect to the vpn server via ipsec by libreswan + xl2tpd + a freeradius server. The problem occurs when two clients from different networks with the same network (192.168.0.x) try to access the server.
Client A: 192.168.0.101 -> he is the first to connect and it is successful.

Client B: 192.168.0.101 (from a different network, different location, using a router that gives 192.168.0.x) ->

Virtual IP 192.168.0.101/32 overlaps with connection "L2TP-PSK-NAT"[11] xxx.xxx.xxx.xxx (kind=CK_INSTANCE) 'xxx.xxx.xxx.xxx' -> Kernel method 'netkey' does not support overlapping IP ranges

and the tunnel is not established...

Here is my config of ipsec.conf:

config setup
    virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.150.0.0/24,%v4:!10.150.1.0/24
    protostack=netkey
    plutostderrlog=/var/log/ipsec.log
    interfaces=%defaultroute
    uniqueids=no

include /etc/ipsec.d/l2tp-psk.conf

And here is the config of l2tp-psk.conf:

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT
    ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512
    phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512
    sha2-truncbug=yes

conn L2TP-PSK-noNAT
    # Use a Preshared Key. Disable Perfect Forward Secrecy.
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    # we cannot rekey for %any, let client rekey
    rekey=no
    # Apple iOS doesn't send delete notify so we need dead peer detection
    # to detect vanishing clients
    dpddelay=10
    dpdtimeout=90
    dpdaction=clear
    # Set ikelifetime and keylife to same defaults windows has
    ikelifetime=8h
    keylife=1h
    # l2tp-over-ipsec is transport mode
    type=transport
    #
    # left will be filled in automatically with the local address of the default-route interface (as determined at IPsec startup time).
    left=%defaultroute
    #
    # For updated Windows 2000/XP clients,
    # to support old clients as well, use leftprotoport=17/%any
    leftprotoport=17/1701
    #
    # The remote user.
    #
    right=%any
    # Using the magic port of "%any" means "any one single port". This is
    # a work around required for Apple OSX clients that use a randomly
    # high port.
    rightprotoport=17/%any

Thank you in advance!
_______________________________________________ Swan mailing list Swan@lists.libreswan.org https://lists.libreswan.org/mailman/listinfo/swan
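The failure above is a policy collision, not a cryptographic one: with rightsubnet=vhost:%priv each road warrior's inner address becomes a /32 virtual IP, and a second client presenting the same RFC 1918 address cannot be given its own policy on the netkey stack. The following is an added example (not code from the original post or from libreswan) that models that check so an operator can triage it from the logs: it parses the poster's virtual-private= value, decides whether a client's inner address is even eligible as a virtual IP, detects whether a new /32 would overlap an instance that is already up, and extracts the rejected and surviving peers from pluto log lines. The log lines are constructed from the error text quoted above; the TEST-NET peer addresses stand in for the xxx.xxx.xxx.xxx placeholders and the `"conn"[N] peer #state:` prefix is assumed, so adjust the regex if your syslog format differs.

```python
"""Triage helpers for libreswan's 'overlapping IP ranges' rejection.

Added example, not part of the original post or of libreswan itself.
Assumptions: virtual-private= is the poster's value; the sample log lines are
constructed from the quoted error, with TEST-NET peers instead of xxx.xxx.xxx.xxx.
"""
import ipaddress
import re

# The poster's virtual-private= value, verbatim from ipsec.conf.
VIRTUAL_PRIVATE = ("%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,"
                   "%v4:!10.150.0.0/24,%v4:!10.150.1.0/24")

# Constructed sample log: two road warriors behind different NATs both present
# inner address 192.168.0.101; instance [11] is up, instance [12] is rejected.
SAMPLE_LOG = """\
"L2TP-PSK-NAT"[11] 203.0.113.7 #1: STATE_QUICK_R2: IPsec SA established transport mode
"L2TP-PSK-NAT"[12] 198.51.100.9 #2: Virtual IP 192.168.0.101/32 overlaps with connection "L2TP-PSK-NAT"[11] 203.0.113.7 (kind=CK_INSTANCE) '203.0.113.7'
"L2TP-PSK-NAT"[12] 198.51.100.9 #2: Kernel method 'netkey' does not support overlapping IP ranges
"""

# Assumed pluto line shape: "<conn>"[<inst>] <peer> #<state>: <message>
OVERLAP_RE = re.compile(
    r'"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>\S+) #\d+: '
    r'Virtual IP (?P<vip>\S+) overlaps with connection '
    r'"(?P<other_conn>[^"]+)"\[(?P<other_inst>\d+)\] (?P<other_peer>\S+)')


def parse_virtual_private(spec):
    """Split a virtual-private= value into (allowed, excluded) network lists.

    Entries look like '%v4:NET' or '%v4:!NET'; the '!' form carves a range out
    of the allowed space (here the server's own 10.150.x.0/24 networks).
    """
    allowed, excluded = [], []
    for token in spec.split(","):
        token = token.strip()
        if not token.startswith("%v4:"):
            continue  # this example only handles the IPv4 form
        net = token[len("%v4:"):]
        if net.startswith("!"):
            excluded.append(ipaddress.ip_network(net[1:], strict=False))
        else:
            allowed.append(ipaddress.ip_network(net, strict=False))
    return allowed, excluded


def vip_permitted(vip, allowed, excluded):
    """True if an inner address is eligible as a vhost:%priv virtual IP."""
    addr = ipaddress.ip_address(vip)
    if any(addr in net for net in excluded):
        return False
    return any(addr in net for net in allowed)


def find_overlap(active, new_vip):
    """Return the instance whose installed virtual IP overlaps new_vip, or None.

    `active` maps connection-instance number -> virtual IP prefix already up.
    Two identical /32s overlap, which is exactly the poster's situation.
    """
    new_net = ipaddress.ip_network(new_vip, strict=False)
    for inst, vip in active.items():
        if ipaddress.ip_network(vip, strict=False).overlaps(new_net):
            return inst
    return None


def parse_overlap_errors(log_text):
    """Extract rejected instance, its peer, the virtual IP, and the winner."""
    hits = []
    for line in log_text.splitlines():
        m = OVERLAP_RE.search(line)
        if m:
            hit = m.groupdict()
            hit["inst"] = int(hit["inst"])
            hit["other_inst"] = int(hit["other_inst"])
            hits.append(hit)
    return hits


def colliding_peers(log_text):
    """Group the public addresses of rejected peers by the inner IP they lost on."""
    by_vip = {}
    for hit in parse_overlap_errors(log_text):
        by_vip.setdefault(hit["vip"], []).append(hit["peer"])
    return by_vip


if __name__ == "__main__":
    allowed, excluded = parse_virtual_private(VIRTUAL_PRIVATE)
    print("192.168.0.101 eligible:", vip_permitted("192.168.0.101", allowed, excluded))
    print("overlaps instance:", find_overlap({11: "192.168.0.101/32"}, "192.168.0.101/32"))
    print("rejected peers by inner IP:", colliding_peers(SAMPLE_LOG))
```

Running `colliding_peers` over a day of logs shows how often the collision actually happens and which sites are affected, which is the evidence you want before deciding between changing the kernel stack or moving clients off the shared 192.168.0.0/24 range.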