---------- Forwarded message ----------
From: Mircea Troaca <mircea.tro...@net.ase.ro>
Date: 2018-04-12 18:56 GMT+03:00
Subject: Re: [Swan] Overlapping IP ranges
To: Paul Wouters <p...@nohats.ca>

I tried with overlapip=yes. When I add that to my connection, clients can connect well, but I get the same error: overlaps with connection bla bla bla. After I added mark=-1/0xffffffff, clients can't connect anymore.

2018-04-12 17:09 GMT+03:00 Paul Wouters <p...@nohats.ca>:
> On Wed, 11 Apr 2018, Mircea Troaca wrote:
>
>> libreswan + xl2tpd + a freeradius server. The problem occurs when two
>> clients from different networks with the same network (192.168.0.x) try to
>> access the server.
>>
>> Client A: 192.168.0.101
>> -> he is the first who connects, and it is successful.
>>
>> Client B: 192.168.0.101 (from a different network, different location,
>> using a router that gives 192.168.0.x)
>> -> Virtual IP 192.168.0.101/32 overlaps with connection
>> "L2TP-PSK-NAT"[11] xxx.xxx.xxx.xxx (kind=CK_INSTANCE) 'xxx.xxx.xxx.xxx'
>> -> Kernel method 'netkey' does not support overlapping IP ranges
>
> This should work, if you use marking to make each IPsec SA unique.
>
> Try adding this to your connection:
>
> overlapip=yes
> mark=-1/0xffffffff
>
> Paul
>
>> and the tunnel is not established...
>>
>> here is my config of ipsec.conf
>>
>> config setup
>>     virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.150.0.0/24,%v4:!10.150.1.0/24
>>     protostack=netkey
>>     plutostderrlog=/var/log/ipsec.log
>>     interfaces=%defaultroute
>>     uniqueids=no
>>
>> include /etc/ipsec.d/l2tp-psk.conf
>>
>> and here is the config of l2tp-psk.conf
>>
>> conn L2TP-PSK-NAT
>>     rightsubnet=vhost:%priv
>>     also=L2TP-PSK-noNAT
>>     ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512
>>     phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512
>>     sha2-truncbug=yes
>>
>> conn L2TP-PSK-noNAT
>>     # Use a Preshared Key. Disable Perfect Forward Secrecy.
>>     authby=secret
>>     pfs=no
>>     auto=add
>>     keyingtries=3
>>     # we cannot rekey for %any, let client rekey
>>     rekey=no
>>     # Apple iOS doesn't send delete notify so we need dead peer detection
>>     # to detect vanishing clients
>>     dpddelay=10
>>     dpdtimeout=90
>>     dpdaction=clear
>>     # Set ikelifetime and keylife to same defaults windows has
>>     ikelifetime=8h
>>     keylife=1h
>>     # l2tp-over-ipsec is transport mode
>>     type=transport
>>     #
>>     # left will be filled in automatically with the local address of
>>     # the default-route interface (as determined at IPsec startup time).
>>     left=%defaultroute
>>     #
>>     # For updated Windows 2000/XP clients,
>>     # to support old clients as well, use leftprotoport=17/%any
>>     leftprotoport=17/1701
>>     #
>>     # The remote user.
>>     #
>>     right=%any
>>     # Using the magic port of "%any" means "any one single port". This is
>>     # a work around required for Apple OSX clients that use a randomly
>>     # high port.
>>     rightprotoport=17/%any
>>
>> Thank you in advance!
_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
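As an added illustration of the reasoning in Paul's reply (this is example code, not libreswan's own), the model below replays the overlap decision for two road-warrior clients that both claim 192.168.0.101/32: without overlapip the second is refused, with overlapip but no mark the kernel still cannot tell the SAs apart, and with a distinct mark per SA both are admitted. The peer addresses are constructed, and the reading of mark=-1 as "allocate a fresh unique mark for this SA" is an assumption about what the suggested setting asks for.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional


@dataclass
class Sa:
    peer: str                   # client's public (post-NAT) address, constructed
    virtual_ip: str             # inner address the client claims, e.g. "192.168.0.101/32"
    mark: Optional[int] = None  # XFRM mark for this SA, None when no mark= is configured


class SaTable:
    """Model of the virtual-IP overlap check for road-warrior SAs (added example)."""

    def __init__(self, overlapip: bool, mark: Optional[str] = None) -> None:
        self.overlapip = overlapip   # the overlapip= setting from the thread
        self.mark_spec = mark        # e.g. "-1/0xffffffff", value/mask as in ipsec.conf
        self.active: list[Sa] = []
        self._next_mark = 1

    def _assign_mark(self) -> Optional[int]:
        """Assumption: a value of -1 means 'pick a fresh unique mark for this SA'."""
        if self.mark_spec is None:
            return None
        value, _, mask = self.mark_spec.partition("/")
        mask_int = int(mask, 0) if mask else 0xFFFFFFFF
        if int(value, 0) == -1:
            self._next_mark += 1
            return (self._next_mark - 1) & mask_int
        return int(value, 0) & mask_int

    def admit(self, peer: str, virtual_ip: str) -> tuple[bool, str]:
        """Decide whether a new client SA may be installed beside the active ones."""
        new = Sa(peer, virtual_ip, self._assign_mark())
        for sa in self.active:
            # Same peer re-keying, or no address overlap: nothing to resolve.
            if sa.peer == peer or not ip_network(virtual_ip).overlaps(ip_network(sa.virtual_ip)):
                continue
            if not self.overlapip:
                return False, f"Virtual IP {virtual_ip} overlaps with connection to {sa.peer}"
            if new.mark is None or new.mark == sa.mark:
                # Without a distinct mark the kernel cannot tell the two SAs apart.
                return False, "overlapping virtual IPs need a distinct mark per SA"
        self.active.append(new)
        return True, f"admitted {peer} as {virtual_ip} with mark {new.mark}"
```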