On Thu, 12 Apr 2018, Mircea Troaca wrote:

Try the attached patch.

Paul

Date: Thu, 12 Apr 2018 12:00:48
From: Mircea Troaca <mircea.tro...@net.ase.ro>
To: swan@lists.libreswan.org
Subject: [Swan] Fwd:  Overlapping IP ranges


---------- Forwarded message ----------
From: Mircea Troaca <mircea.tro...@net.ase.ro>
Date: 2018-04-12 18:56 GMT+03:00
Subject: Re: [Swan] Overlapping IP ranges
To: Paul Wouters <p...@nohats.ca>


I tried with overlapip=yes. When I add that to my connection, clients can
connect well, but the same error, "overlaps with connection bla bla bla...",
remains. After I added mark=-1/0xffffffff, clients can't connect anymore.

2018-04-12 17:09 GMT+03:00 Paul Wouters <p...@nohats.ca>:
      On Wed, 11 Apr 2018, Mircea Troaca wrote:

            libreswan + xl2tpd + a freeradius server. The problem occurs when
            two clients from different networks with the same network
            (192.168.0.x) try to access the server.

            Client A: 192.168.0.101
                 -> he is the first to connect and it is successful.

            Client B: 192.168.0.101 (from a different network, a different
            location, using a router that gives 192.168.0.x)
                 -> Virtual IP 192.168.0.101/32 overlaps with connection
                    "L2TP-PSK-NAT"[11] xxx.xxx.xxx.xxx (kind=CK_INSTANCE) 'xxx.xxx.xxx.xxx'
                 -> Kernel method 'netkey' does not support overlapping IP ranges


      This should work, if you use marking to make each IPsec SA unique.

      Try adding this to your connection:

              overlapip=yes
              mark=-1/0xffffffff

      Paul

            and the tunnel is not established...


            here is my config of ipsec.conf

            config setup
                    virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.150.0.0/24,%v4:!10.150.1.0/24
                    protostack=netkey
                    plutostderrlog=/var/log/ipsec.log
                    interfaces=%defaultroute
                    uniqueids=no

            include /etc/ipsec.d/l2tp-psk.conf


            and here is the config of l2tp-psk.conf

            conn L2TP-PSK-NAT
                    rightsubnet=vhost:%priv
                    also=L2TP-PSK-noNAT
                    ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512
                    phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512
                    sha2-truncbug=yes

            conn L2TP-PSK-noNAT
                    # Use a Preshared Key. Disable Perfect Forward Secrecy.
                    authby=secret
                    pfs=no
                    auto=add
                    keyingtries=3
                    # we cannot rekey for %any, let client rekey
                    rekey=no
                    # Apple iOS doesn't send delete notify so we need dead peer
                    # detection to detect vanishing clients
                    dpddelay=10
                    dpdtimeout=90
                    dpdaction=clear
                    # Set ikelifetime and keylife to same defaults windows has
                    ikelifetime=8h
                    keylife=1h
                    # l2tp-over-ipsec is transport mode
                    type=transport
                    #
                    # left will be filled in automatically with the local
                    # address of the default-route interface (as determined at IPsec startup time).
                    left=%defaultroute
                    #
                    # For updated Windows 2000/XP clients,
                    # to support old clients as well, use leftprotoport=17/%any
                    leftprotoport=17/1701
                    #
                    # The remote user.
                    #
                    right=%any
                    # Using the magic port of "%any" means "any one single
                    # port". This is a workaround required for Apple OSX
                    # clients that use a randomly high port.
                    rightprotoport=17/%any


            Thank you in advance!

diff --git a/programs/pluto/kernel_netlink.c b/programs/pluto/kernel_netlink.c
index 8e1ff2799..7d44e1516 100644
--- a/programs/pluto/kernel_netlink.c
+++ b/programs/pluto/kernel_netlink.c
@@ -2992,7 +2992,7 @@ const struct kernel_ops netkey_kernel_ops = {
         * if netlink  specific changes are needed.
         */
        .remove_orphaned_holds = NULL, /* only used for klips /proc scanner */
-       .overlap_supported = FALSE,
+       .overlap_supported = TRUE,
        .sha2_truncbug_support = TRUE,
        .v6holes = netlink_v6holes,
 };
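Review bot: setting `.overlap_supported = TRUE` declares that the netkey backend can install overlapping IP ranges, but nothing else in the hunk changes how such SAs are kept apart, so the flag is only safe when each connection instance carries its own mark (the `overlapip=yes` plus `mark=-1/0xffffffff` advice earlier in this thread). Please record that precondition next to the flag, for example `.overlap_supported = TRUE, /* needs overlapip=yes and a per-SA mark= */`, so a reader does not take the bare TRUE to mean the kernel resolves the overlap on its own; the neighbouring `.remove_orphaned_holds` line shows this table already uses inline notes of that kind.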
_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
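A configuration check and log triage for the failure discussed in this thread, added here as an example that is not part of the thread or of libreswan's code: it parses an ipsec.conf in the syntax shown above, flags road-warrior conns that accept virtual private client addresses (right=%any with rightsubnet=vhost:...) but lack the overlapip=yes and mark= settings Paul suggested, and extracts the two rejection messages quoted above from pluto log lines. Its handling of also= (the referencing conn's own keys win) and the pairing of the "Kernel method" line with the preceding "overlaps with connection" line are assumptions; the sample config and log lines are constructed, with RFC 5737 documentation addresses in place of the real peers.

```python
"""Lint an ipsec.conf for road-warrior conns whose clients can collide on the
same virtual IP, and pick pluto's overlap rejections out of a log.

Added example for this thread, not libreswan code.  It assumes only the
ipsec.conf syntax seen in the thread and the two log messages quoted there.
"""
import re
from typing import Dict, List

Section = Dict[str, str]
SECTION_RE = re.compile(r"^\s*(conn|config)\s+(\S+)\s*$")
OVERLAP_RE = re.compile(r'Virtual IP (?P<vip>\S+) overlaps with connection '
                        r'"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>\S+)')
KERNEL_RE = re.compile(r"Kernel method '(?P<stack>\w+)' does not support overlapping IP ranges")


def parse_ipsec_conf(text: str) -> Dict[str, Section]:
    """Return {section: {key: value}}; 'config setup' is stored as 'setup'."""
    sections: Dict[str, Section] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        m = SECTION_RE.match(line)
        if m:
            current = m.group(2)
            sections.setdefault(current, {})
        elif current is not None and "=" in line:     # include lines etc. are skipped
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def resolve(sections: Dict[str, Section], name: str, seen=None) -> Section:
    """Flatten also= chaining.  Assumption: the referencing conn's own keys win
    (the thread's config has no conflicting keys, so either rule agrees)."""
    seen = seen or set()
    if name in seen or name not in sections:
        return {}
    seen.add(name)
    own = dict(sections[name])
    merged = resolve(sections, own.pop("also"), seen) if "also" in own else {}
    merged.update(own)
    return merged


def overlap_risks(sections: Dict[str, Section]) -> List[str]:
    """Flag conns that accept any peer with a virtual private address but lack
    the two settings the thread names for telling identical client addresses
    apart: overlapip=yes and a per-SA mark=."""
    findings = []
    for name in sections:
        conn = resolve(sections, name)
        if conn.get("right") != "%any" or not conn.get("rightsubnet", "").startswith("vhost:"):
            continue
        if conn.get("overlapip", "no") != "yes":
            findings.append(f"{name}: rightsubnet={conn['rightsubnet']} but overlapip is not yes")
        if "mark" not in conn:
            findings.append(f"{name}: no mark= set, so clients with the same address cannot get distinct SAs")
    return findings


def scan_pluto_log(lines: List[str]) -> List[dict]:
    """One record per rejected client; the kernel line is attached to the
    preceding 'overlaps with connection' line, as the two appear in the thread."""
    events: List[dict] = []
    for line in lines:
        m = OVERLAP_RE.search(line)
        if m:
            events.append({"vip": m["vip"], "conn": m["conn"], "instance": int(m["inst"]),
                           "peer": m["peer"], "kernel": None})
            continue
        k = KERNEL_RE.search(line)
        if k and events:
            events[-1]["kernel"] = k["stack"]
    return events


# Constructed sample, trimmed from the config posted in the thread.
SAMPLE_CONF = """\
config setup
    virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    protostack=netkey

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    type=transport
    right=%any
    rightprotoport=17/%any
"""
# The same config with the two lines Paul suggested added to the NAT conn.
FIXED_CONF = SAMPLE_CONF.replace("    also=L2TP-PSK-noNAT\n",
                                 "    also=L2TP-PSK-noNAT\n    overlapip=yes\n    mark=-1/0xffffffff\n")
# Constructed log lines modelled on the two messages quoted in the thread
# (RFC 5737 documentation addresses stand in for the real peers).
SAMPLE_LOG = [
    '"L2TP-PSK-NAT"[12] 203.0.113.7 #3: Virtual IP 192.168.0.101/32 overlaps with '
    'connection "L2TP-PSK-NAT"[11] 198.51.100.9 (kind=CK_INSTANCE) \'198.51.100.9\'',
    '"L2TP-PSK-NAT"[12] 203.0.113.7 #3: Kernel method \'netkey\' does not support overlapping IP ranges',
]

if __name__ == "__main__":
    for finding in overlap_risks(parse_ipsec_conf(SAMPLE_CONF)):
        print("WARN", finding)
    print("after fix:", overlap_risks(parse_ipsec_conf(FIXED_CONF)))
    for event in scan_pluto_log(SAMPLE_LOG):
        print("REJECTED", event)
```

Run against the thread's own ipsec.conf the checker reports the L2TP-PSK-NAT conn twice (no overlapip=yes, no mark=), and reports nothing once those two lines are added to that conn; the also= resolution is what lets the NAT conn inherit right=%any from L2TP-PSK-noNAT, so the check sees the merged connection rather than the fragment.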
