Hello,
I’m currently trying to get libreswan to work with multiple conn sections which
I reference with also and alsoflip.
The current layout is:
Connection file - References an IKE template file with also
Gateway file left – References a conn which has all the details for the left
site using “also”
Gateway file right – References a conn which has all the details for the right
site using “alsoflip”
The gateway files use the left options for all their settings.
When I load the connection, it gets loaded, but it does not detect the
right-hand values; instead it puts the right-hand values to %any. When I
manually change the values in the right gateway to "right" and include it with
also, then it works as expected, but this way I have to keep track of where which
gateway is used on which site. I thought alsoflip would take care of this. Am
I doing something wrong?
Below are some examples.
Connection:
conn test
    auto=add
    authby=secret
    also=nodegrid
    also=DC2
    alsoflip=DC1
Gateways:
conn DC2
    leftid=@DC2
    left=192.168.10.73
    leftsourceip=192.168.160.10
    leftsubnet=192.168.160.10/24

conn DC1
    leftid=@DC1
    left=192.168.1.1
    leftsourceip=192.168.2.1
    leftsubnet=192.168.2.1/24
ipsec status after the connection was added:
000 "test": 192.168.160.0/24===192.168.10.73<192.168.10.73>[@DC2]...%any; unrouted; eroute owner: #0
000 "test": oriented; my_ip=192.168.160.10; their_ip=unset
000 "test": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "test": our auth:secret, their auth:secret
000 "test": modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset, cat:unset;
000 "test": labeled_ipsec:no;
000 "test": policy_label:unset;
000 "test": ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "test": retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "test": sha2-truncbug:no; initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "test": policy: PSK+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "test": conn_prio: 24,0; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "test": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no;
000 "test": newest ISAKMP SA: #0; newest IPsec SA: #0;
Thank you for your help.
Rene
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
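The following is an added example and is not part of Rene's post or of libreswan's code. It is a small resolver for ipsec.conf-style conn sections that applies the documented meaning of also= (copy a section's keys as they are) and alsoflip= (copy them with every left* key renamed right* and vice versa). Fed the conns from the post, it produces the flattened conn one would expect if alsoflip worked as intended (right=192.168.1.1, rightid=@DC1, rightsubnet=192.168.2.1/24), which can be compared against the %any seen in the status output, or loaded as an include-free conn to check whether the behaviour differs. Assumptions: the nodegrid section below is constructed, since the post does not show it; and the precedence rule (a section's own keys win over included ones, earlier includes win over later ones) is this script's choice, not something taken from ipsec.conf(5).

```python
"""Resolve also= / alsoflip= includes in ipsec.conf-style conn sections.

Added illustration, not libreswan's parser.  It applies the documented
meaning of the two keywords: also= copies a section's keys unchanged,
alsoflip= copies them with every left* key renamed right* and vice versa.
"""

# Constructed input: the conns from the post plus a made-up "nodegrid" IKE
# template (the post references it but does not show its contents).
SAMPLE_CONF = """\
conn test
    auto=add
    authby=secret
    also=nodegrid
    also=DC2
    alsoflip=DC1

conn nodegrid
    ike=aes256-sha2;modp2048
    ikev2=insist

conn DC2
    leftid=@DC2
    left=192.168.10.73
    leftsourceip=192.168.160.10
    leftsubnet=192.168.160.10/24

conn DC1
    leftid=@DC1
    left=192.168.1.1
    leftsourceip=192.168.2.1
    leftsubnet=192.168.2.1/24
"""


def parse_conf(text):
    """Return {conn_name: [(key, value), ...]} keeping key order (also= may repeat)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1].strip()
            sections[current] = []
            continue
        if current is None:
            raise ValueError(f"parameter outside any conn section: {line!r}")
        key, sep, value = line.strip().partition("=")
        if not sep:
            raise ValueError(f"malformed parameter line: {line!r}")
        sections[current].append((key.strip(), value.strip()))
    return sections


def flip_key(key):
    """Swap the side prefix: leftsubnet <-> rightsubnet; other keys unchanged."""
    if key.startswith("left"):
        return "right" + key[len("left"):]
    if key.startswith("right"):
        return "left" + key[len("right"):]
    return key


def resolve(sections, name, flipped=False, _stack=()):
    """Flatten a conn into a single {key: value} dict.

    Assumption of this illustration: a section's own parameters win over
    parameters pulled in through also=/alsoflip=, and among several includes
    the earlier one wins.  Consult ipsec.conf(5) for libreswan's own rules.
    """
    if name in _stack:
        raise ValueError(f"also= loop through conn {name!r}")
    if name not in sections:
        raise KeyError(f"conn {name!r} is referenced but never defined")
    direct, includes = {}, []
    for key, value in sections[name]:
        if key in ("also", "alsoflip"):
            # alsoflip toggles the flip state; an alsoflip inside an already
            # flipped section flips back (two swaps cancel out).
            includes.append((value, flipped != (key == "alsoflip")))
        else:
            direct[flip_key(key) if flipped else key] = value
    merged = dict(direct)
    for child, child_flipped in includes:
        for k, v in resolve(sections, child, child_flipped, _stack + (name,)).items():
            merged.setdefault(k, v)
    return merged


def render(name, conn):
    """Emit the flattened conn as ipsec.conf text, e.g. to load it without includes."""
    body = "".join(f"    {k}={v}\n" for k, v in sorted(conn.items()))
    return f"conn {name}\n{body}"


if __name__ == "__main__":
    flat = resolve(parse_conf(SAMPLE_CONF), "test")
    print(render("test-flat", flat))
```

Running the script prints a conn with both sides filled in from DC2 (left) and DC1 (right); loading that flattened text instead of the include-based one isolates whether the %any in the status output comes from alsoflip handling or from something else in the configuration.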