Thanks Paul, this works.

Wei
________________________________
From: Paul Wouters <[email protected]>
Sent: Thursday, July 15, 2021 11:28 AM
To: Wei Huang <[email protected]>
Cc: [email protected] <[email protected]>
Subject: [External] : Re: [Swan] Setup multiple IPSec tunnels to remote site with same protected networks

Add overlapip=yes to both connections and see if that is enough ?

Sent using a virtual keyboard on a phone

On Jul 15, 2021, at 10:55, Wei Huang <[email protected]> wrote:


I tried to set up 2 IPSec tunnels to a remote site with the same protected networks. 
Only one tunnel can be fully set up. The other one got the following error 
message:
Jul 13 21:58:48.166338: "MPLS_Group_2" #26: cannot route -- route already in use for "MPLS_Group_1"
Jul 13 21:58:48.166352: "MPLS_Group_2" #26: encountered fatal error in state STATE_PARENT_I2

Is this use case supported in libreswan? If yes, what do I need to do? I am 
using Libreswan 3.32.

My side's config:
conn MPLS_Group_1
        left=10.0.0.6
        leftsubnet=10.0.0.0/16

        right=10.104.0.100
        rightsubnet=10.104.0.0/16

        authby=secret
        nat-keepalive=yes
        auto=start
        rekey=yes
        ikev2=yes
        ike=aes128-sha2;dh5
        ikelifetime=3600
        dpdtimeout=300
        dpddelay=15
        phase2=esp
        phase2alg=aes_gcm256-null
        pfs=no
        salifetime=86400

conn MPLS_Group_2
        left=10.0.0.6
        leftsubnet=10.0.0.0/16

        right=10.104.0.101
        rightsubnet=10.104.0.0/16

        authby=secret
        nat-keepalive=yes
        auto=start
        rekey=yes
        ikev2=yes
        ike=aes128-sha2;dh5
        ikelifetime=3600
        dpdtimeout=300
        dpddelay=15
        phase2=esp
        phase2alg=aes_gcm256-null
        pfs=no
        salifetime=86400


Remote site is 2 VMs, each has StrongSwan running.
Config on VM1:
conn talari
        left=10.104.0.101
        leftid=10.104.0.101
        leftsubnet=10.104.1.0/16
        leftauth=psk

        right=10.0.0.6
        rightid=10.0.0.6
        rightsubnet=10.0.0.0/16
        rightauth=psk
        auto=start
        ike=aes128-sha1-modp1536
        esp=aes256gcm16

Config on VM2:
conn talari
        left=10.104.0.100
        leftid=10.104.0.100
        leftsubnet=10.104.1.0/16
        leftauth=psk

        right=10.0.0.6
        rightid=10.0.0.6
        rightsubnet=10.0.0.0/16
        rightauth=psk
        auto=start
        ike=aes128-sha1-modp1536
        esp=aes256gcm16


Thanks,
Wei
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
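
Added example (not part of the original thread and not libreswan code): a Python check that scans ipsec.conf-style text for connection pairs protecting the same leftsubnet/rightsubnet without overlapip=yes on both, the situation behind the "cannot route -- route already in use" error above. The function names and the reduced sample config are assumptions made for illustration.

```python
import ipaddress
from itertools import combinations

def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            current = conns.setdefault(line.split(None, 1)[1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def selector(opts):
    """Normalise both subnets, so 10.104.1.0/16 compares equal to 10.104.0.0/16."""
    try:
        return tuple(ipaddress.ip_network(opts[k], strict=False)
                     for k in ("leftsubnet", "rightsubnet"))
    except (KeyError, ValueError):
        return None  # no subnet or a non-CIDR value: outside this check

def overlapping_without_overlapip(text):
    """Assumption: an identical subnet pair means a shared route, as in the thread."""
    hits = []
    for (a, oa), (b, ob) in combinations(parse_conns(text).items(), 2):
        sel = selector(oa)
        if sel is None or sel != selector(ob):
            continue
        if oa.get("overlapip") != "yes" or ob.get("overlapip") != "yes":
            hits.append((a, b))
    return hits

# Constructed sample: the thread's two conns reduced to the relevant keys;
# AFTER adds overlapip=yes to both, as suggested in the reply.
BEFORE = """\
conn MPLS_Group_1
    leftsubnet=10.0.0.0/16
    right=10.104.0.100
    rightsubnet=10.104.0.0/16
conn MPLS_Group_2
    leftsubnet=10.0.0.0/16
    right=10.104.0.101
    rightsubnet=10.104.0.0/16
"""
AFTER = BEFORE.replace("    right=", "    overlapip=yes\n    right=")
if __name__ == "__main__":
    print(overlapping_without_overlapip(BEFORE), overlapping_without_overlapip(AFTER))
```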