<HTML><BODY style="word-wrap: break-word; -khtml-nbsp-mode: space; -khtml-line-break: after-white-space; ">Hi,<DIV><BR class="khtml-block-placeholder"></DIV><DIV>I need to establish a VPN using this setup :</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>GW1 ---------- GW2--|</DIV><DIV> | | 192.168.1.0/24</DIV><DIV> |---------------GW3--|<BR><DIV> <SPAN class="Apple-style-span" style="border-collapse: separate; border-spacing: 0px 0px; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-align: auto; -khtml-text-decorations-in-effect: none; text-indent: 0px; -apple-text-size-adjust: auto; text-transform: none; orphans: 2; white-space: normal; widows: 2; word-spacing: 0px; "><SPAN class="Apple-style-span" style="border-collapse: separate; border-spacing: 0px 0px; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-align: auto; -khtml-text-decorations-in-effect: none; text-indent: 0px; -apple-text-size-adjust: auto; text-transform: none; orphans: 2; white-space: normal; widows: 2; word-spacing: 0px; "><SPAN class="Apple-style-span" style="border-collapse: separate; border-spacing: 0px 0px; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-align: auto; -khtml-text-decorations-in-effect: none; text-indent: 0px; -apple-text-size-adjust: auto; text-transform: none; orphans: 2; white-space: normal; widows: 2; word-spacing: 0px; "><P style="margin: 0.0px 0.0px 0.0px 0.0px"><BR class="khtml-block-placeholder"></P><P style="margin: 0.0px 0.0px 0.0px 0.0px">GW1, GW2 and GW3 are IPSec gateways. GW2 and GW3 are serving the same intranet network, but are using two different internet lines to do it (for backup and load balancing reasons).</P><P style="margin: 0.0px 0.0px 0.0px 0.0px"><BR class="khtml-block-placeholder"></P><P style="margin: 0.0px 0.0px 0.0px 0.0px">My problem is that if I try to establish the following tunnels :</P><P style="margin: 0.0px 0.0px 0.0px 0.0px"><BR class="khtml-block-placeholder"></P><P style="margin: 0.0px 0.0px 0.0px 0.0px">a) 192.168.50.0/24 - GW1 - GW2 - 192.168.1.0/24</P><P style="margin: 0.0px 0.0px 0.0px 0.0px">b) 192.168.60.0/24 - GW1 - GW3 - 192.168.1.0/24</P><P style="margin: 0.0px 0.0px 0.0px 0.0px"><BR class="khtml-block-placeholder"></P><P style="margin: 0.0px 0.0px 0.0px 0.0px">I get a problem because GW1 refuse to establish tunnel b when tunnel a is already up (and if reverse is true : it refuse to establish the tunnel b when tunnel a is already up).</P><P style="margin: 0.0px 0.0px 0.0px 0.0px"><BR class="khtml-block-placeholder"></P><P style="margin: 0.0px 0.0px 0.0px 0.0px">The problem is in the openswan code that consider that all tunnels destined to tunnel 192.168.1.0/24 must use the same public address. This is shown in programs/pluto/kernel.c function could_route :</P><P style="margin: 0.0px 0.0px 0.0px 0.0px"><BR class="khtml-block-placeholder"></P><DIV>static enum routability</DIV><DIV>could_route(struct connection *c)</DIV><DIV>{ </DIV><P style="margin: 0.0px 0.0px 0.0px 0.0px">...</P><DIV> if (ro != NULL && !routes_agree(ro, c))</DIV><DIV> {</DIV><DIV> loglog(RC_LOG_SERIOUS, "cannot route -- route already in use for \"%s\""</DIV><DIV> , ro->name);</DIV><DIV> return route_impossible; /* another connection already</DIV><DIV> using the eroute */</DIV><DIV> }</DIV><P style="margin: 0.0px 0.0px 0.0px 0.0px">...</P><P style="margin: 0.0px 0.0px 0.0px 0.0px">}</P><P style="margin: 0.0px 0.0px 0.0px 0.0px"><BR class="khtml-block-placeholder"></P><P style="margin: 0.0px 0.0px 0.0px 0.0px">where routes_agree checks that the new session is sharing the same dev and nexthop that the first other tunnel that is sharing the same destination network.</P><P style="margin: 0.0px 0.0px 0.0px 0.0px"><BR class="khtml-block-placeholder"></P><P style="margin: 0.0px 0.0px 0.0px 0.0px">In my case, I am using netkey and not klips. I don't know if this is a limitation of klips, but this is not a limitation of netkey as it is possible to set this up using setkey -P or ip xfrm policy.</P><P style="margin: 0.0px 0.0px 0.0px 0.0px"><BR class="khtml-block-placeholder"></P><P style="margin: 0.0px 0.0px 0.0px 0.0px">So it seams to be big limitation in pluto.</P><P style="margin: 0.0px 0.0px 0.0px 0.0px"><BR class="khtml-block-placeholder"></P><P style="margin: 0.0px 0.0px 0.0px 0.0px">One simple solution I have use is to setup this two tunnels :</P><P style="margin: 0.0px 0.0px 0.0px 0.0px"><BR class="khtml-block-placeholder"></P><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">a) 192.168.50.0/24 - GW1 - GW2 - 192.168.1.0/24</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">b) 192.168.60.0/24 - GW1 - GW3 - 192.168.1.0/25</DIV><P style="margin: 0.0px 0.0px 0.0px 0.0px"><BR class="khtml-block-placeholder"></P><P style="margin: 0.0px 0.0px 0.0px 0.0px">this is not perfect as hosts from 192.168.60.0/24 network sees only host 192.168.1.1 to 192.168.1.126 on the other side, but in my case it was enougth.</P><P style="margin: 0.0px 0.0px 0.0px 0.0px"><BR class="khtml-block-placeholder"></P><P style="margin: 0.0px 0.0px 0.0px 0.0px">I have opened a bug# 800 on <A href="http://bugs.xelerance.com">http://bugs.xelerance.com</A>.</P><P style="margin: 0.0px 0.0px 0.0px 0.0px"><BR class="khtml-block-placeholder"></P><P style="margin: 0.0px 0.0px 0.0px 0.0px">Regards,</P><P style="margin: 0.0px 0.0px 0.0px 0.0px"> </P><P style="margin: 0.0px 0.0px 0.0px 0.0px"><FONT face="Helvetica" size="3" style="font: 12.0px Helvetica">--<SPAN class="Apple-converted-space"> </SPAN></FONT></P><P style="margin: 0.0px 0.0px 0.0px 0.0px"><FONT face="Helvetica" size="3" style="font: 12.0px Helvetica">Alain RICHARD <<A href="mailto:alain.richard@equation.fr">mailto:alain.richard@equation.fr</A>></FONT></P><P style="margin: 0.0px 0.0px 0.0px 0.0px"><FONT face="Helvetica" size="3" style="font: 12.0px Helvetica">EQUATION SA <<A href="http://www.equation.fr/">http://www.equation.fr/</A>></FONT></P><P style="margin: 0.0px 0.0px 0.0px 0.0px"><FONT face="Helvetica" size="3" style="font: 12.0px Helvetica">Tel : +33 477 79 48 00<SPAN class="Apple-converted-space"><SPAN class="Apple-converted-tab"><SPAN class="Apple-converted-space"> </SPAN> </SPAN><SPAN class="Apple-converted-space"> </SPAN></SPAN>Fax : +33 477 79 48 01</FONT></P><P style="margin: 0.0px 0.0px 0.0px 0.0px">E-Liance, Opérateur des entreprises et collectivités,</P><P style="margin: 0.0px 0.0px 0.0px 0.0px">Liaisons Fibre optique, SDSL et ADSL <<A href="http://www.e-liance.fr">http://www.e-liance.fr</A>></P><BR class="Apple-interchange-newline"></SPAN></SPAN></SPAN> </DIV><BR></DIV></BODY></HTML>