<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div>you will need to use different leftid/rightid for the two connections. since you use certs, you might need to generate two certs for each side.</div><div>the bug is that the uniqueids code does not treat v4 and v6 differently.</div><div><br></div><div>alternatively you can try setting uniqueids=no</div><div><br><br>sent from a tiny device </div><div><br>On 2013-07-12, at 19:53, <a href="mailto:subscription@kkeane.com">subscription@kkeane.com</a> wrote:<br><br></div><blockquote type="cite"><div><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"><meta name="Generator" content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--><div class="WordSection1"><p class="MsoNormal">I had asked this question a few weeks ago but didn’t get an answer, so let me try again.<o:p></o:p></p><p class="MsoNormal"><o:p> </o:p></p><p class="MsoNormal">How do you go about using OpenSwan to secure both the IPv4 and the IPv6 connections between the same two peers, using RSA certificates? I’m trying to use transport mode.<o:p></o:p></p><p class="MsoNormal"><o:p> </o:p></p><p class="MsoNormal">When I tried it, one of the two connections gets set up correctly, but the second fails with an error indicating that the eroute already exists (even though I’m using NetKey on CentOS 6, which isn’t supposed to use eroutes). I’m using the standard CentOS 6 Openswan RPM (version 2.6.30-20)<o:p></o:p></p><p class="MsoNormal"><o:p> </o:p></p><p class="MsoNormal">Here is my ipsec.conf (with redacted names):<o:p></o:p></p><p class="MsoNormal"><o:p> </o:p></p><p class="MsoNormal">version 2.0<o:p></o:p></p><p class="MsoNormal">config setup<o:p></o:p></p><p class="MsoNormal"> protostack=netkey<o:p></o:p></p><p class="MsoNormal"> nat_traversal=yes<o:p></o:p></p><p class="MsoNormal"> oe=off<o:p></o:p></p><p class="MsoNormal"> myid=system1.mydomain.local<o:p></o:p></p><p class="MsoNormal"><o:p> </o:p></p><p class="MsoNormal">conn %default<o:p></o:p></p><p class="MsoNormal"> type=transport<o:p></o:p></p><p class="MsoNormal"> authby=rsasig<o:p></o:p></p><p class="MsoNormal"> rightrsasigkey=%cert<o:p></o:p></p><p class="MsoNormal"> rightid=%fromcert<o:p></o:p></p><p class="MsoNormal"> left=system1.mydomain.local<o:p></o:p></p><p class="MsoNormal"> leftid=%fromcert<o:p></o:p></p><p class="MsoNormal"> pfs=yes<o:p></o:p></p><p class="MsoNormal"> aggrmode=no<o:p></o:p></p><p class="MsoNormal"> ike=3des-sha1-modp1536<o:p></o:p></p><p class="MsoNormal"> phase2=esp<o:p></o:p></p><p class="MsoNormal"> phase2alg=3des-sha1<o:p></o:p></p><p class="MsoNormal"> auto=start<o:p></o:p></p><p class="MsoNormal"><o:p> </o:p></p><p class="MsoNormal"><o:p> </o:p></p><p class="MsoNormal">conn system2.mydomain.local<o:p></o:p></p><p class="MsoNormal"> connaddrfamily=ipv6<o:p></o:p></p><p class="MsoNormal"> right=web.nctc.local<o:p></o:p></p><p class="MsoNormal"> rightcert=system2.mydomain.local<o:p></o:p></p><p class="MsoNormal"><o:p> </o:p></p><p class="MsoNormal">conn system2.mydomain.local<o:p></o:p></p><p class="MsoNormal"> connaddrfamily=ipv4<o:p></o:p></p><p class="MsoNormal"> right=web.nctc.local<o:p></o:p></p><p class="MsoNormal"> rightcert=system2.mydomain.local<o:p></o:p></p><p class="MsoNormal"><o:p> </o:p></p></div></div></blockquote><blockquote type="cite"><div><span>_______________________________________________</span><br><span><a href="mailto:Users@lists.openswan.org">Users@lists.openswan.org</a></span><br><span><a href="https://lists.openswan.org/mailman/listinfo/users">https://lists.openswan.org/mailman/listinfo/users</a></span><br><span>Micropayments: <a href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a></span><br><span>Building and Integrating Virtual Private Networks with Openswan:</span><br><span><a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a></span><br></div></blockquote></body></html>