[Openswan Users] redundant ipsec connections: route to peer's client conflicts with ... releasing old connection to free the route

Paul Wouters paul at xelerance.com
Thu Jun 4 14:40:49 EDT 2009


> I think openswan tries to check if there is another route for the
> destination 172.19.0.0/24 (peer internal subnet), and finds the
> route previously established by the first ipsec connection, which is also
> going to 172.19.0.0/24; however, the dst ip is the other dsl connection of the
> peer. So it says "route to peer's client conflicts with ... releasing
> old connection to free the route"...


Ohhhhhhh

>>>       left=CENTRALIPADDR
>>>       leftsubnet=172.17.0.0/24
>>>       right=PEERIPADDR2
>>>       rightsubnet=172.19.0.0/24
>>
>>>       left=CENTRALIPADDR
>>>       leftsubnet=10.0.0.0/8
>>>       right=PEERIPADDR1
>>>       rightsubnet=172.19.0.0/24
>>
>>>       left=CENTRALIPADDR
>>>       leftsubnet=172.16.0.0/24
>>>       right=PEERIPADDR1
>>>       rightsubnet=172.19.0.0/24

I did not spot that you have the same subnet for both PEERIPADDR1 and
PEERIPADDR2. You cannot do that. How should openswan decide where to
send a packet for rightsubnet: to Peer1 or to Peer2? A subnet can only live
in one place at once. If you are trying to do some kind of failover,
then you'll have to look at running OSPF or BGP inside the ipsec tunnels.

Paul
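
The misconfiguration Paul points out can be caught before loading the config. The script below is an added example, not Openswan code and not from the poster: it parses a constructed ipsec.conf fragment modelled on the quoted conns (conn names site-a/site-b/site-c and the CENTRALIPADDR/PEERIPADDR placeholders are assumptions) and reports every rightsubnet that is claimed by more than one distinct right= peer. Two conns to the same peer sharing a rightsubnet (site-b and site-c here) are not reported, since the route for that subnet still has a single owner; it is the same subnet behind two different peers that produces the "route to peer's client conflicts" message.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed ipsec.conf fragment modelled on the configuration quoted in this
# thread (not the poster's real file). Conn names and the CENTRALIPADDR /
# PEERIPADDR* values are placeholders, as in the original post.
SAMPLE_CONF = """\
conn site-a
      left=CENTRALIPADDR
      leftsubnet=172.17.0.0/24
      right=PEERIPADDR2
      rightsubnet=172.19.0.0/24

conn site-b
      left=CENTRALIPADDR
      leftsubnet=10.0.0.0/8
      right=PEERIPADDR1
      rightsubnet=172.19.0.0/24

conn site-c
      left=CENTRALIPADDR
      leftsubnet=172.16.0.0/24
      right=PEERIPADDR1
      rightsubnet=172.19.0.0/24
"""


def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section in an
    ipsec.conf-style text. Comments (# ...) and blank lines are ignored;
    keys outside a conn section (e.g. 'config setup') are skipped."""
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = re.match(r"^conn\s+(\S+)\s*$", line)
        if m:
            current = m.group(1)
            conns[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        conns[current][key] = value
    return conns


def normalize_subnet(value):
    """Canonical 'network/prefix' string, so that 172.19.0.1/24 and
    172.19.0.0/24 compare equal. Non-CIDR values (e.g. 'vhost:%priv') are
    returned unchanged."""
    try:
        return str(ipaddress.ip_network(value, strict=False))
    except ValueError:
        return value


def find_route_conflicts(conns):
    """Map each rightsubnet that is reachable via more than one distinct
    right= peer to {peer: [conn names]}. This mirrors the situation Openswan
    rejects at route-install time: one client subnet, two different gateways."""
    by_subnet = defaultdict(dict)  # subnet -> {peer: [conn, ...]}
    for name, kv in conns.items():
        subnet = kv.get("rightsubnet")
        peer = kv.get("right")
        if subnet is None or peer is None:
            continue
        by_subnet[normalize_subnet(subnet)].setdefault(peer, []).append(name)
    return {subnet: peers for subnet, peers in by_subnet.items() if len(peers) > 1}


def report(text):
    """Human-readable summary; returns the number of conflicting subnets."""
    conflicts = find_route_conflicts(parse_conns(text))
    for subnet, peers in conflicts.items():
        owners = ", ".join(f"{peer} ({', '.join(names)})" for peer, names in peers.items())
        print(f"rightsubnet {subnet} is claimed behind {len(peers)} peers: {owners}")
    if not conflicts:
        print("no rightsubnet is claimed by more than one peer")
    return len(conflicts)


if __name__ == "__main__":
    report(SAMPLE_CONF)
```

Run it against a real ipsec.conf by passing the file contents to report(); a non-zero return means at least one subnet will be fought over, and the fix is the one from the reply: give each peer its own subnet, or run a routing protocol (OSPF or BGP) inside the tunnels instead of letting static eroutes decide.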

