[Openswan Users] cannot route -- route already in use
Krzysztof Marcinowicz
krzysztof.marcinowicz at gmail.com
Mon Apr 27 13:19:10 EDT 2015
Hi,
I'm trying to interconnect two AWS VPCs in different regions.
On one side (let's say in Ireland) I want to have an EC2 instance with
software VPN while on the other side (let's say in Oregon) I want to use
AWS hardware VPN which provides two tunnels for high availability.
I have a problem with setting up two tunnels on the software VPN side that run
at the same time. Both tunnels point at the same CIDR (subnet) as the remote
subnet, which seems to be a problem for Openswan/IPsec: while the first
tunnel is already running, an attempt to set up the second tunnel
results in:
ipsec auto --up tunnel-2
117 "tunnel-2" #3: STATE_QUICK_I1: initiate
003 "tunnel-2" #3: cannot route -- route already in use for "tunnel-1"
032 "tunnel-2" #3: STATE_QUICK_I1: internal error
Let me define what IPs and CIDRs I have on both sides:
Software VPN side (Ireland):
<I-EIP> // elastic/public IP address
<I-CIDR> // subnet CIDR
AWS VPN side (Oregon):
<O-CIDR> // subnet CIDR
tunnel 1:
<O-outside-VPG-1> // outside IP of Virtual Private Gateway
<O-inside-VPG-1> // inside IP of Virtual Private Gateway
<O-inside-CG-1> // inside IP of Customer Gateway
tunnel 2:
<O-outside-VPG-2> // outside IP of Virtual Private Gateway
<O-inside-VPG-2> // inside IP of Virtual Private Gateway
<O-inside-CG-2> // inside IP of Customer Gateway
And IPsec configuration:
tunnel-1
    type=tunnel
    authby=secret
    pfs=yes
    auto=add
    left=<I-EIP>
    leftid=<I-EIP>
    leftsubnet=<I-CIDR>
    leftnexthop=<O-inside-CG-1>
    right=<O-outside-VPG-1>
    rightnexthop=<O-inside-VPG-1>
    rightsubnet=<O-CIDR>
tunnel-2
    type=tunnel
    authby=secret
    pfs=yes
    auto=add
    left=<I-EIP>
    leftid=<I-EIP>
    leftsubnet=<I-CIDR>
    leftnexthop=<O-inside-CG-2>
    right=<O-outside-VPG-2>
    rightnexthop=<O-inside-VPG-2>
    rightsubnet=<O-CIDR>
Has someone already done something similar?
Any idea how to overcome this issue?
I found nearly no information on that except the following comment:
http://permalink.gmane.org/gmane.network.openswan.user/22638
Both connections are using 192.168.3.0/24 as the remote net
(rightsubnet) which is why OpenSwan complains. Make sure each connection
uses the right remote net for each peer.
I'll be thankful if you could help me explain that issue.
regards
Chris Marcinowicz
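As an added example (not part of the original post and not Openswan's own tooling): a small Python pre-flight check that parses ipsec.conf conn sections and flags conns sharing the same leftsubnet/rightsubnet pair, which is the condition behind the "route already in use" error above. The config text is constructed from the post with its placeholders kept; the grouping is an approximation of pluto's route-owner check, not its exact logic.

```python
from collections import defaultdict

# Constructed sample mirroring the two conns in the post (placeholders kept).
SAMPLE_CONF = """
conn tunnel-1
    leftsubnet=<I-CIDR>
    leftnexthop=<O-inside-CG-1>
    right=<O-outside-VPG-1>
    rightsubnet=<O-CIDR>
conn tunnel-2
    leftsubnet=<I-CIDR>
    leftnexthop=<O-inside-CG-2>
    right=<O-outside-VPG-2>
    rightsubnet=<O-CIDR>
"""

def parse_conns(text):
    """Return {conn_name: {option: value}} for each 'conn NAME' section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns

def find_route_conflicts(conns):
    """Return {(leftsubnet, rightsubnet): [conn names]} for pairs used twice.

    Approximation of pluto's route-owner check: two conns selecting the same
    local/remote subnet pair via different peers both want the same kernel
    route, which is what 'cannot route -- route already in use' reports.
    """
    by_pair = defaultdict(list)
    for name, opts in conns.items():
        pair = (opts.get("leftsubnet"), opts.get("rightsubnet"))
        by_pair[pair].append(name)
    return {pair: names for pair, names in by_pair.items() if len(names) > 1}

if __name__ == "__main__":
    for pair, names in find_route_conflicts(parse_conns(SAMPLE_CONF)).items():
        print("route conflict for %s -> %s: %s" % (pair[0], pair[1], ", ".join(names)))
```

Run it against a real ipsec.conf by reading the file into parse_conns instead of SAMPLE_CONF; any reported group will hit the same error when the second conn is brought up.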