[Openswan Users] cannot route -- route already in use

Krzysztof Marcinowicz krzysztof.marcinowicz at gmail.com
Mon Apr 27 13:19:10 EDT 2015


Hi,

I'm trying to inter-connect two AWS VPCs in different regions.

On one side (let's say in Ireland) I want to have an EC2 instance with
software VPN while on the other side (let's say in Oregon) I want to use
AWS hardware VPN which provides two tunnels for high availability.

I have a problem with setting up two tunnels on the software VPN side that run
at the same time. Both tunnels point to the same CIDR (subnet) as the remote
subnet, which seems to be a problem for Openswan/IPsec: while the first
tunnel is already running, an attempt to set up the second tunnel
results in:
ipsec auto --up tunnel-2
117 "tunnel-2" #3: STATE_QUICK_I1: initiate
003 "tunnel-2" #3: cannot route -- route already in use for "tunnel-1"
032 "tunnel-2" #3: STATE_QUICK_I1: internal error


Let me define what IPs and CIDRs I have on both sides:

Software VPN side (Ireland):
<I-EIP>      // elastic/public IP address
<I-CIDR>     // subnet CIDR

AWS VPN side (Oregon):
<O-CIDR>     // subnet CIDR

tunnel 1:
<O-outside-VPG-1>    // outside IP of Virtual Private Gateway
<O-inside-VPG-1>      // inside IP of Virtual Private Gateway
<O-inside-CG-1>        // inside IP of Customer Gateway

tunnel 2:
<O-outside-VPG-2>    // outside IP of Virtual Private Gateway
<O-inside-VPG-2>      // inside IP of Virtual Private Gateway
<O-inside-CG-2>        // inside IP of Customer Gateway


And the IPsec configuration (ipsec.conf conn sections):

conn tunnel-1
    type=tunnel
    authby=secret
    pfs=yes
    auto=add
    left=<I-EIP>
    leftid=<I-EIP>
    leftsubnet=<I-CIDR>
    leftnexthop=<O-inside-CG-1>
    right=<O-outside-VPG-1>
    rightnexthop=<O-inside-VPG-1>
    rightsubnet=<O-CIDR>

conn tunnel-2
    type=tunnel
    authby=secret
    pfs=yes
    auto=add
    left=<I-EIP>
    leftid=<I-EIP>
    leftsubnet=<I-CIDR>
    leftnexthop=<O-inside-CG-2>
    right=<O-outside-VPG-2>
    rightnexthop=<O-inside-VPG-2>
    rightsubnet=<O-CIDR>


Has anyone already done something similar?
Any idea how to overcome this issue?

I found nearly no information on that except the following comment:
http://permalink.gmane.org/gmane.network.openswan.user/22638

Both connections are using 192.168.3.0/24 as the remote net
(rightsubnet) which is why OpenSwan complains. Make sure each connection
uses the right remote net for each peer.


I'd be grateful if you could help me understand this issue.

regards
Chris Marcinowicz
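
The conflict the post describes can be spotted in ipsec.conf before bringing the tunnels up: Openswan refuses to route a second conn whose local/remote subnet pair is already owned by an established conn. The following checker is an added example, not Openswan code or the poster's own; SAMPLE_CONF is constructed from the two conns above with made-up addresses standing in for the <I-EIP>, <I-CIDR>, <O-CIDR> and VPG placeholders.

```python
"""Flag Openswan conns that claim the same (leftsubnet, rightsubnet) pair.

Added example: a minimal ipsec.conf parser plus a duplicate-route check.
'also=' inheritance and '%default' sections are not followed.
"""
import re
from collections import defaultdict

# Constructed sample mirroring the post's tunnel-1/tunnel-2 layout.
# Addresses are assumptions, not the poster's real values.
SAMPLE_CONF = """\
conn tunnel-1
    left=198.51.100.10
    leftsubnet=10.0.0.0/16
    right=203.0.113.1
    rightsubnet=10.1.0.0/16

conn tunnel-2
    left=198.51.100.10
    leftsubnet=10.0.0.0/16
    right=203.0.113.2
    rightsubnet=10.1.0.0/16
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn NAME' section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # strip comments
        if not line.strip():
            continue
        if not line[0].isspace():               # unindented: section header
            m = re.match(r"conn\s+(\S+)", line)
            current = conns.setdefault(m.group(1), {}) if m else None
            continue
        if current is not None and "=" in line:  # indented key=value line
            key, val = line.strip().split("=", 1)
            current[key.strip()] = val.strip()
    return conns

def find_route_conflicts(text):
    """Map each (leftsubnet, rightsubnet) pair claimed by >1 conn to its conns.

    Openswan defaults a missing subnet to the endpoint host itself, so the
    bare left/right address is used as a fallback key.
    """
    by_pair = defaultdict(list)
    for name, opts in parse_conns(text).items():
        pair = (opts.get("leftsubnet", opts.get("left")),
                opts.get("rightsubnet", opts.get("right")))
        by_pair[pair].append(name)
    return {pair: names for pair, names in by_pair.items() if len(names) > 1}
```

Any pair listed by find_route_conflicts will trigger "cannot route -- route already in use" once the first of its conns is up.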