IPSec Same Subnet Problem

Hello,

I am trying to set up redundant site-to-site VPN tunnels. I have problems adding SPD entries to ipsec.conf on FreeBSD 10.1.

I use racoon as the IKE daemon. I have two PPPoE gateways: gw1's IP address is a.a.a.a and gw2's is b.b.b.b.

ipsec.conf:
Code:
flush;
spdflush;
# both peers carry the same selectors (192.168.12.0/24 <-> 192.168.14.0/24); only the tunnel endpoints differ
spdadd 192.168.12.0/24 192.168.14.0/24 any -P out ipsec esp/tunnel/a.a.a.a-x.y.z.v/require;
spdadd 192.168.14.0/24 192.168.12.0/24 any -P in ipsec esp/tunnel/x.y.z.v-a.a.a.a/require;

spdadd 192.168.12.0/24 192.168.14.0/24 any -P out ipsec esp/tunnel/b.b.b.b-x.y.z.v/require;
spdadd 192.168.14.0/24 192.168.12.0/24 any -P in ipsec esp/tunnel/x.y.z.v-b.b.b.b/require;

The subnets are the same, but the peers are different. When I start the ipsec service I get these errors:

Code:
# service ipsec onestart

Clearing ipsec manual keys/policies.
Installing ipsec manual keys/policies.
The result of line 6: File exists.
The result of line 7: File exists.

I understand that the IPsec kernel module can't decide which SP must be used, because the subnets are overlapping.

I have done a little (not so little, I spent days :) ) search and found that the Linux kernel + strongSwan can handle this case by tagging packets on the firewall and adding SPDs keyed by these tags, so the IPsec module is not confused about which one to choose; each flow has a different tag.

I am stuck here. Am I missing something, or have I just hit the limitations of the FreeBSD IPsec implementation? Can somebody show me the way, please?
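The failure described above comes from how the kernel identifies an SPD entry: it compares the selector (source range, destination range, upper-layer protocol, direction) and not the tunnel endpoints written in the policy string, so the second spdadd with the same selector gets EEXIST. The following is an added example, not code from the forum post or from FreeBSD: a small preflight checker for a setkey(8)-style file that reports exact selector duplicates in setkey's own "The result of line N" style, plus overlapping same-direction selectors that would load but compete for the same packets. The sample configuration is constructed from the post; the helper names (parse_spd, find_collisions, find_overlaps, report) are this example's own.

```python
"""Preflight check for a setkey(8)-style SPD file (added example, not from the forum post).

Assumption (matches observed behaviour): the kernel keys the SPD on the policy
selector (src range, dst range, upper-layer protocol, direction), not on the
tunnel endpoints in the policy string, so two spdadd lines that differ only in
esp/tunnel/A-B collide and setkey reports "File exists" for the second one.
"""
import ipaddress
import re
import sys

# Matches: spdadd <src> <dst> <upperspec> -P <dir> <policy>;
SPDADD_RE = re.compile(
    r"^spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+"
    r"-P\s+(?P<dir>in|out|fwd)\s+(?P<policy>.+?)\s*;?$"
)

# Constructed sample: the two-peer configuration from the post, with line
# numbers matching the "The result of line N" messages setkey prints.
SAMPLE_SPD = "\n".join([
    "flush;",
    "spdflush;",
    "spdadd 192.168.12.0/24 192.168.14.0/24 any -P out ipsec esp/tunnel/a.a.a.a-x.y.z.v/require;",
    "spdadd 192.168.14.0/24 192.168.12.0/24 any -P in ipsec esp/tunnel/x.y.z.v-a.a.a.a/require;",
    "",
    "spdadd 192.168.12.0/24 192.168.14.0/24 any -P out ipsec esp/tunnel/b.b.b.b-x.y.z.v/require;",
    "spdadd 192.168.14.0/24 192.168.12.0/24 any -P in ipsec esp/tunnel/x.y.z.v-b.b.b.b/require;",
])


def parse_spd(text):
    """Yield (lineno, selector, policy) for every spdadd line.

    selector is the tuple the kernel compares when deciding whether a policy
    already exists; the policy string (with the tunnel endpoints) is not part of it.
    """
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # setkey treats '#' as a comment
        m = SPDADD_RE.match(line)
        if m:
            selector = (m["src"], m["dst"], m["proto"], m["dir"])
            yield lineno, selector, m["policy"]


def find_collisions(text):
    """Return [(failing_line, existing_line, selector)] for exact selector duplicates.

    The first occurrence is installed; every later line with the same selector
    is what setkey reports as "File exists".
    """
    first_seen = {}
    collisions = []
    for lineno, selector, _policy in parse_spd(text):
        if selector in first_seen:
            collisions.append((lineno, first_seen[selector], selector))
        else:
            first_seen[selector] = lineno
    return collisions


def find_overlaps(text):
    """Return [(line_a, line_b)] for same-direction, same-protocol selectors whose
    address ranges overlap without being identical.

    These load without error, but only one of them can be selected for a given
    packet, which is the silent cousin of the EEXIST problem.
    """
    entries = [(ln, sel) for ln, sel, _ in parse_spd(text)]
    overlaps = []
    for i, (ln_a, sel_a) in enumerate(entries):
        for ln_b, sel_b in entries[i + 1:]:
            if sel_a == sel_b or sel_a[3] != sel_b[3] or sel_a[2] != sel_b[2]:
                continue
            try:
                src_a, dst_a = (ipaddress.ip_network(sel_a[k], strict=False) for k in (0, 1))
                src_b, dst_b = (ipaddress.ip_network(sel_b[k], strict=False) for k in (0, 1))
            except ValueError:
                continue   # selectors that are not plain address ranges are skipped here
            if src_a.overlaps(src_b) and dst_a.overlaps(dst_b):
                overlaps.append((ln_a, ln_b))
    return overlaps


def report(text):
    """Render findings in the same style as setkey's own per-line messages."""
    lines = [f"The result of line {fail}: File exists (same selector as line {prev})."
             for fail, prev, _ in find_collisions(text)]
    lines += [f"Lines {a} and {b}: overlapping selectors, only one can match a given packet."
              for a, b in find_overlaps(text)]
    return lines or ["No SPD selector conflicts found."]


if __name__ == "__main__":
    spd_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SPD
    print("\n".join(report(spd_text)))
```

Run it with the path to an ipsec.conf as the only argument, or with no argument to check the constructed sample; for the sample it flags lines 6 and 7 against lines 3 and 4, which is exactly the pair setkey rejected. The check only tells you which lines will fail; it does not change the fact that, in this SPD model, a second peer for the same subnet pair needs a distinct selector.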
 
Thank you for your advice :) I am aware of that. We are using NanoBSD on 2000+ devices. It is hard to upgrade all of them. We are planning to upgrade our systems to FreeBSD 11.1.

But this problem still exists on FreeBSD 11. I saw that the FreeBSD 11 release has important improvements to IPsec and tried this setup on FreeBSD 11 as well; the result is the same.

I am asking for help to understand whether I am thinking wrongly or this is just a limitation of the FreeBSD IPsec implementation.
 