Multiple IPsec tunnels between the same source and destination IP addresses

[nemulos]

Hi all,

I want to ask if it is possible to create two IPsec tunnels between the same source and destination IP addresses with libreswan? The goal is to use ECMP (with FRR) across both IPsec tunnels.

My configurations is below:

Site01:
conn vpn1-to-192.168.50.2
left=192.168.50.1
[email protected]
right=192.168.50.2
[email protected]
authby=secret
leftsubnet=0.0.0.0/0
rightsubnet=0.0.0.0/0
auto=start
mark=5/0xffffffff
vti-interface=vti01
vti-routing=no
leftvti=169.254.0.1/30
ikev2=insist
ike=aes128-sha256;modp3072
phase2alg=aes128-sha256;modp3072
encapsulation=yes
ikelifetime=28800s
salifetime=3600s

conn vpn2-to-192.168.50.2
left=192.168.50.1
[email protected]
right=192.168.50.2
[email protected]
authby=secret
leftsubnet=0.0.0.0/0
rightsubnet=0.0.0.0/0
auto=start
mark=6/0xffffffff
vti-interface=vti02
vti-routing=no
leftvti=169.254.0.5/30
ikev2=insist
ike=aes128-sha256;modp3072
phase2alg=aes128-sha256;modp3072
encapsulation=yes
ikelifetime=28800s
salifetime=3600s

Site02:
conn vpn1-to-192.168.50.1
left=192.168.50.2
[email protected]
right=192.168.50.1
[email protected]
authby=secret
leftsubnet=0.0.0.0/0
rightsubnet=0.0.0.0/0
auto=start
mark=7/0xffffffff
vti-interface=vti01
vti-routing=no
leftvti=169.254.0.2/30
ikev2=insist
ike=aes128-sha256;modp3072
phase2alg=aes128-sha256;modp3072
encapsulation=yes
ikelifetime=28800s
salifetime=3600s

conn vpn2-to-192.168.50.1
left=192.168.50.2
[email protected]
right=192.168.50.1
[email protected]
authby=secret
leftsubnet=0.0.0.0/0
rightsubnet=0.0.0.0/0
auto=start
mark=8/0xffffffff
vti-interface=vti02
vti-routing=no
leftvti=169.254.0.6/30
ikev2=insist
ike=aes128-sha256;modp3072
phase2alg=aes128-sha256;modp3072
encapsulation=yes
ikelifetime=28800s
salifetime=3600s

The IPsec tunnels get established successfully and the VTI interfaces get created. But I cannot ping between the VTI interfaces.

IPsec Status from Site02:

000 #1: "vpn1-to-192.168.50.1":4500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REKEY in 25598s; idle;
000 #4: "vpn1-to-192.168.50.1":4500 STATE_V2_IPSEC_I (IPsec SA established); EVENT_SA_REKEY in 375s; isakmp#1; idle;
000 #4: "vpn1-to-192.168.50.1" [email protected] [email protected] [email protected] [email protected] ref=0 refhim=0 Traffic: ESPin=0B ESPout=4KB! ESPmax=0B
000 #6: "vpn1-to-192.168.50.1":4500 STATE_PARENT_R2 (received v2I2, PARENT SA established); EVENT_SA_REKEY in 26352s; newest ISAKMP; idle;
000 #7: "vpn1-to-192.168.50.1":4500 STATE_V2_IPSEC_R (IPsec SA established); EVENT_SA_REKEY in 1152s; newest IPSEC; eroute owner; isakmp#6; idle;
000 #7: "vpn1-to-192.168.50.1" [email protected] [email protected] [email protected] [email protected] ref=0 refhim=0 Traffic: ESPin=150KB ESPout=3KB! ESPmax=0B
000 #2: "vpn2-to-192.168.50.1":4500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REKEY in 26004s; idle;
000 #3: "vpn2-to-192.168.50.1":4500 STATE_V2_IPSEC_I (IPsec SA established); EVENT_SA_REKEY in 618s; isakmp#2; idle;
000 #3: "vpn2-to-192.168.50.1" [email protected] [email protected] [email protected] [email protected] ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=0B
000 #5: "vpn2-to-192.168.50.1":4500 STATE_V2_IPSEC_R (IPsec SA established); EVENT_SA_REKEY in 1077s; isakmp#2; idle;
000 #5: "vpn2-to-192.168.50.1" [email protected] [email protected] [email protected] [email protected] ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=0B
000 #8: "vpn2-to-192.168.50.1":4500 STATE_PARENT_R2 (received v2I2, PARENT SA established); EVENT_SA_REKEY in 26360s; newest ISAKMP; idle;
000 #9: "vpn2-to-192.168.50.1":4500 STATE_V2_IPSEC_R (IPsec SA established); EVENT_SA_REKEY in 1160s; newest IPSEC; eroute owner; isakmp#8; idle;
000 #9: "vpn2-to-192.168.50.1" [email protected] [email protected] [email protected] [email protected] ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=0B

IP tunnel ouput:
ip_vti0: ip/ip remote any local any ttl inherit nopmtudisc key 0
vti02: ip/ip remote 192.168.50.2 local 192.168.50.1 ttl inherit key 6
vti01: ip/ip remote 192.168.50.2 local 192.168.50.1 ttl inherit key 5

/ # ip tunnel
ip_vti0: ip/ip remote any local any ttl inherit nopmtudisc key 0
vti02: ip/ip remote 192.168.50.1 local 192.168.50.2 ttl inherit key 8
vti01: ip/ip remote 192.168.50.1 local 192.168.50.2 ttl inherit key 7

[paulwouters]

Do not use VTI for more than one tunnel, use XFRIMi interfaces (eg ipsec-device=1 for one connection and ipsec-interface=2 for the other connection. Then you get an "ipsec1" and "ipsec2" interface.

I'm not sure if it will work with two different 0/0 to 0/0 tunnels. You might need to do some manual routes to make it work. But I guess you will do manual routes anyway to device into which IPsec tunnel / interface to send packets through

[nemulos]

Thanks @paulwouters for the clarification.