I have a VPC and network in eu-central-1 and one in eu-west-1 in AWS. The eu-central-1 one fakes my on-prem environment. There I installed and configured OpenSwan on an EC2 instance. In eu-west-1 I configured a site-to-site VPN (customer gw, virtual gw, ...).
It works and tunnel1 is up. Now I try to get my 2nd tunnel up. I added a second config:
conn Tunnel1
    authby=secret
    auto=start
    left=%defaultroute
    leftid=yyy
    right=xxx
    type=tunnel
    ikelifetime=8h
    keylife=1h
    phase2alg=aes128-sha1;modp1024
    ike=aes128-sha1;modp1024
    keyingtries=%forever
    keyexchange=ike
    leftsubnet=192.168.0.0/16
    rightsubnet=10.0.0.0/16
    dpddelay=10
    dpdtimeout=30
    dpdaction=restart_by_peer

conn Tunnel2
    authby=secret
    auto=start
    left=%defaultroute
    leftid=yyy
    right=zzz
    type=tunnel
    ikelifetime=8h
    keylife=1h
    phase2alg=aes128-sha1;modp1024
    ike=aes128-sha1;modp1024
    keyingtries=%forever
    keyexchange=ike
    leftsubnet=192.168.0.0/16
    rightsubnet=10.0.0.0/16
    dpddelay=10
    dpdtimeout=30
    dpdaction=restart_by_peer
I also added the PSKs:

    xxx yyy: PSK "QbkjDdfP4sfma9nFsMwYCg6vr.C1adfds"
    xxx zzz: PSK "Kfd_26YNCndfr1g2tkFIzw5dfaTxhXMx"
When I restart IPsec I see these errors:

    000 Total IPsec connections: loaded 2, active 1
    "Tunnel2" #4: cannot install eroute -- it is in use for "Tunnel1" #3
What am I doing wrong?
Check the logs for more details:

    journalctl -xe | grep "Tunnel2"

Use tools like ip xfrm policy and ip xfrm state to check the Security Policy Database (SPD) and Security Association Database (SAD) entries. Ensure that they are consistent with your configuration.