# IPSec Same Subnet Problem



## Onur (Dec 26, 2017)

Hello,

I am trying to set up redundant site-to-site VPN tunnels. I have problems adding SPD entries to ipsec.conf on FreeBSD 10.1.

I use racoon as the IKE daemon. I have two PPPoE gateways: gw1's IP address is a.a.a.a and gw2's is b.b.b.b.

ipsec.conf:

```
flush;
spdflush;
spdadd 192.168.12.0/24 192.168.14.0/24 any -P out ipsec esp/tunnel/a.a.a.a-x.y.z.v/require;
spdadd 192.168.14.0/24 192.168.12.0/24 any -P in ipsec esp/tunnel/x.y.z.v-a.a.a.a/require;

spdadd 192.168.12.0/24 192.168.14.0/24 any -P out ipsec esp/tunnel/b.b.b.b-x.y.z.v/require;
spdadd 192.168.14.0/24 192.168.12.0/24 any -P in ipsec esp/tunnel/x.y.z.v-b.b.b.b/require;
```

The *subnets* are the *same*, but the *peers* are *different*. When I start the ipsec service I get these errors:


```
#service ipsec onestart

Clearing ipsec manual keys/policies.
Installing ipsec manual keys/policies.
The result of line 6: File exists.
The result of line 7: File exists.
```

I understand that the ipsec kernel module can't decide which SP must be used, because the subnets are overlapping.

I have done a little (not little, I spent days) searching and found that the Linux kernel + strongSwan can handle this case by tagging packets on the firewall and adding SPDs by these tags, so the IPsec module is not confused about which one to choose; each traffic flow has a different tag.

I am stuck here. Am I missing something, or have I just hit the limitations of the FreeBSD IPsec implementation? Can somebody lead me the way, please?
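The "File exists" result on lines 6 and 7 is setkey reporting EEXIST from the kernel: the SPD is keyed on the selector (source, destination, protocol, direction), not on the tunnel endpoints, so a second policy with an identical selector is rejected no matter which peer it names. The script below, an added example that is not part of the original post, lints an ipsec.conf for exactly this collision before the file is loaded. The configuration text inside it is a constructed copy of the four spdadd lines above; the parsing regex and the function names are the example's own, not part of setkey.

```python
import re
from collections import defaultdict

# Constructed sample: the four spdadd lines from the post, with identical
# subnet selectors but different tunnel peers (a.a.a.a vs b.b.b.b).
SAMPLE_CONF = """\
flush;
spdflush;
spdadd 192.168.12.0/24 192.168.14.0/24 any -P out ipsec esp/tunnel/a.a.a.a-x.y.z.v/require;
spdadd 192.168.14.0/24 192.168.12.0/24 any -P in ipsec esp/tunnel/x.y.z.v-a.a.a.a/require;

spdadd 192.168.12.0/24 192.168.14.0/24 any -P out ipsec esp/tunnel/b.b.b.b-x.y.z.v/require;
spdadd 192.168.14.0/24 192.168.12.0/24 any -P in ipsec esp/tunnel/x.y.z.v-b.b.b.b/require;
"""

# Matches the common "spdadd src dst proto -P dir policy;" form used above.
# (Hypothetical helper pattern; setkey's full grammar accepts more options.)
SPDADD_RE = re.compile(
    r"^spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+"
    r"-P\s+(?P<dir>in|out|fwd)\s+(?P<policy>.+?)\s*;\s*$"
)


def parse_spdadd(text):
    """Return a list of (line number, selector tuple, policy string) for each
    spdadd line. Line numbers follow the file, so they match setkey's
    'The result of line N' messages. '#' comments are ignored like setkey does."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("spdadd"):
            continue
        m = SPDADD_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse: {raw}")
        selector = (m["src"], m["dst"], m["proto"], m["dir"])
        entries.append((lineno, selector, m["policy"]))
    return entries


def find_conflicts(text):
    """Group spdadd lines by selector. A selector that appears more than once
    is the condition under which the kernel answers EEXIST ('File exists')
    for every occurrence after the first, regardless of the tunnel peers."""
    seen = defaultdict(list)
    for lineno, selector, policy in parse_spdadd(text):
        seen[selector].append((lineno, policy))
    return {sel: hits for sel, hits in seen.items() if len(hits) > 1}


def conflicting_lines(text):
    """Line numbers setkey would reject: each duplicate after the first."""
    lines = []
    for hits in find_conflicts(text).values():
        lines.extend(ln for ln, _ in hits[1:])
    return sorted(lines)


if __name__ == "__main__":
    for (src, dst, proto, direction), hits in find_conflicts(SAMPLE_CONF).items():
        print(f"selector {src} -> {dst} {proto} -P {direction} defined {len(hits)} times:")
        for ln, policy in hits:
            print(f"  line {ln}: {policy}")
    print("lines setkey would reject:", conflicting_lines(SAMPLE_CONF))
```

Run against the sample it reports lines 6 and 7, the same two lines setkey complained about. Because the check only looks at the selector columns, it also makes the underlying limitation visible: as long as two policies share source, destination, protocol and direction, no amount of variation in the `esp/tunnel/...` part will let both be installed in the same SPD.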


----------



## SirDice (Dec 27, 2017)

Onur said:


> I have problems about adding spd to ipsec.conf on FreeBSD 10.1


Note that FreeBSD 10.1 has been End-of-Life since December 2016 and is not supported any more. Please update to a supported version as soon as possible.

https://www.freebsd.org/security/unsupported.html
Topics about unsupported FreeBSD versions


----------



## Onur (Dec 27, 2017)

Thank you for your advice. I am aware of that. We are using NanoBSD on 2000+ devices; it is hard to upgrade all of them. We are planning to upgrade our systems to FreeBSD 11.1.

But this problem still exists on FreeBSD 11. I saw that the FreeBSD 11 release has important improvements in IPsec and tried this setup on FreeBSD 11 as well; the result is the same.

I am asking for help to understand whether I am thinking wrong or this is just a limitation of the FreeBSD IPsec implementation.


----------

