I have been beating my head against this for a while, and I'm hoping that someone can point me in the right direction.
I have a number of IPSec tunnels established, mostly from libreswan (v3.23) on CentOS to Cisco ASAs. Most are IKE v1, and in that case if I want to reach multiple hosts on the remote side I can have a formulation like this in my .conf file:
conn test1
    rightsubnet=192.168.1.111/255.255.255.255
    rightsourceip=192.168.1.111
    also=test_common
    auto=start

conn test2
    rightsubnet=192.168.1.112/255.255.255.255
    rightsourceip=192.168.1.112
    also=test_common
    auto=start
However, if I use this syntax with IKEv2 (ikev2=insist), I can start test1 and reach 192.168.1.111, but test2 will then not complete; or I can start test2 and test1 won't work.
My question is, what syntax will allow me to establish an IKEv2 tunnel which lets me reach both 192.168.1.111 and 192.168.1.112?
I have tried using:
conn test
    rightsubnet=192.168.1.96/27
    leftsubnet=192.168.2.2/32
    also=test_common
    auto=start
This formulation gets me up to the point where I see "STATE_PARENT_I2: sent v2I2, expected v2R2" but then all I get is "STATE_PARENT_I2: retransmission".
Similarly, I have tried:
conn test
    rightsubnets=192.168.1.111/32,192.168.1.112/32
    leftsubnet=192.168.2.2/32
    also=test_common
    auto=start
Using the rightsubnets directive causes the connection to not start, even if a single range is specified.
If anyone can point me in the right direction I'd be grateful.
Edit: I have discovered that I can use the rightsubnets directive; however, it will only start the first tunnel. The syntax which works is:
    rightsubnets={192.168.1.111/32 192.168.1.112/32}
In this example, 192.168.1.111 is reachable, but the second address gets to "STATE_V2_CREATE_I: sent IPsec Child req wait response" and never completes.
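Added example (not from the question and not libreswan code): a small Python parser for the per-SA state lines pluto writes to syslog, run over constructed log lines shaped like the messages quoted above, to list which conn/SA is stuck in which state and how many retransmissions it has logged. The "test/1x1"-style instance names and the exact line layout are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines (not the poster's logs), in the assumed pluto shape:
#   ... pluto[pid]: "<conn>" #<sa>: STATE_<name>: <message>
SAMPLE_LOG = """\
Mar  1 10:00:00 vpn pluto[2141]: "test" #1: STATE_PARENT_I2: sent v2I2, expected v2R2
Mar  1 10:00:01 vpn pluto[2141]: "test" #1: STATE_PARENT_I2: retransmission; will wait 1 seconds for response
Mar  1 10:00:03 vpn pluto[2141]: "test" #1: STATE_PARENT_I2: retransmission; will wait 2 seconds for response
Mar  1 10:05:00 vpn pluto[2141]: "test/1x1" #4: STATE_V2_IPSEC_I: IPsec SA established tunnel mode
Mar  1 10:05:00 vpn pluto[2141]: "test/1x2" #5: STATE_V2_CREATE_I: sent IPsec Child req wait response
"""

LINE_RE = re.compile(
    r'"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<state>STATE_[A-Z0-9_]+): (?P<msg>.*)'
)


def summarize(log_text):
    """Return {conn: {sa: {state, retransmits, established}}} from pluto log text."""
    result = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a per-SA state line
        entry = result[m["conn"]].setdefault(
            int(m["sa"]), {"state": None, "retransmits": 0, "established": False}
        )
        entry["state"] = m["state"]  # keep the most recent state seen
        if m["msg"].startswith("retransmission"):
            entry["retransmits"] += 1
        if "established" in m["msg"]:
            entry["established"] = True
    return dict(result)


def stalled(summary):
    """List (conn, sa, last_state, retransmits) for SAs that never established."""
    return [
        (conn, sa, e["state"], e["retransmits"])
        for conn, sas in summary.items()
        for sa, e in sas.items()
        if not e["established"]
    ]


if __name__ == "__main__":
    for conn, sa, state, n in stalled(summarize(SAMPLE_LOG)):
        print(f"{conn} #{sa} stuck in {state} ({n} retransmissions)")
```

Feed it the relevant slice of /var/log/secure (or `journalctl -u ipsec`) to see at a glance whether the IKE SA itself is retransmitting or only the second child SA is waiting.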