<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div>0.0.0.0/0 can not work,it is a limitation.<br><br>发自我的 iPhone</div><div><br>在 2015年9月6日,1:39,Matthieu <<a href="mailto:mspeder@users.sourceforge.net">mspeder@users.sourceforge.net</a>> 写道:<br><br></div><blockquote type="cite"><div><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">Hi All,<br><br>I'm trying to establish tunnels between a strongswan linux server and cisco routers with VTI interfaces, using IKEv2.<br>Strongswan is running in an openvz environnement, so using kernel-libipsec.<br><br>The only way to make it stable using VTI on cisco is apparently to negotiate a 0.0.0.0==0.0.0.0 SA. All my attempts to restrict the subnets in ipsec.conf made the cisco router trying to spawn new SAs every few seconds...<br><br>So I'm stuck with left and right subnets = 0.0.0.0.<br>The problem is that I need to connect to multiple routers, leading to overlapping 0.0.0.0==0.0.0.0 SAs.<br><br>How can I install routes on the server so that for a specific destination subnet I can select the correct tunnel ?<br>I first thought about some kind of marking and iptables but my feeling reading the code is that libipsec is not using marks to match packets.<br><br>Any idea/advice ?<br><br>Thanks !</div><div class="gmail_quote"><br></div><div class="gmail_quote">Matthieu<br><div><span class="HOEnZb"><font color="#888888"><div><br></div></font></span></div>
</div><br></div></div>
</div></blockquote><blockquote type="cite"><div><span>_______________________________________________</span><br><span>Users mailing list</span><br><span><a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a></span><br><span><a href="https://lists.strongswan.org/mailman/listinfo/users">https://lists.strongswan.org/mailman/listinfo/users</a></span></div></blockquote></body></html>