<div dir='auto'><span style="font-family: sans-serif; font-size: 12.8px;">Hi Naveen,</span><div dir="auto" style="font-family: sans-serif; font-size: 12.8px;"><br></div><div dir="auto" style="font-family: sans-serif; font-size: 12.8px;">I believe you need to set uniqueids = no in config setup. </div><div dir="auto" style="font-family: sans-serif; font-size: 12.8px;"><br></div><div dir="auto" style="font-family: sans-serif; font-size: 12.8px;">Cheers,</div><div dir="auto" style="font-family: sans-serif; font-size: 12.8px;"><br></div><div dir="auto" style="font-family: sans-serif; font-size: 12.8px;">Christopher Bachner</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mar 2, 2018 09:33, Naveen Neelakanta <naveen.b.neelakanta@gmail.com> wrote:<br type="attribution"><blockquote class="quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">










<p>Hi Noel,</p>
<p>Need some guidance on the below issues using strongSwan.</p>
<p>1) The second connection with the below configuration fails.</p>
<pre>
config setup

conn %default
        ikelifetime=8h
        keylife=8h
        rekeymargin=3m
        keyingtries=2
        keyexchange=ikev1
        authby=secret
        type=tunnel
        left=10.24.18.209
        leftsubnet=0.0.0.0/0
        ike=aes128-sha1-modp1024
        esp=null-md5-modp1024

conn net-net
        right=10.24.18.35
        rightsubnet=0.0.0.0/0
        mark_out=32
        auto=add
        installpolicy=yes

conn net1-net1
        right=10.24.18.36
        rightsubnet=0.0.0.0/0
        mark_out=33
        auto=add
        installpolicy=yes
</pre>
<pre>
#ipsec up net1-net1

unable to install policy 0.0.0.0/0 === 0.0.0.0/0 in for reqid 2, the same policy for reqid 1 exists
unable to install policy 0.0.0.0/0 === 0.0.0.0/0 fwd for reqid 2, the same policy for reqid 1 exists
unable to install IPsec policies (SPD) in kernel
<b>establishing connection 'net1-net1' failed</b>
</pre>
<p>2) I intend to use marking as a selector using a VTI interface. I see that the packet gets encrypted and leaves the machine; however, my intention is to identify the return traffic after decryption so that it is marked with the same mark, so that I can route the marked packets to a specific interface. But I see that the inbound SA does not have the mark and the policy drops the return traffic.</p>
<pre>
src 0.0.0.0/0 dst 0.0.0.0/0
        dir out priority 399999
        mark 32/0xffffffff
        tmpl src 10.24.18.209 dst 10.24.18.35
                proto esp spi 0xce437d69 reqid 1 mode tunnel

src 0.0.0.0/0 dst 0.0.0.0/0
        dir in priority 399999
        mark 32/0xffffffff
        tmpl src 10.24.18.35 dst 10.24.18.209
                proto esp reqid 1 mode tunnel
</pre>
<p>SADB:</p>
<pre>
src 10.24.18.209 dst 10.24.18.35
        proto esp spi 0xce437d69 reqid 1 mode tunnel
        replay-window 0 flag af-unspec
        mark 32/0xffffffff
        auth-trunc hmac(md5) 0x73f7dac6b9ef4de0dd6965ce30e2e548 96
        enc ecb(cipher_null)
src 10.24.18.35 dst 10.24.18.209
        proto esp spi 0xca115267 reqid 1 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(md5) 0xcc44e5211adb4b23d281e9b94853b31c 96
        enc ecb(cipher_null)
</pre>
<p>How can I get the return traffic to be marked so that there is no policy mismatch?</p>
<p>3) When I bring up the tunnel with leftsubnet any and rightsubnet any, I lose SSH access. I have disabled route installation in the strongSwan configuration file.</p>
<div>










<pre>
conn %default
        ikelifetime=8h
        keylife=8h
        rekeymargin=3m
        keyingtries=2
        keyexchange=ikev1
        authby=secret
        type=tunnel
        left=10.24.18.209
        leftsubnet=0.0.0.0/0
        ike=aes128-sha1-modp1024
        esp=null-md5-modp1024
        installpolicy=no

conn net-net
        right=10.24.18.35
        rightsubnet=0.0.0.0/0
        mark_out=32
        auto=add
        installpolicy=yes
</pre>
<p>######### strongswan.conf #######</p>
<pre>
        interfaces_use = eth3
        install_routes = no
</pre>
<p>Please shed some light on the above issues.</p>
<p>Thanks,<br>Naveen</p>
</div></div>
</blockquote></div><br></div>
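<p>As an added example (not part of this thread and not strongSwan's own code), the Python checker below reads an ipsec.conf-style file and reports the two things a reviewer would flag in the configuration posted above: pairs of conns whose kernel policies would be identical in some direction (the posted error is exactly that: mark_out distinguishes the two out policies, but the in and fwd policies of both conns carry no mark, so the kernel rejects the second set), and ike=/esp= proposals containing null encryption or MD5 integrity. It assumes only the subset of ipsec.conf syntax used in the thread (no also= or include), that a missing leftsubnet/rightsubnet defaults to the host address, that mark_in/mark_out override mark for their direction and that fwd policies are keyed by the inbound mark, and it treats the 768/1024-bit DH groups as weak. Both sample configs are constructed from the thread; the "after" variant uses mark= (which sets both directions) only to show that the collision check then passes. Whether inbound packets actually carry that mark depends on the VTI or firewall setup, which a static check cannot see.</p>

```python
"""Lint an ipsec.conf-style strongSwan config for two issues from the thread:
conns whose kernel policies would collide, and weak ike=/esp= proposals.
Added example, not strongSwan code; parses only the syntax used above."""
import re

# Constructed sample: the posted ipsec.conf, reduced to the keys checked here.
SAMPLE_CONF = """\
config setup

conn %default
        keyexchange=ikev1
        left=10.24.18.209
        leftsubnet=0.0.0.0/0
        ike=aes128-sha1-modp1024
        esp=null-md5-modp1024

conn net-net
        right=10.24.18.35
        rightsubnet=0.0.0.0/0
        mark_out=32
        installpolicy=yes

conn net1-net1
        right=10.24.18.36
        rightsubnet=0.0.0.0/0
        mark_out=33
        installpolicy=yes
"""
# Constructed "after" variant: mark= sets both mark_in and mark_out, so the
# inbound and forward policies of the two conns differ as well.
FIXED_CONF = SAMPLE_CONF.replace("mark_out=", "mark=")

# Proposal tokens to flag: null encryption and MD5 integrity are what the
# thread uses; DES and the 768/1024-bit DH groups are assumed weak here too.
WEAK_TOKENS = {"null", "md5", "des", "modp768", "modp1024"}

SECTION_RE = re.compile(r"^(config|conn)\s+(\S+)\s*$")
KV_RE = re.compile(r"^\s+([A-Za-z_]+)\s*=\s*(.*?)\s*$")


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} with conn %default merged into each
    conn.  No support for also=, include or quoted values (assumption)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        if m := SECTION_RE.match(line):
            current = sections.setdefault(m.groups(), {})
        elif (m := KV_RE.match(line)) and current is not None:
            current[m.group(1)] = m.group(2)
    defaults = sections.get(("conn", "%default"), {})
    return {name: {**defaults, **values}
            for (kind, name), values in sections.items()
            if kind == "conn" and name != "%default"}


def _mark(conn, direction):
    """Mark the kernel policy for this direction carries: mark_in/mark_out
    override mark; None means the policy is unmarked."""
    specific = conn.get("mark_in" if direction == "in" else "mark_out")
    return specific if specific is not None else conn.get("mark")


def _selectors(conn):
    # strongSwan defaults a missing leftsubnet/rightsubnet to the host itself.
    return (conn.get("leftsubnet", conn.get("left")),
            conn.get("rightsubnet", conn.get("right")))


def find_policy_collisions(conns):
    """(conn_a, conn_b, direction) for every pair whose kernel policy would be
    identical: same selectors and same (possibly absent) mark.  fwd policies
    are keyed by the inbound mark, so mark_out alone leaves in and fwd
    colliding, as in the posted error."""
    names = [n for n, c in conns.items() if c.get("installpolicy", "yes") != "no"]
    found = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if _selectors(conns[a]) != _selectors(conns[b]):
                continue
            for direction in ("out", "in", "fwd"):
                mark_dir = "out" if direction == "out" else "in"
                if _mark(conns[a], mark_dir) == _mark(conns[b], mark_dir):
                    found.append((a, b, direction))
    return found


def find_weak_proposals(conns):
    """(conn, keyword, token) for every weak token in ike= or esp=."""
    found = []
    for name, conn in conns.items():
        for keyword in ("ike", "esp"):
            for proposal in conn.get(keyword, "").split(","):
                for token in proposal.rstrip("!").split("-"):
                    if token in WEAK_TOKENS:
                        found.append((name, keyword, token))
    return found


if __name__ == "__main__":
    for label, conf in (("as posted", SAMPLE_CONF), ("with mark=", FIXED_CONF)):
        conns = parse_ipsec_conf(conf)
        print(f"== {label}")
        for a, b, d in find_policy_collisions(conns):
            print(f"   {a} / {b}: identical {d} policy")
        for name, kw, tok in find_weak_proposals(conns):
            print(f"   weak token '{tok}' in {kw}= of conn {name}")
```

<p>Run as-is it reports the in and fwd collision between net-net and net1-net1 for the posted config and none for the mark= variant, and flags null, md5 and modp1024 in both conns because they inherit the proposals from conn %default. The parser is deliberately minimal; point it at a real file only after confirming it uses no also= or include directives.</p>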