[strongSwan] Redundant network connections - messed up SAs

Steffen Heise foolix81-nerd at yahoo.de
Thu Nov 28 21:14:47 CET 2013


I agree. It seems that strongswan somehow mixes the policies if you use
%any for left or right and have additional connections configured which
use them too.

The main question for me is how to make it work. I just want two hosts
to offer one service each and have that ipsec protected.
I have not seen a working example so far and I hope that the people on
this list can give further hints.

Regarding your suggestion I must say that I don't know exactly what you
mean. Adding a second IP address to the lo interface does make the %any
parameter obsolete. Or maybe I'm wrong ... dunno :-)

Regards,
Steffen

On 28.11.2013 09:31, Dahlberg, David wrote:
> Am Donnerstag, den 28.11.2013, 00:03 +0100 schrieb Steffen Heise:
> 
>> As I do not know, which network the partner choses to use, I have to
>> use %any for the left= parameter. (There are more than two networks in
>> reality so I try to avoid configuring every interface separately).
>> As I do not know which partner tries to connect, I have to use %any
>> for the right= parameter too. (same thing, more hosts in reality)
> 
> I suppose your problem has to do with multiple matching IPsec policies,
> their orders and priorities, but the other people here are probably
> more experienced in debugging this scenario than me.
> 
> What I wanted to remark is that in such a scenario, it might be a good
> idea to configure a /32 (for IPv4) address on the loopback interface of
> the service providers, which is routed from both sides.
> That way you'll have redundancy without having to try to connect to two
> distinct IP addresses and additionally you may be able to better
> distinguish incoming connections (being addressed to the loopback IP)
> from outgoing connections (being sent from the interface IPs).
> 
> Regards
> 	David
> 
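The loopback /32 layout suggested in the quoted reply, written out as a strongSwan ipsec.conf fragment. This is an added example, not configuration from either poster; the addresses (10.255.0.1, 10.255.0.2), the identities, the certificate file name and the two-host setup are assumptions chosen for illustration. The point it shows is that once each service host owns a stable /32 on lo, left=%any and right=%any can stay (any interface, any peer address) while the traffic selectors name only the two service addresses, so there is a single policy pair to match instead of one per interface network.

```conf
# Added example (not from the thread). Assumed layout:
#   host A service address 10.255.0.1/32 on lo
#   host B service address 10.255.0.2/32 on lo
# Before starting strongSwan, add the service address on each host as
# root, e.g. on host A:   ip addr add 10.255.0.1/32 dev lo
# and make sure each side has a route to the peer's /32 over whichever
# physical link is currently up; the service address never changes,
# only the path to it does.

config setup

conn %default
    keyexchange=ikev2
    authby=pubkey
    leftcert=hostCert.pem      # assumed certificate file name
    auto=add

# Host A's side (host B uses the mirrored values). Interface addresses
# are deliberately absent: left/right stay %any, and only the loopback
# /32s appear as traffic selectors. Traffic between interface addresses
# (management, routing protocols) therefore never matches this policy,
# which keeps the protected service flows apart from everything else.
conn service
    left=%any
    leftsubnet=10.255.0.1/32
    leftid=@host-a.example.org   # assumed identity
    right=%any
    rightsubnet=10.255.0.2/32
    rightid=@host-b.example.org  # assumed identity
```

To confirm that only the intended policies are installed after reloading, `ip xfrm policy` lists the kernel policies with their selectors and priorities, and `ipsec statusall` shows which connection each SA was negotiated under; if more than one conn claims the same selectors, that is where the overlapping policies the reply refers to will be visible.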