[strongSwan] Most specific match with intersecting subnets

Martin Willi martin at strongswan.org
Fri Mar 21 16:45:33 CET 2014


Hi,

> If the wider tunnel (tun1) comes up first then the narrow tunnel (tun2)
> never comes up!  Traffic for the tun2 destination of interest just gets
> routed down tun1.

Policies for an installed SA always have a higher priority compared to
trap policies. The way we currently calculate priorities, this implies
the behavior you have seen. While this seems not to be what you have
intended, there may be other scenarios where using any appropriate SA
might be preferable over establishing that narrower, additional tunnel.

You may try to adapt the get_priority() [1] calculation and give ROUTED
priorities a slightly higher precedence than they currently have.
priority++ might work, but there might be some side effects to
such a change.

Regards
Martin

[1]http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c;h=c864a92f;hb=HEAD#l609
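The precedence rule described in the reply (an installed SA's policy outranks a trap policy regardless of selector width, and only within the same class does the narrower selector win) can be modelled in a few lines. This is an added illustration, not strongSwan's get_priority() code: the class bases 1024/2048, the "subtract the prefix lengths" step and the /16 vs /24 selectors are all assumptions chosen to reproduce the behaviour reported in the thread.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Policy classes: a policy of an installed SA (DEFAULT) always wins over a
 * trap policy (ROUTED), whatever the selector sizes are. */
typedef enum { PRIO_DEFAULT = 0, PRIO_ROUTED = 1 } policy_class_t;

typedef struct {
    const char *name;
    policy_class_t cls;
    uint8_t prefixlen_s;   /* source selector prefix length */
    uint8_t prefixlen_d;   /* destination selector prefix length */
} policy_t;

/* Assumed model (not the project's formula): each class gets a base value
 * and the selector prefix lengths are subtracted, so a narrower selector
 * yields a numerically lower, i.e. more preferred, value. The bases are far
 * enough apart that no selector width can lift a policy into another class. */
static uint32_t model_priority(const policy_t *p)
{
    uint32_t base = (p->cls == PRIO_DEFAULT) ? 1024 : 2048;
    return base - p->prefixlen_s - p->prefixlen_d;
}

/* The kernel matches the policy with the lowest priority value. */
static const policy_t *select_policy(const policy_t *pols, size_t n)
{
    const policy_t *best = NULL;
    for (size_t i = 0; i < n; i++) {
        if (!best || model_priority(&pols[i]) < model_priority(best))
            best = &pols[i];
    }
    return best;
}

/* Scenario from the thread (constructed selectors): tun1 is the wide tunnel
 * and is already up; tun2 is the narrower one. tun2_cls says whether tun2
 * is still a trap (ROUTED) or has also been established (DEFAULT). */
const char *matched_tunnel(policy_class_t tun2_cls)
{
    policy_t pols[] = {
        { "tun1", PRIO_DEFAULT, 24, 16 },   /* wide: /24 -> /16 */
        { "tun2", tun2_cls,     24, 24 },   /* narrow: /24 -> /24 */
    };
    return select_policy(pols, 2)->name;
}
```

With tun2 still trapped the wide tun1 policy is matched, so the narrow tunnel is never triggered; once both are installed the narrower tun2 selector wins.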
