[strongSwan] Connecting to Amazon VPC with Centos/RHEL 6

Martin Willi martin at strongswan.org
Thu Sep 4 10:59:03 CEST 2014

Hi Andrew,

> adding a second connection with the same rightsubnet causes the
> policies to stomp on each over, resulting in traffic not passing though
> either tunnel.

Identical policies are not supported by the Linux kernel. Newer
strongSwan releases explicitly reject the installation of CHILD_SAs
having conflicting IPsec policies.

> this relies on being able to add a policy in the updown script that
> adds a mark.  Unfortunately, the version of iproute frozen by Centos/RHEL 6
> is 2.6.32, which is *right* before they added the ability to add policies
> with marks.

With the introduction of XFRM marks in 2.6.34, policies can be
differentiated with Netfilter marks to avoid conflicts; Netfilter rules
then can select the appropriate IPsec policy be tagging packets with the
appropriate mark. The "mark" ipsec.conf option can be used to assign
marks to individual IPsec policies.

As you've mentioned, these policy marks are not available in your
kernel. I don't see a way how you can handle these conflicting policies
on your kernel.


More information about the Users mailing list