[strongSwan] Handling of overlapping tunnel establishment

Tobias Brunner tobias at strongswan.org
Thu Jul 30 18:01:15 CEST 2015


Hi Joern,

> Let me attach a charon.log we took as we replicated the issue. I see
> several messages like these:
> 
> ...
> Jul 30 17:35:59 03[CFG] <srxgw|1> unable to install policy 0.0.0.0/0 === 0.0.0.0/0 fwd (mark 0/0x00000000) for reqid 2, the same policy for reqid 1 exists
> Jul 30 17:35:59 03[IKE] <srxgw|1> unable to install IPsec policies (SPD) in kernel
> 
> Are these the messages you were referring to?

Exactly.  Starting with strongSwan 5.3.0 the same reqid will be used
when the policies are installed with the second SA.  So you'll end up
with redundant SAs but that shouldn't be a problem.

Regards,
Tobias
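
An added example, not part of the original message or of strongSwan's code: a small parser that scans charon.log text for the reqid collision message quoted above and for the SPD install failure that follows it, grouped per connection. The function name and report fields are hypothetical; the first two sample lines are the ones quoted in the message and the remaining two are constructed.

```python
import re
from collections import defaultdict

# Policy-collision message, in the form quoted in the log excerpt above.
CONFLICT = re.compile(
    r"\[CFG\] <(?P<conn>[^|>]+)\|\d+> unable to install policy "
    r"(?P<src>\S+) === (?P<dst>\S+) (?P<dir>in|out|fwd) "
    r"\(mark [^)]+\) for reqid (?P<new>\d+), "
    r"the same policy for reqid (?P<old>\d+) exists"
)
# Follow-up message logged when the policies could not be installed.
SPD_FAIL = re.compile(
    r"\[IKE\] <(?P<conn>[^|>]+)\|\d+> unable to install IPsec policies \(SPD\) in kernel"
)

# Lines 1-2 are quoted from the message; lines 3-4 are constructed for the example.
SAMPLE_LOG = """\
Jul 30 17:35:59 03[CFG] <srxgw|1> unable to install policy 0.0.0.0/0 === 0.0.0.0/0 fwd (mark 0/0x00000000) for reqid 2, the same policy for reqid 1 exists
Jul 30 17:35:59 03[IKE] <srxgw|1> unable to install IPsec policies (SPD) in kernel
Jul 30 17:36:02 05[CFG] <srxgw|1> unable to install policy 0.0.0.0/0 === 0.0.0.0/0 out (mark 0/0x00000000) for reqid 2, the same policy for reqid 1 exists
Jul 30 17:36:05 07[IKE] <srxgw|1> constructed unrelated line
"""

def summarize_conflicts(log_text):
    """Group reqid collisions per connection and flag failed SPD installs."""
    report = defaultdict(lambda: {"pairs": set(), "policies": [], "spd_failed": False})
    for line in log_text.splitlines():
        m = CONFLICT.search(line)
        if m:
            entry = report[m["conn"]]
            # (existing reqid, reqid of the SA that failed to install)
            entry["pairs"].add((int(m["old"]), int(m["new"])))
            entry["policies"].append((m["src"], m["dst"], m["dir"]))
            continue
        m = SPD_FAIL.search(line)
        if m:
            report[m["conn"]]["spd_failed"] = True
    return dict(report)

if __name__ == "__main__":
    for conn, info in summarize_conflicts(SAMPLE_LOG).items():
        print(conn, sorted(info["pairs"]), info["policies"], info["spd_failed"])
```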


