[strongSwan] Libipsec routing overlapping SA

Matthieu mspeder at users.sourceforge.net
Sat Sep 5 19:39:55 CEST 2015

Hi All,

I'm trying to establish tunnels between a strongswan linux server and cisco
routers with VTI interfaces, using IKEv2.
Strongswan is running in an openvz environnement, so using kernel-libipsec.

The only way to make it stable using VTI on cisco is apparently to
negotiate a SA. All my attempts to restrict the subnets in
ipsec.conf made the cisco router trying to spawn new SAs every few

So I'm stuck with left and right subnets =
The problem is that I need to connect to multiple routers, leading to
overlapping SAs.

How can I install routes on the server so that for a specific destination
subnet I can select the correct tunnel ?
I first thought about some kind of marking and iptables but my feeling
reading the code is that libipsec is not using marks to match packets.

Any idea/advice ?

Thanks !

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20150905/a43ab624/attachment.html>

More information about the Users mailing list