[strongSwan] Libipsec routing overlapping SA

Zhuyj mounter625 at 163.com
Sun Sep 6 03:05:24 CEST 2015


0.0.0.0/0 cannot work; it is a limitation.

Sent from my iPhone

> On Sep 6, 2015, at 1:39, Matthieu <mspeder at users.sourceforge.net> wrote:
> 
> Hi All,
> 
> I'm trying to establish tunnels between a strongswan linux server and cisco routers with VTI interfaces, using IKEv2.
> Strongswan is running in an openvz environment, so using kernel-libipsec.
> 
> The only way to make it stable using VTI on cisco is apparently to negotiate a 0.0.0.0==0.0.0.0 SA. All my attempts to restrict the subnets in ipsec.conf made the cisco router try to spawn new SAs every few seconds...
> 
> So I'm stuck with left and right subnets = 0.0.0.0.
> The problem is that I need to connect to multiple routers, leading to overlapping 0.0.0.0==0.0.0.0 SAs.
> 
> How can I install routes on the server so that for a specific destination subnet I can select the correct tunnel?
> I first thought about some kind of marking and iptables but my feeling reading the code is that libipsec is not using marks to match packets.
> 
> Any idea/advice?
> 
> Thanks!
> 
> Matthieu
> 
> 
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users