[strongSwan] second connection from the same machine fails

Tobias Brunner tobias at strongswan.org
Fri Mar 2 09:54:28 CET 2018

Hi Naveen,

> 1) The second connection with the below configuration fails.

The log message tells you why.  The policies of the two connections
conflict.  While you don't get that error message with newer strongSwan
releases (>= 5.3.0) it would not work properly as you'd still have two
connections using the same policies.

>         mark_out=32

Why did you only set mark_out?  As you can see in the log, this causes
conflicts for the in/fwd policies:

> unable to install policy === in for reqid 2, the same policy for reqid 1 exists
> unable to install policy === fwd for reqid 2, the same policy for reqid 1 exists

> 2) I intend to use marking as a selector using a VTI interface. I see that
> the packet gets encrypted and leaves the machine; however, my intention is
> to identify return traffic after decryption to be marked with the same
> marking, so that I can route based on the marked packet to a specific
> interface, but I see that the inbound SA does not have the mark and the
> policy drops the return traffic.

There are two aspects to this: 1) if you don't set mark_in (or just
mark) how do you expect marks to be on the inbound policies and SAs?
2) with recent releases (>= 5.5.2) no mark is actually set on the
inbound SA (unless explicitly requested, which is possible since 5.6.1
via swanctl.conf), but only on the inbound policies, specifically to
allow marking packets after decryption.

> How can I get the return traffic to be marked so that there is no policy
> mismatch?

Mark the traffic via iptables (before or after decryption).

> 3) When I bring up the tunnel with leftsubnet any and rightsubnet
> any, I lose SSH access. I have disabled route install in the strongSwan
> configuration file.

Configure passthrough/bypass policies to allow SSH traffic, or set marks
on policies/SAs so only marked packets are processed.
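As an added example (not Naveen's configuration and not part of the original
thread), the ipsec.conf fragment below shows the shape of a setup that avoids all
three problems discussed above: two any/any connections from the same host that
use distinct marks in both directions (so their in/fwd policies no longer
collide), marks applied with "mark=" rather than "mark_out=" alone (so the
inbound policies carry the mark that a VTI with the matching key needs), and a
passthrough policy for SSH. The addresses, connection names, mark values and
the use of PSK authentication are assumptions made for the example.

```conf
# /etc/ipsec.conf (added example; 198.51.100.10 is the assumed local address,
# 203.0.113.20 and 203.0.113.30 the assumed peers, 32/33 the assumed marks)
config setup

conn %default
    keyexchange=ikev2
    authby=psk
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    auto=start

# First tunnel. "mark=32" sets both mark_in and mark_out, so the in and fwd
# policies are marked too and cannot be "the same policy" as another conn's.
conn site-a
    left=198.51.100.10
    right=203.0.113.20
    mark=32

# Second tunnel from the same host with identical any/any selectors.
# It is distinguishable from site-a only because its mark (both directions)
# differs; with mark_out alone its in/fwd policies would collide with site-a.
conn site-b
    left=198.51.100.10
    right=203.0.113.30
    mark=33

# Bypass policy for management traffic: SSH to and from this host never
# matches the any/any tunnel policies. The narrower selector takes precedence.
conn ssh-bypass
    leftsubnet=198.51.100.10/32[tcp/22]
    rightsubnet=0.0.0.0/0
    type=passthrough
    auto=route
```

To pair each connection with its own interface, create one VTI per mark (for
example `ip link add vti32 type vti key 32 local 198.51.100.10 remote
203.0.113.20`, then `ip link set vti32 up`) and add routes to the remote
networks via that device; the strongSwan wiki's route-based VPN page also sets
`net.ipv4.conf.vti32.disable_policy=1` on the VTI. Keep `charon.install_routes
= no` in strongswan.conf so charon does not add competing routes. The kernel's
VTI code sets the mark from the interface key before the inbound policy check,
which is why the mark must be on the inbound policy (as strongSwan does since
5.5.2) but need not be on the inbound SA. Without a VTI, the same effect is
obtained with an iptables mangle rule, either on the ESP packet before
decryption (e.g. `iptables -t mangle -A PREROUTING -p esp -s 203.0.113.20 -j
MARK --set-xmark 32`) or on the decrypted packet, matched with `-m policy --dir
in --pol ipsec`.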


