[strongSwan] Shared VTI device configuration

Tobias Brunner tobias at strongswan.org
Tue Jun 18 11:01:22 CEST 2019

Hi Aleksey,

You can't share a VTI device between multiple SAs that are associated
with the same IPsec policies ( on both ends in your case).  As
the policies are assigned the same mark (to associate them with the
VTI), the kernel couldn't decide into which SA traffic routed to the VTI
should be tunneled (it doesn't allow duplicate policies anyway, which is
why you only see one policy even when both peers are connected).

So you have to either negotiate distinct policies or use multiple
devices (i.e. use a unique mark for each CHILD_SA).


More information about the Users mailing list