[strongSwan] Shared VTI device configuration
Tobias Brunner
tobias at strongswan.org
Tue Jun 18 11:01:22 CEST 2019
Hi Aleksey,
You can't share a VTI device between multiple SAs that are associated
with the same IPsec policies (0.0.0.0/0 on both ends in your case). As
the policies are assigned the same mark (to associate them with the
VTI), the kernel couldn't decide into which SA traffic routed to the VTI
should be tunneled (it doesn't allow duplicate policies anyway, which is
why you only see one policy even when both peers are connected).
So you have to either negotiate distinct policies or use multiple
devices (i.e. use a unique mark for each CHILD_SA).
Regards,
Tobias
More information about the Users
mailing list