[strongSwan] also= not behaving as expected
tobias at strongswan.org
Tue Nov 19 09:50:17 CET 2019
> I've noticed that the order of the 'conn' statements in ipsec.conf
> determines which of the conns will work as expected (the first one) and
> which will be aliased to the previous one.
> It should also be noted that the logs show the second conn being added
> as a child of an existing configuration.
Yep, with the legacy ipsec.conf configs get merged together. In your
case the host-host CHILD_SA config is added to the already loaded
net-net IKE_SA config (as you noted, it depends on the order in the
file). With `ipsec up` you always initiate a CHILD_SA config (similar
to `swanctl -i -c`), so both conn section names are relevant there, but
since only one IKE_SA config exists, named net-net, you only see that
name for the IKE_SA (even if you have charon.reuse_ikesa disabled and
two IKE_SAs are established, they will both be known by that name).
> I was unable to reproduce this using swanctl. Possibly because my lack
> of experience with swanctl configurations.
No, that's because with swanctl.conf you have full control over separate
IKE and CHILD_SA configs.
More information about the Users