[strongSwan] Multiple connections with the same policy
Noel Kuntze
noel.kuntze+strongswan-users-ml at thermi.consulting
Mon Jun 1 19:20:33 CEST 2020
Hi,
You can't have duplicate/identical policies. At all. There's generally something broken in your setup.
Kind regards
Noel
On 28.05.20 at 18:56, korsar182 at gmail.com wrote:
> Hello,
> I have 2 endpoints with 2 IP addresses on each side. I established 2 connections between them with the same policy to make failover with a main and a backup link.
> Incoming traffic goes through one link but outgoing through the other one. This should not be a problem, but it is.
>
> It looks like this:
> conn1: #197, ESTABLISHED, IKEv2, 482f9b76fa33814b_i 28d890a8f075c0dc_r*
>   local '1.1.1.1' @ 1.1.1.1[500]
>   remote '2.2.2.2' @ 2.2.2.2[500]
>   AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
>   established 7s ago
>   to-varus: #19, reqid 2, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
>     installed 7s ago
>     in c4837279, 1068 bytes, 17 packets, 0s ago
>     out 50b38cfc, 0 bytes, 0 packets, 7s ago <-----------
>     local 10.8.1.2/32
>     remote 172.20.1.233/32
> conn2: #196, ESTABLISHED, IKEv2, cbecb3fd1afb94d8_i* 8148f7fab37e9e6c_r
>   local '3.3.3.3' @ 3.3.3.3[4500]
>   remote '4.4.4.4' @ 4.4.4.4[4500]
>   AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
>   established 45s ago
>   to-varus2: #18, reqid 2, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
>     installed 45s ago
>     in c4afe7b8, 0 bytes, 0 packets <---------
>     out 50b38cf6, 1776 bytes, 28 packets, 0s ago
>     local 10.8.1.2/32
>     remote 172.20.1.233/32
>
> Is there any way to set up priority for SA or make them work together?
>
>
> ipsec.conf:
>
> config setup
> conn %default
> conn conn1
>     left=1.1.1.1
>     leftsubnet=10.8.1.2/32
>     right=2.2.2.2
>     rightsubnet=172.20.1.233/32
> conn conn2
>     left=3.3.3.3
>     leftsubnet=10.8.1.2/32
>     right=4.4.4.4
>     rightsubnet=172.20.1.233/32