[strongSwan] Multiple connections with the same policy

korsar182 at gmail.com korsar182 at gmail.com
Thu May 28 18:56:25 CEST 2020


Hello,
I have 2 endpoints with 2 IP addresses on each side. I established 2
connections between them with the same policy to make failover with main
and backup link.
Incoming traffic goes through one link but outgoing through another
one. This should not be a problem, but it is.

It looks like this:
conn1: #197, ESTABLISHED, IKEv2, 482f9b76fa33814b_i 28d890a8f075c0dc_r*
   local  '1.1.1.1' @ 1.1.1.1[500]
   remote '2.2.2.2' @ 2.2.2.2[500]
   AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
   established 7s ago
   to-varus: #19, reqid 2, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
     installed 7s ago
     in  c4837279,   1068 bytes,    17 packets,     0s ago
     out 50b38cfc,   0 bytes,       0 packets,     7s ago    <-----------
     local  10.8.1.2/32
     remote 172.20.1.233/32
conn2: #196, ESTABLISHED, IKEv2, cbecb3fd1afb94d8_i* 8148f7fab37e9e6c_r
   local  '3.3.3.3' @ 3.3.3.3[4500]
   remote '4.4.4.4' @ 4.4.4.4[4500]
   AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
   established 45s ago
   to-varus2: #18, reqid 2, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
     installed 45s ago
     in  c4afe7b8,      0 bytes,     0 packets                <-----------
     out 50b38cf6,   1776 bytes,    28 packets,     0s ago
     local  10.8.1.2/32
     remote 172.20.1.233/32

Is there any way to set up priority for SA or make them work together?


ipsec.conf:

config setup
conn %default
conn conn1
   left=1.1.1.1
   leftsubnet=10.8.1.2/32
   right=2.2.2.2
   rightsubnet=172.20.1.233/32
conn conn2
   left=3.3.3.3
   leftsubnet=10.8.1.2/32
   right=4.4.4.4
   rightsubnet=172.20.1.233/32
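
As an added diagnostic (not part of the original post and not a strongSwan tool): a Python script that parses SA listings in the format quoted above, groups installed CHILD_SAs by their traffic selectors, and reports whether duplicates share a reqid and which direction each one actually carries packets in, i.e. the asymmetric situation marked with arrows above. It assumes the indentation of the quoted output; the sample is constructed from the values in the post.

```python
import re
from collections import defaultdict
# Constructed sample in the post's format (values from it, wrapped lines joined, IKE_SA address lines dropped).
SAMPLE = """\
conn1: #197, ESTABLISHED, IKEv2, 482f9b76fa33814b_i 28d890a8f075c0dc_r*
   to-varus: #19, reqid 2, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
     in  c4837279,   1068 bytes,    17 packets,     0s ago
     out 50b38cfc,   0 bytes,       0 packets,     7s ago
     local  10.8.1.2/32
     remote 172.20.1.233/32
conn2: #196, ESTABLISHED, IKEv2, cbecb3fd1afb94d8_i* 8148f7fab37e9e6c_r
   to-varus2: #18, reqid 2, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
     in  c4afe7b8,      0 bytes,     0 packets
     out 50b38cf6,   1776 bytes,    28 packets,     0s ago
     local  10.8.1.2/32
     remote 172.20.1.233/32
"""

CHILD_RE = re.compile(r"^ {3}(\S+): #\d+, reqid (\d+), (\w+)")
CTR_RE = re.compile(r"^ {5}(in|out)\s+[0-9a-f]+,\s+\d+ bytes,\s+(\d+) packets")
TS_RE = re.compile(r"^ {5}(local|remote)\s+(\S+)$")

def parse_child_sas(text):
    """One dict per CHILD_SA: name, reqid, state, traffic selectors, packet counts."""
    children, cur = [], None
    for line in text.splitlines():
        if m := CHILD_RE.match(line):
            cur = {"name": m[1], "reqid": int(m[2]), "state": m[3]}
            children.append(cur)
        elif cur and (m := CTR_RE.match(line)):
            cur[m[1]] = int(m[2])            # packets seen in this direction
        elif cur and (m := TS_RE.match(line)):
            cur[m[1] + "_ts"] = m[2]
    return children

def direction(sa):
    # Which direction(s) actually carried packets on this CHILD_SA.
    seen = [d for d in ("in", "out") if sa.get(d)]
    return "+".join(seen) or "none"

def find_split_paths(text):
    """INSTALLED CHILD_SAs sharing traffic selectors: common reqid? which direction does each carry?"""
    groups = defaultdict(list)
    for c in parse_child_sas(text):
        if c["state"] == "INSTALLED":
            groups[(c["local_ts"], c["remote_ts"])].append(c)
    return [{"selectors": f"{loc} <-> {rem}",
             "same_reqid": len({s["reqid"] for s in sas}) == 1,
             "direction": {s["name"]: direction(s) for s in sas}}
            for (loc, rem), sas in groups.items() if len(sas) > 1]
```

Running it on the sample yields one finding: both SAs cover 10.8.1.2/32 <-> 172.20.1.233/32 with the same reqid, to-varus carrying only inbound and to-varus2 only outbound packets.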

