[strongSwan] Multiple CHILD_SA in one IKE_SA with same TS

Marcel Menzel mail at mcl.gg
Mon Jan 24 10:48:00 CET 2022


Hello List,

I am connecting multiple XFRM interfaces, each being in a different VRF, 
between two servers running strongSwan 5.9.4.

As I am running dynamic routing protocols over those XFRM interfaces, 
all traffic selectors of the CHILD_SAs have been set to 0.0.0.0/0 & ::/0.

Now, the responder is not able to distinguish between the 
CHILD_SAs anymore (due to the same TS) for one IKE_SA, and all the 
CHILD_SAs of the initiator end up in the same (the first) CHILD_SA on 
the responder, meaning the different XFRM interfaces of the initiator 
are all being terminated in the same XFRM interface of the responder.

My current workaround is to create one IKE_SA per CHILD_SA, as I am able 
to set the local and remote ID in the IKE_SA and use these to 
distinguish the tunnels, since the local and remote addresses are the same 
as well. Unfortunately, the CHILD_SA parameter "reqid" is a local setting 
only, and looking at the docs I can't see another way to set some "ID" of 
some sort to be able to distinguish between overlapping/identical 
traffic selectors. Am I missing something here, or is this the only 
possible workaround?


Thanks

  - Marcel