On 2016-01-21, Sascha Biberhofer <s.biberho...@sphericalelephant.com> wrote:
> The thing that I've noticed is that whenever iked initiates the IKE, the
> following line is logged:
>
> ikev2_msg_send: IKE_SA_INIT request from 0.0.0.0:500 to $peerip:500...
[..]
> Clearly, this can be avoided if one adds the "local $interfaceip"
> statement to the entries in iked.conf, but this would require two
> configurations, one for each interface and a restart of iked when
> failover occurs (at least as far as I can tell).
Even with "local", iked doesn't bind for the IKE_SA_INIT so they're sent from the "default" address 0.0.0.0. This uses the address on the interface holding the route to $peerip (or the interface holding the default route) which puts quite a restriction on the places that iked can be successfully used (it's the wrong address on many non-trivial network configs).
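A small check for the behaviour described in the reply, added here as an example and not code from the thread or from iked: an unbound UDP socket takes whatever source address the kernel's route to the peer yields, which is exactly what "from 0.0.0.0:500" means in the log line. connect() on a UDP socket sends no packet, it only resolves the route, so this can be run on a multi-homed box before a failover to see which address the IKE_SA_INIT would actually leave from and whether it matches what the peer expects. The peer address 127.0.0.1 and the expected addresses in the usage lines are constructed values for the demonstration; the bind_to parameter shows what explicit binding would do, which is not what iked does for the INIT according to the reply.

```python
import socket


def route_selected_source(peer_ip, peer_port=500, bind_to=None):
    """Return the local address the kernel chooses for a UDP datagram to peer_ip.

    With bind_to=None the socket is left on 0.0.0.0, so the result is the
    address of the interface holding the route to the peer (or the default
    route), the same selection an IKE_SA_INIT sent "from 0.0.0.0:500" gets.
    With bind_to set, the socket is bound first, so the result is that
    address regardless of the route. Returns None when there is no route
    (or the bind fails, e.g. the address is not configured on this host).
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        if bind_to is not None:
            s.bind((bind_to, 0))
        # connect() on SOCK_DGRAM only fixes the route and source address;
        # nothing is transmitted.
        s.connect((peer_ip, peer_port))
        return s.getsockname()[0]
    except OSError:
        return None
    finally:
        s.close()


def check_source_address(peer_ip, expected_local):
    """Compare the route-selected source address with the address the peer
    expects (for instance the one configured in the peer's policy) and report
    the mismatch a practitioner would want to catch before relying on iked
    from a multi-homed host."""
    chosen = route_selected_source(peer_ip)
    return {
        "peer": peer_ip,
        "chosen": chosen,
        "expected": expected_local,
        "ok": chosen is not None and chosen == expected_local,
    }


if __name__ == "__main__":
    # Constructed example: loopback as the "peer" so it runs on any host.
    for peer, expected in (("127.0.0.1", "127.0.0.1"), ("127.0.0.1", "192.0.2.10")):
        r = check_source_address(peer, expected)
        status = "ok" if r["ok"] else "MISMATCH"
        print(f"peer {r['peer']}: kernel picks {r['chosen']}, "
              f"peer expects {r['expected']} -> {status}")
```

On a real deployment replace the loopback peer with $peerip and the expected value with the address the remote policy is keyed on; a MISMATCH is the case the reply describes, where the unbound INIT leaves from an interface address the peer will not accept.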