On Tue, Jul 27, 2021 at 09:55:34AM +0200, Claudio Jeker wrote:
> On Tue, Jul 27, 2021 at 07:32:09AM -0000, Stuart Henderson wrote:
> > On 2021-07-27, Vladimir Nikishkin <[email protected]> wrote:
> > > Hello, everyone.
> > >
> > > This is my iked.conf:
> > >
> > > ```
> > > ikev2 "for-phone" passive esp \
> > >         from any to 10.0.3.2/32 \
> > >         local egress peer any \
> > ...
> > >         dstid phone.mine \
> > 
> > > ikev2 "for-laptop" passive esp \
> > >         from any to 10.0.3.3/32 \
> > >         local egress peer any \
> > ...
> > >         dstid laptop.mine \
> > 
> > Two policies with "peer any" doesn't work.
> > 
> > > How to correct the setup?
> > 
> > Maybe it's possible by modifying the code, I'm not sure if the
> > id is sent early enough though so it might not be possible.
> 
> This is one of the biggest annoyances of iked. It does not even help to
> use different IPs and 'local' to split up the rules. Would love if someone
> would fix this.

Using different IPs for local should work.  The trouble is not in iked,
but in the IKEv2 protocol.  The IDs are only shared in the second part
of the handshake.  So until then, there's no way for the daemon to find
the correct policy, apart from looking at local or peer address.

That's why the settings for the IKE-SA should be similar across all
policies that could be valid, and the Child-SA can then (afaik) have
different settings.

But still, using different IPs for local should work in -current.

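The split the last reply describes, written out as an added example of what the two policies could look like; this is not config from any poster in the thread. The local addresses 192.0.2.10 and 192.0.2.11 are constructed placeholders standing for two addresses on the responder, and the options the original posts elided ("...") are left out here rather than guessed.

```conf
# Added example, not from the thread. Two passive policies that both use
# "peer any" cannot be told apart during IKE_SA_INIT, because the peer's ID
# only arrives in IKE_AUTH (the second part of the handshake). Giving each
# policy its own local address lets iked pick a policy from the address
# pair it does see in the first exchange.
#
# 192.0.2.10 and 192.0.2.11 are constructed placeholders: two addresses
# configured on this host, one per peer type, in place of "local egress".
# Any IKE-SA settings (ikesa, lifetime, ...) must be the same in both
# policies; only the Child-SA parts may differ. Options elided in the
# original posts are omitted here.

ikev2 "for-phone" passive esp \
        from any to 10.0.3.2/32 \
        local 192.0.2.10 peer any \
        dstid phone.mine

ikev2 "for-laptop" passive esp \
        from any to 10.0.3.3/32 \
        local 192.0.2.11 peer any \
        dstid laptop.mine
```

Check the result with `iked -n` (parse only) and then confirm each peer lands on the intended policy in `ikectl show sa`; if both peers connect to the same local address the ambiguity from the thread returns, since the address pair is all the daemon has before the IDs are exchanged.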