On Tue, 7 Feb 2017, Craig Marker wrote:
> I’m still having trouble making this configuration work...
> Here are my .conf files… Of note: ‘client’ and ‘server’ are names of the
> certificates. They are unique on each host, despite having the same name.
> Let me know if any logs would be useful.
>
> mark=0x5/0xff
That's not a full mask, can you instead use:
mark=5/0xffffffff
Similarly for the other marks.
> I believe the problem lies within the ip tunnel creation. On the AWS instance,
> my tunnels look like this:
>
> tunisp1: ip/ip remote any local 172.31.51.10 ttl inherit key 1
> tunisp2: ip/ip remote any local 172.31.51.10 ttl inherit key 2
>
> If I change the remote to be their public IP address, it’s still identical.
> It’s unclear how the decision is made for which one can pass traffic and
> which one cannot, but when I delete the tunnel that is passing traffic, the
> other one becomes able to pass traffic.
I think the wrong mask caused traffic to end up on the wrong IPsec SA.
Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
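A small checker for the mark= setting discussed in the thread, added here as an example; it is not part of the thread or of libreswan, and the conn names and values in the sample are constructed. It parses value/mask pairs, flags masks that do not cover the full 32-bit fwmark, and reports when two conns' selectors could match the same packet, which is the ambiguity a partial mask introduces.

```python
import re

FULL_MASK = 0xFFFFFFFF  # the Linux fwmark is a 32-bit field, so this is the full mask
_CONN_RE = re.compile(r"^\s*conn\s+(\S+)")
_MARK_RE = re.compile(r"^\s*mark(?:-in|-out)?\s*=\s*(\S+)")  # mark=, mark-in=, mark-out=


def parse_mark(spec):
    """Parse 'VALUE[/MASK]' (decimal or 0x hex) into (value, mask); no mask means full."""
    value_s, _, mask_s = spec.partition("/")
    value = int(value_s, 0)
    mask = int(mask_s, 0) if mask_s else FULL_MASK
    if not (0 <= value <= FULL_MASK and 0 <= mask <= FULL_MASK):
        raise ValueError(f"mark outside 32-bit range: {spec}")
    return value, mask


def matching_fwmarks(mask):
    """Number of distinct fwmark values that satisfy a selector with this mask (1 if full)."""
    return 1 << (32 - bin(mask).count("1"))


def marks_overlap(a, b):
    """True if one packet mark could satisfy both (value, mask) selectors."""
    common = a[1] & b[1]
    return (a[0] & common) == (b[0] & common)


def check_conf(text):
    """Scan a minimal ipsec.conf and report partial masks and overlapping selectors."""
    conns, current = {}, None
    for line in text.splitlines():
        m = _CONN_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = _MARK_RE.match(line)
        if m and current:
            conns[current] = parse_mark(m.group(1))
    partial = [name for name, (_, mask) in conns.items() if mask != FULL_MASK]
    names = sorted(conns)
    overlaps = [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
                if marks_overlap(conns[a], conns[b])]
    return {"partial": partial, "overlaps": overlaps}


# Constructed sample (names made up): two conns using the 0xff mask from the thread
SAMPLE_CONF = """\
conn isp1
    mark=0x5/0xff
conn isp2
    mark=0x105/0xff
"""
```

With the sample, both conns are reported as partial and as overlapping, since a packet marked 5 satisfies both selectors once only the low byte is compared.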