On Tue, 9 Oct 2018, [email protected] wrote:
> I have a CentOS 7 box with libreswan. It has libreswan-3.23-5.el7_5 and kernel-3.10.0-514 from CentOS. I have two conns in my ipsec.conf, both going to the same remote VPN gateway. I split the two conns for simplicity, see below:
Why is it "simpler"? If you just add the one rightsubnet of vpn174 into the rightsubnets= of vpn does it work properly then?
> The problem is that despite the conns being regularly established, in erouted state, with STATE_QUICK_[IR]2 (IPsec SA established), the packets coming from 172.16.74.0/24 (hence belonging to the second conn) are silently dropped by the kernel. I checked with the remote side admin: my packets reach him, and he replies.
What does /proc/net/xfrm_stats show? Can you also show us the ip xfrm pol and ip xfrm state output?
> Do you have any advice on how to solve and/or further investigate the problem?
I would use one conn instead of two. But it should also work with two. Perhaps the xfrm output will show us what is going on.

Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
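The three outputs Paul asks for, and a way to read them, as an added example (this is not code from the thread or from libreswan). Nearly every drop inside the kernel's xfrm code increments one counter in /proc/net/xfrm_stats, so the first question is which counter moves when a packet from 172.16.74.0/24 is sent; the second is whether ip xfrm policy has a "dir out" entry for that subnet pair at all; the third is whether ip xfrm state holds an SA matching that policy's template (src, dst, reqid). The POSIX sh helper below answers each from saved output. 172.16.74.0/24 is the subnet from the thread; the remote subnet 10.0.1.0/24, the gateway addresses 192.0.2.1 and 198.51.100.1, reqid 16389 and the counter values are assumptions used only for the constructed sample data.

```shell
#!/bin/sh
# Added diagnostic helper, not code from the thread or from libreswan. It reads
# the three outputs Paul asked for and answers three questions: which
# xfrm_stats counter is incrementing, is there a "dir out" policy for the
# subnet pair, and does an SA exist for that policy's template.
# All sample data is constructed: the remote subnet 10.0.1.0/24, the gateway
# addresses 192.0.2.1/198.51.100.1, reqid 16389 and the counter value are
# hypothetical; 172.16.74.0/24 is the subnet from the thread.

# Print every non-zero counter in an xfrm_stats file (lines are "Name<ws>count").
# A silent kernel drop bumps one of these, so look here first.
xfrm_nonzero() {
    awk 'NF == 2 && $2 + 0 != 0 { print $1, $2 }' "$1"
}

# Exit 0 if the "ip xfrm policy" dump in $1 has a "dir out" policy whose
# src/dst selectors are exactly $2/$3. Without one, IPsec never sees the packet.
policy_has_out() {
    awk -v want_src="$2" -v want_dst="$3" '
        $1 == "src" && $3 == "dst" { src = $2; dst = $4; next }
        $1 == "dir" && $2 == "out" && src == want_src && dst == want_dst { found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# Exit 0 if the "ip xfrm state" dump in $1 has an ESP SA from $2 to $3 with
# reqid $4. An outbound policy whose template has no SA is a drop.
state_has_sa() {
    awk -v want_src="$2" -v want_dst="$3" -v want_reqid="$4" '
        $1 == "src" && $3 == "dst" { src = $2; dst = $4; next }
        $1 == "proto" && $2 == "esp" && src == want_src && dst == want_dst {
            for (i = 1; i < NF; i++) if ($i == "reqid" && $(i + 1) == want_reqid) found = 1
        }
        END { exit (found ? 0 : 1) }' "$1"
}

# For one subnet pair: find the outbound policy, read its template, look for
# the SA. Returns 0 (all present), 1 (no policy) or 2 (policy but no SA).
check_pair() {
    src=$1; dst=$2; pol=$3; state=$4
    policy_has_out "$pol" "$src" "$dst" || { echo "no outbound policy $src -> $dst"; return 1; }
    # Template of the matching "dir out" policy: tmpl src, tmpl dst, reqid.
    set -- $(awk -v s="$src" -v d="$dst" '
        $1 == "src" { cur = ($2 == s && $4 == d); next }
        cur && $1 == "dir" && $2 != "out" { cur = 0 }
        cur && $1 == "tmpl" { ts = $3; td = $5 }
        cur && $1 == "proto" { for (i = 1; i < NF; i++) if ($i == "reqid") r = $(i + 1); print ts, td, r; exit }' "$pol")
    state_has_sa "$state" "$1" "$2" "$3" && { echo "policy and SA present $src -> $dst"; return 0; }
    echo "policy $src -> $dst has template $1 -> $2 reqid $3 but no matching SA"
    return 2
}

# Live inputs on the affected box (as root):
#   cat /proc/net/xfrm_stats >stats; ip xfrm policy >policy; ip xfrm state >state
# Constructed stand-ins follow so the helpers can be exercised offline.
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
STATS=$TMP/stats; POL=$TMP/policy; STATE=$TMP/state

# Constructed xfrm_stats excerpt (the real file lists about 28 counters).
cat >"$STATS" <<'EOF'
XfrmInError              0
XfrmInNoStates           0
XfrmInTmplMismatch       0
XfrmInNoPols             0
XfrmOutNoStates          12
XfrmOutPolBlock          0
EOF

# Constructed "ip xfrm policy" dump for the second conn's subnet pair.
cat >"$POL" <<'EOF'
src 172.16.74.0/24 dst 10.0.1.0/24
    dir out priority 2080 ptype main
    tmpl src 192.0.2.1 dst 198.51.100.1
        proto esp reqid 16389 mode tunnel
src 10.0.1.0/24 dst 172.16.74.0/24
    dir in priority 2080 ptype main
    tmpl src 198.51.100.1 dst 192.0.2.1
        proto esp reqid 16389 mode tunnel
EOF

# Constructed "ip xfrm state" dump: only the inbound SA exists, so the
# outbound template has nothing to match.
cat >"$STATE" <<'EOF'
src 198.51.100.1 dst 192.0.2.1
    proto esp spi 0x0a1b2c3d reqid 16389 mode tunnel
    replay-window 32 flag af-unspec
    enc cbc(aes) 0x00112233445566778899aabbccddeeff
EOF

echo "non-zero counters:"; xfrm_nonzero "$STATS"
check_pair 172.16.74.0/24 10.0.1.0/24 "$POL" "$STATE" || echo "check_pair exit status $?"
```

Take the counters before and after sending a single ping from 172.16.74.0/24 so that a change is attributable to that packet; ip -s xfrm state adds per-SA lifetime and error counts. With two conns to one peer, the thing to compare is the reqid in each conn's "dir out" template against the reqid of the SAs actually installed.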
