Jessie Liu wrote:
> But if I add leftsourceip=%config in ipsec.conf, the SCTP packets will not go
> through the tunnel, but ping packets will. If I remove
> leftsourceip=%config from ipsec.conf, the SCTP packets will flow through the
> tunnel. Could you give me some hints on what has happened and what I should
> check? I am using kernel version 2.6.28.
Hi Jessie,

what about TCP and UDP traffic? Do those packets stick to the tunnel?

Your problem might be related to SCTP's multi-homing feature, where each endpoint announces all of its IP addresses to the other peer. This is important for fail-over scenarios. In your case this feature might be counterproductive: both peers try to use all available paths that can be used to exchange data, but only one path is protected by IPsec. So I guess you need to set up firewall policies to block all alternative paths. This way you can force the SCTP implementation to use only one (secure) path.

Let's say host A has IP addresses 1.1.1.10 and 2.2.2.10. Host B has 1.1.1.20 and 2.2.2.20. If host A initiates a connection to host B, it sooner or later tries all four different combinations of IP addresses in the hope that the traffic flows on different paths if it switches the IP addresses. TCP always sticks to the same pair of IP addresses.

-Daniel

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
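The following is an added example, not code from the thread or from strongSwan, illustrating Daniel's point: it decodes the address list an SCTP endpoint advertises in its INIT chunk (the multi-homing announcement, RFC 4960 section 3.3.2), enumerates the source/destination combinations the two hosts from his example could try, and renders DROP rules for every combination except the one the IPsec policy covers. The host addresses are the ones from the reply; the use of iptables as the "firewall policies", the function names and the sample INIT chunk are assumptions made here for illustration.

```python
"""Added example (not from the strongSwan thread): decode the address list an
SCTP endpoint advertises in its INIT chunk (RFC 4960, section 3.3.2), then
compute which source/destination combinations are NOT the one covered by the
IPsec policy so they can be blocked in the firewall.
The iptables syntax and all addresses are illustrative assumptions."""

import ipaddress
import struct
from itertools import product

CHUNK_TYPE_INIT = 1
PARAM_IPV4_ADDRESS = 5   # RFC 4960 section 3.3.2.1
PARAM_IPV6_ADDRESS = 6


def build_init_chunk(addresses, init_tag=0x12345678):
    """Construct a minimal INIT chunk carrying one Address parameter per
    address (constructed sample data; a real INIT carries more parameters)."""
    params = b""
    for a in addresses:
        ip = ipaddress.ip_address(a)
        ptype = PARAM_IPV4_ADDRESS if ip.version == 4 else PARAM_IPV6_ADDRESS
        params += struct.pack("!HH", ptype, 4 + len(ip.packed)) + ip.packed
    # initiate tag, a_rwnd, outbound streams, inbound streams, initial TSN
    fixed = struct.pack("!IIHHI", init_tag, 65535, 10, 10, 1)
    body = fixed + params
    return struct.pack("!BBH", CHUNK_TYPE_INIT, 0, 4 + len(body)) + body


def advertised_addresses(chunk):
    """Walk the TLV parameters of an INIT chunk and return the addresses it
    announces for multi-homing. Every length field is checked before use so a
    truncated or malformed chunk raises instead of being read out of bounds."""
    if len(chunk) < 20:
        raise ValueError("INIT chunk shorter than its fixed header")
    ctype, _flags, clen = struct.unpack("!BBH", chunk[:4])
    if ctype != CHUNK_TYPE_INIT or clen > len(chunk):
        raise ValueError("not a well-formed INIT chunk")
    addrs = []
    off = 20                           # 4-byte chunk header + 16-byte fixed part
    while off + 4 <= clen:
        ptype, plen = struct.unpack("!HH", chunk[off:off + 4])
        if plen < 4 or off + plen > clen:
            raise ValueError("bad parameter length")
        value = chunk[off + 4:off + plen]
        if ptype == PARAM_IPV4_ADDRESS and len(value) == 4:
            addrs.append(str(ipaddress.IPv4Address(value)))
        elif ptype == PARAM_IPV6_ADDRESS and len(value) == 16:
            addrs.append(str(ipaddress.IPv6Address(value)))
        off += (plen + 3) & ~3         # parameters are padded to a 4-byte boundary
    return addrs


def unprotected_paths(local_addrs, peer_addrs, protected):
    """All (src, dst) combinations SCTP may try, minus the pair the IPsec
    policy covers. With two addresses per host that leaves three paths."""
    return [p for p in product(local_addrs, peer_addrs) if p != protected]


def drop_rules(paths):
    """Render per-path DROP rules in both directions. iptables is an assumed
    example of the firewall; adapt the syntax to whatever is in use."""
    rules = []
    for src, dst in paths:
        tool = "ip6tables" if ":" in src else "iptables"
        rules.append(f"{tool} -A OUTPUT -p sctp -s {src} -d {dst} -j DROP")
        rules.append(f"{tool} -A INPUT -p sctp -s {dst} -d {src} -j DROP")
    return rules


if __name__ == "__main__":
    # Constructed sample: host A = 1.1.1.10/2.2.2.10, host B = 1.1.1.20/2.2.2.20,
    # and only 1.1.1.10 <-> 1.1.1.20 is protected by the IPsec policy.
    host_a = ["1.1.1.10", "2.2.2.10"]
    init_from_b = build_init_chunk(["1.1.1.20", "2.2.2.20"])
    host_b = advertised_addresses(init_from_b)
    print("peer advertises:", host_b)
    for rule in drop_rules(unprotected_paths(host_a, host_b, ("1.1.1.10", "1.1.1.20"))):
        print(rule)
```

Running the block prints the two addresses host B announced and six DROP rules (three unprotected paths, each blocked inbound and outbound). The parser is where a practitioner should be careful: the parameter length comes from the wire, so it is validated against the chunk length before slicing.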
