Hi Daniel,

The reason why it didn't work before was totally unrelated to strongSwan; adding the multiple routes works beautifully despite the error.

I love this, thanks,

Joep

Daniel Mentz wrote:
> Jessie Liu wrote:
>
>> But if I add leftsourceip=%config in ipsec.conf, the SCTP packets will not
>> go through the tunnel, but ping packets will... If I remove
>> leftsourceip=%config from ipsec.conf, the SCTP packets will flow through the
>> tunnel. Could you give me some hints what has happened and what I should
>> check? I am using kernel version 2.6.28.
>>
>
> Hi Jessie,
>
> what about TCP and UDP traffic? Do those packets stick to the tunnel?
> Your problem might be related to SCTP's multi-homing feature, where each
> endpoint announces all of its IP addresses to the other peer. This is
> important for fail-over scenarios.
> In your case this feature might be counterproductive. Both peers try to
> use all available paths that can be used to exchange data. But only one
> path is protected by IPsec. So I guess you need to set up firewall
> policies to block all alternative paths. This way you can force the SCTP
> implementation to use only one (secure) path.
>
> Let's say host A has IP addresses 1.1.1.10 and 2.2.2.10. Host B has
> 1.1.1.20 and 2.2.2.20. If host A initiates a connection to host B it
> sooner or later tries all four different combinations of IP addresses in
> the hope that the traffic flows on different paths if they switch the IP
> addresses.
> TCP always sticks to the same pair of IP addresses.
>
> -Daniel
>
> _______________________________________________
> Users mailing list
> [email protected]
> https://lists.strongswan.org/mailman/listinfo/users
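The firewall-policy approach Daniel describes, as an added example that is not part of the thread or of strongSwan: a small Python helper that enumerates every local/remote address pair a multi-homed SCTP association may try, reports the pairs no IPsec traffic selector covers, and emits iptables DROP rules for them. The addresses are the ones from the thread; that only the 1.1.1.10 to 1.1.1.20 pair is covered by the IPsec policy is an assumption.

```python
import ipaddress
import itertools

# Constructed from the thread: host A is multi-homed on 1.1.1.10 and 2.2.2.10,
# host B on 1.1.1.20 and 2.2.2.20. Assumption: the ipsec.conf policy
# (leftsubnet/rightsubnet) protects only the 1.1.1.10 <-> 1.1.1.20 pair.
HOST_A = ["1.1.1.10", "2.2.2.10"]
HOST_B = ["1.1.1.20", "2.2.2.20"]
PROTECTED = [("1.1.1.10/32", "1.1.1.20/32")]  # (leftsubnet, rightsubnet)


def unprotected_pairs(local_addrs, remote_addrs, selectors):
    """Return every (local, remote) pair that SCTP multi-homing may try but
    that no IPsec traffic selector covers, in enumeration order.

    SCTP announces all addresses of both endpoints, so the association can
    switch to any combination; only pairs inside a selector are encrypted."""
    nets = [(ipaddress.ip_network(l), ipaddress.ip_network(r)) for l, r in selectors]
    leaks = []
    for local, remote in itertools.product(local_addrs, remote_addrs):
        la, ra = ipaddress.ip_address(local), ipaddress.ip_address(remote)
        if not any(la in ln and ra in rn for ln, rn in nets):
            leaks.append((local, remote))
    return leaks


def drop_rules(local_addrs, remote_addrs, selectors):
    """Emit iptables rules that drop SCTP on each unprotected pair in both
    directions, so the association can only use the IPsec-protected path."""
    rules = []
    for local, remote in unprotected_pairs(local_addrs, remote_addrs, selectors):
        rules.append(f"iptables -A OUTPUT -p sctp -s {local} -d {remote} -j DROP")
        rules.append(f"iptables -A INPUT -p sctp -s {remote} -d {local} -j DROP")
    return rules


if __name__ == "__main__":
    for pair in unprotected_pairs(HOST_A, HOST_B, PROTECTED):
        print("unprotected SCTP path:", pair)
    print("\n".join(drop_rules(HOST_A, HOST_B, PROTECTED)))
```

On Linux the same intent can be expressed without enumerating pairs by accepting SCTP only where the iptables policy match (`-m policy --pol ipsec`) fires and dropping all other SCTP.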
