Hi All, I'm trying to establish tunnels between a strongSwan Linux server and Cisco routers with VTI interfaces, using IKEv2. strongSwan is running in an OpenVZ environment, so it is using kernel-libipsec.
The only way to make it stable using VTI on Cisco is apparently to negotiate a 0.0.0.0==0.0.0.0 SA. All my attempts to restrict the subnets in ipsec.conf made the Cisco router try to spawn new SAs every few seconds... So I'm stuck with left and right subnets = 0.0.0.0. The problem is that I need to connect to multiple routers, leading to overlapping 0.0.0.0==0.0.0.0 SAs. How can I install routes on the server so that for a specific destination subnet I can select the correct tunnel? I first thought about some kind of marking and iptables, but my feeling from reading the code is that libipsec is not using marks to match packets. Any idea/advice? Thanks!

Matthieu
_______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
