Hi Bart,

> I've noticed that the order of the 'conn' statements in ipsec.conf
> determines which of the conns will work as expected (the first one) and
> which will be aliased to the previous one.
>
> It should also be noted that the logs show the second conn being added
> as a child of an existing configuration.
Yep, with the legacy ipsec.conf configs get merged together. In your case the host-host CHILD_SA config is added to the already loaded net-net IKE_SA config (as you noted, it depends on the order in the file). With `ipsec up` you always initiate a CHILD_SA config (similar to `swanctl -i -c`), so both conn section names are relevant there, but since only one IKE_SA config exists, named net-net, you only see that name for the IKE_SA (even if you have charon.reuse_ikesa disabled and two IKE_SAs are established, they will both be known by that name).

> I was unable to reproduce this using swanctl. Possibly because of my lack
> of experience with swanctl configurations.

No, that's because with swanctl.conf you have full control over separate IKE and CHILD_SA configs.

Regards,
Tobias

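As an added illustration (not part of the thread above, and not strongSwan's own example), the two-conn layout described in the thread in both formats: in ipsec.conf the two conns share the same IKE-level settings and so end up as one IKE_SA config named after the first conn, while the swanctl.conf equivalent keeps two independent connections. Addresses and subnets are constructed; the PSK itself (ipsec.secrets / swanctl secrets section) is omitted.

```conf
# --- /etc/ipsec.conf (legacy stroke backend) ---
# Same left/right/authby in both conns: charon merges them into a single
# IKE_SA config "net-net" (the first conn in the file) carrying two
# CHILD_SA configs, "net-net" and "host-host".
conn net-net
    left=192.0.2.1             # constructed addresses
    right=198.51.100.1
    authby=psk
    leftsubnet=10.1.0.0/16
    rightsubnet=10.2.0.0/16
    auto=add

conn host-host
    left=192.0.2.1
    right=198.51.100.1
    authby=psk
    auto=add                   # no subnets: host-to-host selectors

# --- /etc/swanctl/conf.d/site.conf (vici backend) ---
# Each connection block is its own IKE_SA config with its own children,
# so "swanctl -i -c host-host" brings up an IKE_SA that is actually
# named host-host, not an extra child under net-net.
connections {
    net-net {
        local_addrs  = 192.0.2.1
        remote_addrs = 198.51.100.1
        local  { auth = psk }
        remote { auth = psk }
        children {
            net-net {
                local_ts  = 10.1.0.0/16
                remote_ts = 10.2.0.0/16
            }
        }
    }
    host-host {
        local_addrs  = 192.0.2.1
        remote_addrs = 198.51.100.1
        local  { auth = psk }
        remote { auth = psk }
        children {
            # local_ts/remote_ts left at their default (dynamic), i.e.
            # the hosts' own addresses
            host-host { }
        }
    }
}
```

After `swanctl --load-all`, `swanctl -l` lists the IKE_SA under whichever connection name was initiated, which is the quickest way to confirm the two configs stayed separate.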