Hi,

You can't have duplicate/identical policies. At all. There's generally something broken in your setup.

Kind regards
Noel

On 28.05.20 at 18:56, [email protected] wrote:
> Hello,
> I have 2 endpoints with 2 IP addresses on each side. I established 2
> connections between them with the same policy to make failover with main and
> backup link.
> Incoming traffic goes through one link but outgoing through another one.
> This should not be a problem, but it is.
>
> It looks like this:
>
> conn1: #197, ESTABLISHED, IKEv2, 482f9b76fa33814b_i 28d890a8f075c0dc_r*
>   local  '1.1.1.1' @ 1.1.1.1[500]
>   remote '2.2.2.2' @ 2.2.2.2[500]
>   AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
>   established 7s ago
>   to-varus: #19, reqid 2, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
>     installed 7s ago
>     in  c4837279, 1068 bytes, 17 packets, 0s ago
>     out 50b38cfc, 0 bytes, 0 packets, 7s ago <-----------
>     local  10.8.1.2/32
>     remote 172.20.1.233/32
>
> conn2: #196, ESTABLISHED, IKEv2, cbecb3fd1afb94d8_i* 8148f7fab37e9e6c_r
>   local  '3.3.3.3' @ 3.3.3.3[4500]
>   remote '4.4.4.4' @ 4.4.4.4[4500]
>   AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
>   established 45s ago
>   to-varus2: #18, reqid 2, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
>     installed 45s ago
>     in  c4afe7b8, 0 bytes, 0 packets <---------
>     out 50b38cf6, 1776 bytes, 28 packets, 0s ago
>     local  10.8.1.2/32
>     remote 172.20.1.233/32
>
> Is there any way to set up priority for SA or make them work together?
>
>
> ipsec.conf:
>
> config setup
>
> conn %default
>
> conn conn1
>     left=1.1.1.1
>     leftsubnet=10.8.1.2/32
>     right=2.2.2.2
>     rightsubnet=172.20.1.233/32
>
> conn conn2
>     left=3.3.3.3
>     leftsubnet=10.8.1.2/32
>     right=4.4.4.4
>     rightsubnet=172.20.1.233/32
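An added example, not code from this thread or from strongSwan: a small Python checker that parses an ipsec.conf in the layout quoted above and reports conns whose traffic selectors (leftsubnet/rightsubnet, falling back to left/right when no subnet is given) are identical, which is the duplicate-policy condition Noel points out. In the quoted status output both CHILD_SAs also carry the same reqid, which is the visible symptom of two conns competing for one policy. The embedded configuration is constructed to mirror the one quoted; `parse_ipsec_conf`, `selectors` and `find_duplicate_policies` are names chosen here and assume the classic ipsec.conf syntax (section headers in column 0, indented key=value lines, `conn %default` applied to every conn).

```python
"""Flag duplicate IPsec policies (identical traffic selectors) in an ipsec.conf.

Added example for this thread; not strongSwan code. Assumes the classic
ipsec.conf layout: section headers in column 0, indented key=value lines,
and a 'conn %default' section whose settings apply to every other conn.
"""
import ipaddress
from collections import defaultdict

# Constructed sample mirroring the configuration quoted in the thread.
SAMPLE_CONF = """\
config setup

conn %default

conn conn1
    left=1.1.1.1
    leftsubnet=10.8.1.2/32
    right=2.2.2.2
    rightsubnet=172.20.1.233/32

conn conn2
    left=3.3.3.3
    leftsubnet=10.8.1.2/32
    right=4.4.4.4
    rightsubnet=172.20.1.233/32
"""


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} for every conn, with %default merged in."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()   # strip trailing comments
        if not line.strip():
            continue
        if not raw[0].isspace():               # section header, e.g. "conn conn1"
            kind, _, name = line.partition(' ')
            current = (kind, name.strip())
            sections[current] = {}
        elif current is not None and '=' in line:
            key, _, value = line.strip().partition('=')
            sections[current][key.strip()] = value.strip()
    defaults = sections.get(('conn', '%default'), {})
    conns = {}
    for (kind, name), settings in sections.items():
        if kind != 'conn' or name == '%default':
            continue
        merged = dict(defaults)
        merged.update(settings)
        conns[name] = merged
    return conns


def _as_network(value):
    """Parse a subnet or host into an ip_network; keep odd values (e.g. %any) as text."""
    try:
        return ipaddress.ip_network(value, strict=False)
    except ValueError:
        return value


def selectors(settings):
    """Normalise one conn's traffic selectors to a hashable (left, right) key.

    leftsubnet/rightsubnet may be comma-separated lists; when absent, the
    selector is the endpoint address itself (ipsec.conf semantics).
    """
    def nets(side):
        raw = settings.get(side + 'subnet')
        if raw is None:
            host = settings.get(side)
            return frozenset({_as_network(host)}) if host else frozenset()
        return frozenset(_as_network(n.strip()) for n in raw.split(','))
    return (nets('left'), nets('right'))


def find_duplicate_policies(text):
    """Group conns by traffic selector; return the groups with more than one conn."""
    groups = defaultdict(list)
    for name, settings in parse_ipsec_conf(text).items():
        groups[selectors(settings)].append(name)
    return [sorted(names) for names in groups.values() if len(names) > 1]


if __name__ == '__main__':
    for names in find_duplicate_policies(SAMPLE_CONF):
        print('duplicate policy (identical traffic selectors):', ', '.join(names))
```

Run it against a config before loading it: any group it prints is a set of conns that the kernel cannot hold as separate policies, which is exactly the state the quoted status output shows (one CHILD_SA seeing only inbound packets, the other only outbound).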
