Hi, would setting this "reqid" option for each of the tunnels (with different left/right IDs set) on both the initiator and responder peers help?
The below is the setting that is available (in swanctl.conf):
------------------------------------------------------------
connections.<conn>.children.<child>.reqid = 0 (default value)
  Fixed reqid to use for this CHILD_SA. This might be helpful in some
  scenarios, but works only if each CHILD_SA configuration is instantiated
  not more than once. The default of 0 uses dynamic reqids, allocated
  incrementally.
------------------------------------------------------------

regards
Rajiv

On Tue, Jan 25, 2022 at 1:19 AM Noel Kuntze <noel.kuntze+strongswan-users-ml@thermi.consulting> wrote:
> Hello Marcel,
>
> You already found the only good solution to the problem.
> The general problem is that there's no way to identify any specific
> CHILD_SA because there are no markers or authentication procedures, or ways
> to match them by establishment order.
>
> Kind regards
> Noel
>
> On 24.01.22 at 10:48, Marcel Menzel wrote:
> > Hello List,
> >
> > I am connecting multiple XFRM interfaces, each being in a different VRF,
> > between two servers running strongSwan 5.9.4.
> >
> > As I am running dynamic routing protocols over those XFRM interfaces,
> > all traffic selectors of the CHILD_SAs have been set to 0.0.0.0/0 & ::/0.
> >
> > Now, the responder is not able to distinguish between the
> > CHILD_SAs anymore (due to the same TS) for one IKE_SA, and all the CHILD_SAs
> > of the initiator end up in the same (the first) CHILD_SA in the responder,
> > meaning the different XFRM interfaces of the initiator are all being
> > terminated in the same XFRM interface of the responder.
> >
> > My current workaround is to create one IKE_SA per CHILD_SA, as I am able
> > to set the local and remote ID in the IKE_SA and use these to distinguish
> > the tunnels, as the local and remote addresses are the same as well.
> > Unfortunately, the CHILD_SA parameter "reqid" is a local setting only and,
> > looking at the docs, I can't see another way to set some "ID" of some sort
> > to be able to distinguish between overlapping/identical traffic selectors.
> > Am I missing something here or is this the only possible workaround?
> >
> > Thanks
> >
> > - Marcel
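As an added example (not from the thread or the strongSwan project), an initiator-side swanctl.conf sketch of the workaround Marcel describes: one IKE_SA per VRF tunnel, told apart by distinct IKE identities rather than by the (identical) traffic selectors, with each child bound to its own XFRM interface through if_id_in/if_id_out. Addresses, identities and if_id values are assumed placeholders.

```conf
# Added example (not from the thread): initiator-side swanctl.conf for the
# workaround Marcel describes. Two VRF tunnels, each as its own IKE_SA with
# distinct IKE identities, each child bound to its own XFRM interface by if_id.
# Addresses, identities and if_id values are assumed placeholders.
connections {
    vrf-a {
        local_addrs  = 192.0.2.1        # assumed initiator address
        remote_addrs = 198.51.100.1     # assumed responder address
        local {
            auth = psk
            id = vrf-a@initiator.example   # distinct per tunnel: the responder
        }                                  # selects its config by these IDs
        remote {
            auth = psk
            id = vrf-a@responder.example
        }
        children {
            vrf-a {
                local_ts  = 0.0.0.0/0, ::/0   # identical on every tunnel
                remote_ts = 0.0.0.0/0, ::/0
                if_id_in  = 11                # XFRM interface for VRF A (assumed)
                if_id_out = 11
                start_action = start
            }
        }
    }
    vrf-b {
        local_addrs  = 192.0.2.1        # same addresses as vrf-a
        remote_addrs = 198.51.100.1
        local {
            auth = psk
            id = vrf-b@initiator.example
        }
        remote {
            auth = psk
            id = vrf-b@responder.example
        }
        children {
            vrf-b {
                local_ts  = 0.0.0.0/0, ::/0
                remote_ts = 0.0.0.0/0, ::/0
                if_id_in  = 12                # XFRM interface for VRF B (assumed)
                if_id_out = 12
                start_action = start
            }
        }
    }
}
```

The responder mirrors this with the local/remote identities swapped and the same per-VRF if_id values; the PSKs belong in a secrets section, omitted here.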