Hello,

I'm trying to configure two route-based IPsec tunnels using XFRMi, where the 
load-balancing will be decided by BGP. The setup is like this:
       | <--- Server1-to-Server2 (IPsec) ---> | Server2
Server1|
       | <--- Server1-to-Server3 (IPsec) ---> | Server3

The problem is: only one tunnel goes Up, while for the second I receive the 
following message:
May  8 13:34:54.350146: "Server1-to-Server3" #61: cannot install kernel policy 
0.0.0.0/0===0.0.0.0/0; in use by established Child SA "Server1-to-Server2" #60 
with routing routed-tunnel

Here is the config:
conn Server1-to-Server2
        auto=start
        ipsec-interface=1
        leftid="192.168.160.242"
        left=%eth0
        leftsourceip=10.20.20.1
        leftsubnet=0.0.0.0/0
        rightid="192.168.160.243"
        right=192.168.160.243
        rightsourceip=10.20.20.2
        rightsubnet=0.0.0.0/0
        authby=secret

conn Server1-to-Server3
        auto=start
        ipsec-interface=2
        leftid="192.168.160.242"
        left=%eth0
        leftsourceip=10.30.30.1
        leftsubnet=0.0.0.0/0
        rightid="192.168.160.244"
        right=192.168.42.244
        rightsourceip=10.30.30.2
        rightsubnet=0.0.0.0/0
        authby=secret

The tunnel that will be chosen to go up is random. How can I solve this to have 
both established?

Thanks,
Gabriel Dinse
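
The log line in the post names the selector pair 0.0.0.0/0===0.0.0.0/0 that both conns request. As an added example (not part of the original post and not libreswan code), this Python script parses ipsec.conf-style text and lists conns that share an identical leftsubnet/rightsubnet pair, along with their ipsec-interface values. The function names and the reduced sample config are constructed for illustration, and it assumes each subnet option holds a single CIDR.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: the two conns from the post, reduced to the relevant keys.
SAMPLE_CONF = """\
conn Server1-to-Server2
        ipsec-interface=1
        leftsubnet=0.0.0.0/0
        rightsubnet=0.0.0.0/0

conn Server1-to-Server3
        ipsec-interface=2
        leftsubnet=0.0.0.0/0
        rightsubnet=0.0.0.0/0
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if line.startswith("conn "):
            current = conns.setdefault(line.split(None, 1)[1], {})
        elif line.startswith("config "):
            current = None  # "config setup" keys do not belong to a conn
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return conns

def selector_collisions(conns):
    """Group conns by normalised (leftsubnet, rightsubnet); keep groups of 2+."""
    groups = defaultdict(list)
    for name, opts in conns.items():
        if "leftsubnet" not in opts or "rightsubnet" not in opts:
            continue  # selectors left at their defaults are not compared here
        pair = tuple(str(ipaddress.ip_network(opts[k], strict=False))
                     for k in ("leftsubnet", "rightsubnet"))
        groups[pair].append((name, opts.get("ipsec-interface")))
    return {pair: members for pair, members in groups.items() if len(members) > 1}

if __name__ == "__main__":
    for (left, right), members in selector_collisions(parse_conns(SAMPLE_CONF)).items():
        print(f"{left}==={right} shared by:")
        for name, ifid in members:
            print(f"  {name} (ipsec-interface={ifid})")
```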

_______________________________________________
Swan-dev mailing list -- [email protected]