Thanks Tobias, I changed the marking for the connections to be unique and also added mark_in. Now I see that the ssh issue is also resolved, but I need to get the return traffic routed to the vti interface based on the marking.
Regards,
Naveen

On Fri, Mar 2, 2018 at 12:54 AM, Tobias Brunner <tob...@strongswan.org> wrote:
> Hi Naveen,
>
>> 1) The second connection with the below configuration fails.
>
> The log message tells you why. The policies of the two connections
> conflict. While you don't get that error message with newer strongSwan
> releases (>= 5.3.0) it would not work properly as you'd still have two
> connections using the same policies.
>
>> mark_out=32
>
> Why did you only set mark_out? As you can see in the log this causes
> conflicts for the in/fwd policies:
>
>> unable to install policy 0.0.0.0/0 === 0.0.0.0/0 in for reqid 2, the
>> same policy for reqid 1 exists
>> unable to install policy 0.0.0.0/0 === 0.0.0.0/0 fwd for reqid 2, the
>> same policy for reqid 1 exists
>
>> 2) I intend to use marking as selector using VTI interface, I see that
>> the packet gets encrypted and leaves the machine, however my intention is
>> to identify return traffic after decryption to be marked with the same
>> marking, so that I can route based on the marked packet to a specific
>> interface, but I see that the inbound SA does not have the mark and the
>> policy drops the return traffic.
>
> There are two aspects to this: 1) if you don't set mark_in (or just
> mark) how do you expect marks to be on the inbound policies and SAs?
> 2) with recent releases (>= 5.5.2) no mark is actually set on the
> inbound SA (unless explicitly requested, which is possible since 5.6.1
> via swanctl.conf), but only on the inbound policies, specifically to
> allow marking packets after decryption.
>
>> How can I get the return traffic to be marked so that there is no policy
>> mismatch.
>
> Mark the traffic via iptables (before or after decryption).
>
>> 3) When I bring up the tunnel with the leftsubnet any and rightsubnet
>> any, I lose ssh access, I have disabled route install from strongswan
>> configuration file.
>
> Configure passthrough/bypass policies to allow SSH traffic, or set marks
> on policies/SAs so only marked packets are processed.
>
> Regards,
> Tobias
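For the three points Tobias raises (a unique mark per connection, a mark on the inbound side so a VTI device can match decrypted traffic, and a bypass for SSH), here is a constructed swanctl.conf fragment; it is an added example, not configuration posted in this thread. Peer addresses and identities are placeholders, and the option that puts the mark on the inbound SA is assumed to be named mark_in_sa (the swanctl.conf knob Tobias refers to for releases >= 5.6.1).

```conf
# swanctl.conf (constructed example). Route installation is assumed to be
# disabled in strongswan.conf (charon.install_routes = no), as in the thread.
connections {
    peer-a {
        remote_addrs = 192.0.2.10            # placeholder peer address
        local  { auth = psk  id = gw.example.org }
        remote { auth = psk  id = peer-a.example.org }
        children {
            vti32 {
                local_ts  = 0.0.0.0/0
                remote_ts = 0.0.0.0/0
                # Same mark on both directions: the in/fwd policies of this
                # child no longer collide with peer-b's 0.0.0.0/0 policies.
                mark_in  = 32
                mark_out = 32
                # Assumed option name: also put mark 32 on the inbound SA so a
                # VTI created with "key 32" receives the decrypted packets.
                mark_in_sa = yes
                start_action = start
            }
        }
    }
    peer-b {
        remote_addrs = 198.51.100.20         # placeholder peer address
        local  { auth = psk  id = gw.example.org }
        remote { auth = psk  id = peer-b.example.org }
        children {
            vti33 {
                local_ts  = 0.0.0.0/0
                remote_ts = 0.0.0.0/0
                mark_in  = 33                # distinct from peer-a
                mark_out = 33
                mark_in_sa = yes
                start_action = start
            }
        }
    }
    # Passthrough (bypass) shunt so management SSH is never swallowed by the
    # catch-all tunnel policies; only unmarked packets reach this policy.
    shunts {
        children {
            ssh-bypass {
                local_ts  = 0.0.0.0/0[tcp/22]
                remote_ts = 0.0.0.0/0
                mode = pass
                start_action = trap
            }
        }
    }
}
```

Return traffic that has been decrypted then carries mark 32 or 33, so an `ip rule add fwmark 32 table <vti-table>` style policy route (or an iptables mangle rule, as Tobias suggests) can steer it to the matching VTI.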