
You can't have duplicate/identical policies. At all. There's generally 
something broken in your setup.

Kind regards


Am 28.05.20 um 18:56 schrieb korsar...@gmail.com:
> Hello,
> I have 2 endpoints with 2 IP addresses on each side. I established 2 
> connections between them with the same policy to make failover with main and 
> backup link.
> Incoming traffic goes through one link but outgoing through the other one. 
> This should not be a problem, but it is.
> It looks like this:
> conn1: #197, ESTABLISHED, IKEv2, 482f9b76fa33814b_i 28d890a8f075c0dc_r*
>   local  '' @[500]
>   remote '' @[500]
>   AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
>   established 7s ago
>   to-varus: #19, reqid 2, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
>     installed 7s ago
>     in  c4837279,   1068 bytes,    17 packets,     0s ago
>     out 50b38cfc,   0 bytes,       0 packets,     7s ago    <-----------
>     local
>     remote
> conn2: #196, ESTABLISHED, IKEv2, cbecb3fd1afb94d8_i* 8148f7fab37e9e6c_r
>   local  '' @[4500]
>   remote '' @[4500]
>   AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
>   established 45s ago
>   to-varus2: #18, reqid 2, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
>     installed 45s ago
>     in  c4afe7b8,      0 bytes,     0 packets                <---------
>     out 50b38cf6,   1776 bytes,    28 packets,     0s ago
>     local
>     remote
> Is there any way to set up priority for SA or make them work together?
> ipsec.conf:
> config setup
> conn %default
> conn conn1
>   left=
>   leftsubnet=
>   right=
>   rightsubnet=
> conn conn2
>   left=
>   leftsubnet=
>   right=
>   rightsubnet=

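An added example, not part of the original exchange or of strongSwan itself: a small Python check that parses status output in the format shown above and flags the two symptoms visible in the post, namely CHILD_SAs whose local/remote traffic selectors are identical (the duplicate policies the reply refers to; strongSwan allocates one reqid per distinct set of traffic selectors, which is why both CHILD_SAs above carry reqid 2) and CHILD_SAs that have carried traffic in one direction only. The sample status text is constructed for the example, with placeholder addresses and subnets that were blanked out in the original message.

```python
"""Flag duplicate IPsec policies in strongSwan status output.

Added example (not strongSwan code). Parses the per-CHILD_SA block format
shown in the post and reports (a) CHILD_SAs with identical traffic selectors
and (b) CHILD_SAs with traffic in only one direction.
"""
import re
from collections import defaultdict

# Constructed sample modelled on the output in the post. The addresses,
# subnets and counters are placeholders chosen for this example.
SAMPLE_STATUS = """\
conn1: #197, ESTABLISHED, IKEv2, 482f9b76fa33814b_i 28d890a8f075c0dc_r*
  local  '192.0.2.1' @ 192.0.2.1[500]
  remote '198.51.100.1' @ 198.51.100.1[500]
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
  established 7s ago
  to-varus: #19, reqid 2, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
    installed 7s ago
    in  c4837279,   1068 bytes,    17 packets,     0s ago
    out 50b38cfc,   0 bytes,       0 packets,     7s ago
    local  10.0.1.0/24
    remote 10.0.2.0/24
conn2: #196, ESTABLISHED, IKEv2, cbecb3fd1afb94d8_i* 8148f7fab37e9e6c_r
  local  '192.0.2.2' @ 192.0.2.2[4500]
  remote '198.51.100.2' @ 198.51.100.2[4500]
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
  established 45s ago
  to-varus2: #18, reqid 2, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
    installed 45s ago
    in  c4afe7b8,      0 bytes,     0 packets
    out 50b38cf6,   1776 bytes,    28 packets,     0s ago
    local  10.0.1.0/24
    remote 10.0.2.0/24
"""

# IKE_SA header: starts at column 0, e.g. "conn1: #197, ESTABLISHED, ..."
IKE_RE = re.compile(r'^(?P<conn>[\w-]+): #\d+,')
# CHILD_SA header: indented, e.g. "  to-varus: #19, reqid 2, INSTALLED, TUNNEL, ESP:..."
CHILD_RE = re.compile(
    r'^\s+(?P<name>[\w-]+): #(?P<id>\d+), reqid (?P<reqid>\d+), '
    r'(?P<state>\w+), (?P<mode>\w+), ESP')
# Per-direction counters; the trailing ", Ns ago" is absent when nothing was seen.
COUNTER_RE = re.compile(
    r'^\s+(?P<dir>in|out)\s+(?P<spi>[0-9a-f]+),\s+(?P<bytes>\d+) bytes,'
    r'\s+(?P<packets>\d+) packets')
# Traffic selector lines inside a CHILD_SA block: "    local  10.0.1.0/24"
TS_RE = re.compile(r'^\s+(?P<side>local|remote)\s+(?P<ts>\S+)\s*$')


def parse_child_sas(text):
    """Return one dict per CHILD_SA found in the status text."""
    children, ike, cur = [], None, None
    for line in text.splitlines():
        m = IKE_RE.match(line)
        if m:
            ike, cur = m['conn'], None  # new IKE_SA; IKE-level lines are skipped
            continue
        m = CHILD_RE.match(line)
        if m:
            cur = {'ike': ike, 'name': m['name'], 'reqid': int(m['reqid']),
                   'in_packets': 0, 'out_packets': 0, 'local': None, 'remote': None}
            children.append(cur)
            continue
        if cur is None:
            continue
        m = COUNTER_RE.match(line)
        if m:
            cur[m['dir'] + '_packets'] = int(m['packets'])
            continue
        m = TS_RE.match(line)
        if m:
            cur[m['side']] = m['ts']
    return children


def duplicate_policies(children):
    """Group CHILD_SAs by (local TS, remote TS); keep groups with more than one member."""
    groups = defaultdict(list)
    for c in children:
        groups[(c['local'], c['remote'])].append(c)
    return {ts: g for ts, g in groups.items() if len(g) > 1}


def one_directional(children):
    """Names of CHILD_SAs that carried packets in exactly one direction."""
    return [c['name'] for c in children
            if (c['in_packets'] == 0) != (c['out_packets'] == 0)]


def diagnose(text):
    """Human-readable findings for the given status text."""
    children = parse_child_sas(text)
    findings = []
    for (local, remote), group in duplicate_policies(children).items():
        names = ', '.join(f"{c['ike']}/{c['name']} (reqid {c['reqid']})" for c in group)
        findings.append(f"duplicate policy {local} <-> {remote}: {names}")
    for name in one_directional(children):
        findings.append(f"{name}: traffic in one direction only")
    return findings


if __name__ == '__main__':
    for finding in diagnose(SAMPLE_STATUS):
        print(finding)
```

Run it against live output by piping the status text in place of SAMPLE_STATUS; any "duplicate policy" line means two conns install the same selectors, which is the situation the reply says is unsupported, and the one-direction findings show which SA the kernel picked for each direction.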