Hi Rajiv,

I already tried this, and it would not help. "reqid" is local only and this information is never transmitted to the other side as part of the CHILD_SA establishment, so setting these by hand on both sides will still result in all tunnels being terminated into the first matching CHILD_SA on the responder.

Regards

- Marcel

On 25.01.2022 at 07:42, Rajiv Kulkarni wrote:
Hi

Would setting this "reqid" option for each of the tunnels (with different left/right IDs set) in both initiator and responder peers help?

The below is the setting that is available (in swanctl.conf):
------------------------------------------------------------------------------------------------------------------------------------
connections.<conn>.children.<child>.reqid = <0(default-value)>
- Fixed reqid to use for this CHILD_SA. This might be helpful in some scenarios, but works only if each CHILD_SA configuration is instantiated not more than once.
- The default of 0 uses dynamic reqids, allocated incrementally.
-------------------------------------------------------------------------------------------------------------------------------

regards
Rajiv



On Tue, Jan 25, 2022 at 1:19 AM Noel Kuntze <[email protected]> wrote:

    Hello Marcel,

    You already found the only good solution to the problem.
    The general problem is that there's no way to identify any
    specific CHILD_SA because there are no markers or authentication
    procedures, or ways to match them by establishment order.

    Kind regards
    Noel

    On 24.01.22 at 10:48, Marcel Menzel wrote:
    > Hello List,
    >
    > I am connecting multiple XFRM interfaces, each being in a
    > different VRF, between two servers running strongSwan 5.9.4.
    >
    > As I am running dynamic routing protocols over those XFRM
    > interfaces, all traffic selectors of the CHILD_SAs have been set
    > to 0.0.0.0/0 & ::/0.
    >
    > Now, the responder is not able to distinguish between the
    > CHILD_SAs anymore (due to the same TS) for one IKE_SA and all the
    > CHILD_SAs of the initiator end up in the same (the first) CHILD_SA
    > in the responder, meaning the different XFRM interfaces of the
    > initiator are all being terminated in the same XFRM interface of
    > the responder.
    >
    > My current workaround is to create one IKE_SA per CHILD_SA as I
    > am able to set the local and remote ID in the IKE_SA and use these
    > to distinguish the tunnels, as the local and remote addresses are
    > the same as well. Unfortunately, the CHILD_SA parameter "reqid" is
    > a local setting only and looking at the docs I can't see another
    > way to set some "ID" of some sort to be able to distinguish
    > between overlapping/identical traffic selectors. Am I missing
    > something here or is this the only possible workaround?
    >
    >
    > Thanks
    >
    >   - Marcel
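The workaround Marcel describes in the quoted message (one IKE_SA per CHILD_SA, with the IKE identities doing the job the identical traffic selectors cannot), written out as an added initiator-side swanctl.conf. This example is not part of the thread and not strongSwan project code; the addresses, identities, if_id values and pre-shared secrets are constructed placeholders, and the responder is assumed to carry a mirrored configuration with local/remote swapped.

```conf
# Added example (not from the thread): initiator-side swanctl.conf for the
# "one IKE_SA per CHILD_SA" workaround. All values below are placeholders.
connections {
    vrf-red {
        version      = 2
        local_addrs  = 192.0.2.1
        remote_addrs = 192.0.2.2
        # The IKE identities are what the responder uses to pick the
        # connection. Once both children use 0.0.0.0/0 and ::/0, these IDs
        # are the only per-tunnel value that actually travels on the wire.
        local {
            auth = psk
            id   = red@initiator.example
        }
        remote {
            auth = psk
            id   = red@responder.example
        }
        children {
            vrf-red {
                local_ts  = 0.0.0.0/0, ::/0
                remote_ts = 0.0.0.0/0, ::/0
                # if_id_in/if_id_out are local-only, exactly like reqid: they
                # bind this CHILD_SA to the XFRM interface created with the
                # same if_id on this host and are never sent to the peer.
                if_id_in  = 10
                if_id_out = 10
                start_action = start
            }
        }
    }
    vrf-blue {
        version      = 2
        local_addrs  = 192.0.2.1
        remote_addrs = 192.0.2.2
        local {
            auth = psk
            id   = blue@initiator.example
        }
        remote {
            auth = psk
            id   = blue@responder.example
        }
        children {
            vrf-blue {
                local_ts  = 0.0.0.0/0, ::/0
                remote_ts = 0.0.0.0/0, ::/0
                if_id_in  = 20
                if_id_out = 20
                start_action = start
            }
        }
    }
}

secrets {
    # One PSK per identity pair so that the two IKE_SAs do not share a secret.
    ike-vrf-red {
        id-1   = red@initiator.example
        id-2   = red@responder.example
        secret = "placeholder-psk-red"
    }
    ike-vrf-blue {
        id-1   = blue@initiator.example
        id-2   = blue@responder.example
        secret = "placeholder-psk-blue"
    }
}
```

The matching XFRM interfaces are created separately with `ip link add ipsec-red type xfrm dev eth0 if_id 10` (and `if_id 20` for the second) and then moved into their VRFs; strongSwan only sees the if_id. On the responder, swap each connection's `local`/`remote` identities and addresses. Because the distinction rests entirely on the IKE identities, the responder's connection selection is only as strong as the authentication behind those identities, which is why per-tunnel secrets (or per-tunnel certificates) rather than one shared PSK are used here.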
