Hi Marcel,
I am connecting multiple XFRM interfaces, each being in a different VRF,
between two servers running strongSwan 5.9.4.
As I am running dynamic routing protocols over those XFRM interfaces,
all traffic selectors of the CHILD_SAs have been set to 0.0.0.0/0 & ::/0.
Now, the responder is no longer able to distinguish between the
CHILD_SAs anymore (due to the same TS) for one IKE_SA and all the
CHILD_SAs of the initiator end up in the same (the first) CHILD_SA in
the responder, meaning the different XFRM interfaces of the initiator
are being terminated all in the same XFRM interface of the responder.
My current workaround is to create one IKE_SA per CHILD_SA as I am able
to set the local and remote ID in the IKE_SA and use these to
distinguish the tunnels as the local and remote addresses are the same
as well. Unfortunately, the CHILD_SA parameter "reqid" is a local setting
only and looking at the docs I can't see another way to set some "ID" of
some sort to be able to distinguish between overlapping/identical
traffic selectors. Am I missing something here or is this the only
possible workaround?

The labeled-ipsec branch might be of interest to you (still experimental
and undergoing some major changes in the near future). In a non-SELinux
mode (in the current branch just don't compile with --enable-selinux),
the labels simply act as additional identifier/selector on the IKEv2
layer when negotiating CHILD_SAs and selecting child configs. This
allows using the label like a transmitted mark/if_id.
Regards,
Tobias
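As an added illustration of the workaround described in the question (not configuration from the thread or from the strongSwan project), here is an initiator-side swanctl.conf that gives each XFRM interface its own IKE_SA, told apart by IKE identity rather than by the identical traffic selectors. Connection names, addresses, IDs and if_id values are constructed placeholders.

```conf
# Added example (not from the thread): initiator-side swanctl.conf giving each
# XFRM interface its own IKE_SA, told apart by IKE identity. All values are
# constructed placeholders; secrets/certs for these IDs are configured as usual.
connections {
    vrf-red {
        local_addrs = 192.0.2.1
        remote_addrs = 192.0.2.2
        local {
            auth = psk
            id = red@initiator.example
        }
        remote {
            auth = psk
            id = red@responder.example
        }
        children {
            red {
                # dynamic routing runs over the interface: select everything
                local_ts = 0.0.0.0/0,::/0
                remote_ts = 0.0.0.0/0,::/0
                # local-only binding to the XFRM interface created with if_id 10
                if_id_in = 10
                if_id_out = 10
                start_action = start
            }
        }
    }
    vrf-blue {
        local_addrs = 192.0.2.1
        remote_addrs = 192.0.2.2
        local {
            auth = psk
            id = blue@initiator.example
        }
        remote {
            auth = psk
            id = blue@responder.example
        }
        children {
            blue {
                local_ts = 0.0.0.0/0,::/0
                remote_ts = 0.0.0.0/0,::/0
                if_id_in = 20
                if_id_out = 20
                start_action = start
            }
        }
    }
}
```

The responder mirrors this with its own if_id values and with remote.id set to red@initiator.example and blue@initiator.example, so config selection is driven by the IKE identity and the two CHILD_SAs no longer collapse into one. On each host the interfaces are created with `ip link add ipsec-red type xfrm dev eth0 if_id 10` (and 20 for blue) and then enslaved to the respective VRF with `ip link set ipsec-red master <vrf>`.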