[Swan] Version 3.30 XFRM implementation

Antony Antony antony at phenome.org
Thu Feb 20 08:36:49 UTC 2020

On Wed, Feb 19, 2020 at 11:10:49AM +0000, Paul Overton wrote:
> Thanks Paul,
> Some progress, it seems that the iface-ip= directive is causing the failure to start, if I don't include this directive, and only use  ipsec-interface=yes 
> An interface ipsec1 is created and the tunnels are created, but the interface does not have a local IP address. I can add this after though. 
> This is the error I get when including the iface-ip= statement:
> cannot load config '/etc/ipsec.conf': /etc/ipsec.d/connections.conf:26: syntax error, unexpected STRING [iface-ip]

I hope to work on  left|rightinterface-ip= soon.

> I have tried adding a number of ipsec interfaces, it would appear the 2 per external interface is the limit. 

can you share details of what happens when there more than two tunnels?
configuration or debug logs would help us understand what is going on.

Simple case of multiple tunnel, test case with 4 tunnels, through same 
external interface seems to work.

If you have a /32-to-/32 tunnel without NAT, the responder with 
ipsec-interface may not work yet. I just noticed an issue yesterday and I am 
still investigating it how to make it work. It seems the responder setup the 
interface and send the IKE auth response through the tunnel. So the 
initiator never establishes tunnel.

More information about the Swan mailing list