[Swan] Version 3.30 XFRM implementation
antony at phenome.org
Thu Feb 20 08:36:49 UTC 2020
On Wed, Feb 19, 2020 at 11:10:49AM +0000, Paul Overton wrote:
> Thanks Paul,
> Some progress: it seems that the iface-ip= directive is causing the failure to start. If I don't include this directive, and only use ipsec-interface=yes,
> an interface ipsec1 is created and the tunnels are created, but the interface does not have a local IP address. I can add this after though.
> This is the error I get when including the iface-ip= statement:
> cannot load config '/etc/ipsec.conf': /etc/ipsec.d/connections.conf:26: syntax error, unexpected STRING [iface-ip]
I hope to work on left|rightinterface-ip= soon.
> I have tried adding a number of ipsec interfaces; it would appear that 2 per external interface is the limit.
Can you share details of what happens when there are more than two tunnels?
Configuration or debug logs would help us understand what is going on.
A simple case of multiple tunnels, a test case with 4 tunnels through the same
external interface, seems to work.
If you have a /32-to-/32 tunnel without NAT, the responder with
ipsec-interface may not work yet. I just noticed an issue yesterday and I am
still investigating how to make it work. It seems the responder sets up the
interface and sends the IKE auth response through the tunnel. So the
initiator never establishes the tunnel.