Hello,

I'm not sure if I'm doing something wrong or if it is a common problem. I have iked.conf set up in the following way:

    ikev2 active \
        from 10.2.15.0/24 to 172.31.0.0/20 \
        from 10.2.15.0/24 to 172.31.16.0/20 \
        from 10.2.15.0/24 to 172.31.32.0/20 \
        from 169.254.74.238 to 169.254.74.237 \
        local X.X.X.X peer 16.170.59.81 \
        ikesa auth hmac-sha2-256 enc aes-256 prf hmac-sha2-256 group modp4096 \
        childsa auth hmac-sha2-256 enc aes-256 group modp4096 \
        srcid X.X.X.X \
        ikelifetime 28800 lifetime 3600 \
        psk '_REMOVED_'

    ikev2 active \
        from 10.2.15.0/24 to 172.31.0.0/20 \
        from 10.2.15.0/24 to 172.31.16.0/20 \
        from 10.2.15.0/24 to 172.31.32.0/20 \
        from 169.254.21.38 to 169.254.21.37 \
        local X.X.X.X peer 51.21.86.8 \
        ikesa auth hmac-sha2-256 enc aes-256 prf hmac-sha2-256 group modp4096 \
        childsa auth hmac-sha2-256 enc aes-256 group modp4096 \
        srcid X.X.X.X \
        ikelifetime 28800 lifetime 3600 \
        psk '_REMOVED_'

Both tunnels are up from the AWS perspective. Both tunnels have SAs:

    # ipsecctl -ss
    esp tunnel from 51.21.86.8 to X.X.X.X spi 0x02c0ae3a auth hmac-sha2-256 enc aes-256
    esp tunnel from 16.170.59.81 to X.X.X.X spi 0x09ef0398 auth hmac-sha2-256 enc aes-256
    esp tunnel from 16.170.59.81 to X.X.X.X spi 0x324ceca5 auth hmac-sha2-256 enc aes-256
    esp tunnel from 51.21.86.8 to X.X.X.X spi 0xa9672a52 auth hmac-sha2-256 enc aes-256
    esp tunnel from X.X.X.X to 16.170.59.81 spi 0xc08c4de5 auth hmac-sha2-256 enc aes-256
    esp tunnel from X.X.X.X to 16.170.59.81 spi 0xc2e0efe9 auth hmac-sha2-256 enc aes-256
    esp tunnel from X.X.X.X to 51.21.86.8 spi 0xc3e8a0e0 auth hmac-sha2-256 enc aes-256
    esp tunnel from X.X.X.X to 51.21.86.8 spi 0xccb3250e auth hmac-sha2-256 enc aes-256

But flows with an overlapping from-to pair are set up only for one of the tunnels:

    # ipsecctl -sf
    flow esp in from 169.254.21.37 to 169.254.21.38 peer 51.21.86.8 srcid IPV4/X.X.X.X dstid IPV4/51.21.86.8 type require
    flow esp in from 169.254.74.237 to 169.254.74.238 peer 16.170.59.81 srcid IPV4/X.X.X.X dstid IPV4/16.170.59.81 type require
    flow esp in from 172.31.0.0/20 to 10.2.15.0/24 peer 51.21.86.8 srcid IPV4/X.X.X.X dstid IPV4/51.21.86.8 type require
    flow esp in from 172.31.16.0/20 to 10.2.15.0/24 peer 51.21.86.8 srcid IPV4/X.X.X.X dstid IPV4/51.21.86.8 type require
    flow esp in from 172.31.32.0/20 to 10.2.15.0/24 peer 51.21.86.8 srcid IPV4/X.X.X.X dstid IPV4/51.21.86.8 type require
    flow esp out from 10.2.15.0/24 to 172.31.0.0/20 peer 51.21.86.8 srcid IPV4/X.X.X.X dstid IPV4/51.21.86.8 type require
    flow esp out from 10.2.15.0/24 to 172.31.16.0/20 peer 51.21.86.8 srcid IPV4/X.X.X.X dstid IPV4/51.21.86.8 type require
    flow esp out from 10.2.15.0/24 to 172.31.32.0/20 peer 51.21.86.8 srcid IPV4/X.X.X.X dstid IPV4/51.21.86.8 type require
    flow esp out from 169.254.21.38 to 169.254.21.37 peer 51.21.86.8 srcid IPV4/X.X.X.X dstid IPV4/51.21.86.8 type require
    flow esp out from 169.254.74.238 to 169.254.74.237 peer 16.170.59.81 srcid IPV4/X.X.X.X dstid IPV4/16.170.59.81 type require

I think iked may detect that a flow is already set for this from-to pair and does not set up an additional one, but it should also take the remote endpoint into account, as those are different. Having no flow set up results in this: when some data is received on the second tunnel, the one with no flows set, that data is discarded and not forwarded any more, probably due to RPF policy. I tried to figure out how those are set up by code analysis, but I think it may be beyond my capabilities, as I'm only a sysadmin, not a developer.

OpenBSD version: 7.3

Best regards,
Rafal Ramocki
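As an added example (not part of Rafal's mail, and not iked or ipsecctl code), the following Python script automates the comparison he did by hand: it takes the from/to pairs configured per peer in iked.conf and checks them against the output of ipsecctl -sf, reporting which flows the configuration implies but the kernel has no entry for, and which from/to selectors are configured towards more than one peer. The peer table and the ipsecctl -sf listing are transcribed from the post and embedded as constants so the script runs offline; on a real host you would paste the live ipsecctl -sf output into IPSECCTL_SF (or read it from stdin). The assumption that each "from A to B" in a policy should yield an outbound flow A to B and an inbound flow B to A towards that peer is taken from the flows the post shows for the 51.21.86.8 tunnel.

```python
"""Cross-check iked.conf policies against `ipsecctl -sf` output.

Added example, not from the original post or from iked/ipsecctl.
The policies and the flow listing below are transcribed from the post
and embedded as constants so the script runs offline.
"""
import re
from collections import defaultdict

# iked.conf policies from the post, as peer -> [(from, to), ...].
# Assumption (matches the flows shown for 51.21.86.8): each "from A to B"
# should produce an outbound flow A->B and an inbound flow B->A to that peer.
POLICIES = {
    "16.170.59.81": [
        ("10.2.15.0/24", "172.31.0.0/20"),
        ("10.2.15.0/24", "172.31.16.0/20"),
        ("10.2.15.0/24", "172.31.32.0/20"),
        ("169.254.74.238", "169.254.74.237"),
    ],
    "51.21.86.8": [
        ("10.2.15.0/24", "172.31.0.0/20"),
        ("10.2.15.0/24", "172.31.16.0/20"),
        ("10.2.15.0/24", "172.31.32.0/20"),
        ("169.254.21.38", "169.254.21.37"),
    ],
}

# Constructed sample: the `ipsecctl -sf` listing from the post, one flow per line.
IPSECCTL_SF = """\
flow esp in from 169.254.21.37 to 169.254.21.38 peer 51.21.86.8 srcid IPV4/X.X.X.X dstid IPV4/51.21.86.8 type require
flow esp in from 169.254.74.237 to 169.254.74.238 peer 16.170.59.81 srcid IPV4/X.X.X.X dstid IPV4/16.170.59.81 type require
flow esp in from 172.31.0.0/20 to 10.2.15.0/24 peer 51.21.86.8 srcid IPV4/X.X.X.X dstid IPV4/51.21.86.8 type require
flow esp in from 172.31.16.0/20 to 10.2.15.0/24 peer 51.21.86.8 srcid IPV4/X.X.X.X dstid IPV4/51.21.86.8 type require
flow esp in from 172.31.32.0/20 to 10.2.15.0/24 peer 51.21.86.8 srcid IPV4/X.X.X.X dstid IPV4/51.21.86.8 type require
flow esp out from 10.2.15.0/24 to 172.31.0.0/20 peer 51.21.86.8 srcid IPV4/X.X.X.X dstid IPV4/51.21.86.8 type require
flow esp out from 10.2.15.0/24 to 172.31.16.0/20 peer 51.21.86.8 srcid IPV4/X.X.X.X dstid IPV4/51.21.86.8 type require
flow esp out from 10.2.15.0/24 to 172.31.32.0/20 peer 51.21.86.8 srcid IPV4/X.X.X.X dstid IPV4/51.21.86.8 type require
flow esp out from 169.254.21.38 to 169.254.21.37 peer 51.21.86.8 srcid IPV4/X.X.X.X dstid IPV4/51.21.86.8 type require
flow esp out from 169.254.74.238 to 169.254.74.237 peer 16.170.59.81 srcid IPV4/X.X.X.X dstid IPV4/16.170.59.81 type require
"""

# Only the fields we compare on; srcid/dstid/type are left out on purpose.
FLOW_RE = re.compile(r"^flow esp (in|out) from (\S+) to (\S+) peer (\S+)")


def parse_flows(text):
    """Return a set of (direction, src, dst, peer) tuples from ipsecctl -sf output."""
    flows = set()
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            flows.add(m.groups())
    return flows


def expected_flows(policies):
    """Flows the iked.conf policies should produce (out A->B and in B->A per peer)."""
    expected = set()
    for peer, pairs in policies.items():
        for src, dst in pairs:
            expected.add(("out", src, dst, peer))
            expected.add(("in", dst, src, peer))
    return expected


def missing_flows(policies, text):
    """peer -> sorted list of expected flows that have no entry in the listing."""
    present = parse_flows(text)
    missing = defaultdict(list)
    for flow in sorted(expected_flows(policies) - present):
        missing[flow[3]].append(flow)
    return dict(missing)


def selector_collisions(policies):
    """(from, to) pairs configured towards more than one peer.

    These are the overlapping selectors the post is about: the listing above
    shows a flow for only one of the peers that share such a pair.
    """
    peers_by_pair = defaultdict(set)
    for peer, pairs in policies.items():
        for pair in pairs:
            peers_by_pair[pair].add(peer)
    return {pair: sorted(p) for pair, p in peers_by_pair.items() if len(p) > 1}


if __name__ == "__main__":
    for pair, peers in sorted(selector_collisions(POLICIES).items()):
        print(f"selector {pair[0]} -> {pair[1]} is configured to peers {', '.join(peers)}")
    for peer, flows in sorted(missing_flows(POLICIES, IPSECCTL_SF).items()):
        for direction, src, dst, _ in flows:
            print(f"missing: flow esp {direction} from {src} to {dst} peer {peer}")
```

Run against the post's data it reports the three shared 10.2.15.0/24 to 172.31.x.0/20 selectors and the six flows (three in, three out) that 16.170.59.81 lacks, while 51.21.86.8 has everything its policy implies. The 169.254.x.x inside-tunnel pairs are unique per peer and are present for both, which is consistent with the post's reading that only the overlapping selectors are affected.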