The source ID does default, yes, but I have a tunnel gateway for multiple VPNs and I HAD to specify the dstid on the passive side as well, or ONLY the last rule was picked up for the 0.0.0.0/0 of some of them, as an example, for all the traffic flowing via the VPN.

Any overlapping routes were not going as one might think if no dstid was specified. Example:

ikev2 "test1-flow" passive from 0.0.0.0/0 to 1.2.3.4/28 peer any dstid test1.example.com
ikev2 "test2-flow" passive from 0.0.0.0/0 to 1.3.3.4/28 peer any dstid test2.example.com
ikev2 "test3-flow" passive from 0.0.0.0/0 to 1.4.3.4/28 peer any dstid test3.example.com
...etc

If no dstid was specified, then you didn't have all 3 above, as an example, working. Maybe it is supposed to; that I can't say for sure, as the idea of it, but it sure wasn't and isn't if I remove the dstid with everything else staying the same. So what he suggested to you was valid and true. But it is your setup and you sure can do as you see fit. Hope this helps anyway.

Daniel

On 11/6/18 3:16 PM, 雷致强 wrote:
> Thanks for the input, however, I think srcid defaults to the hostname when
> it’s omitted. Explicitly setting it didn’t give me any luck.
>
>> On Nov 7, 2018, at 2:33 AM, J Evans <3...@startmail.com> wrote:
>>
>> I am by no means an expert, but for my setup, in order to get multiple
>> policies working, I had to specify both srcid and dstid for each policy on
>> the passive peer. And then I set srcid and dstid for the policies on the
>> active peers.
>>
>
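As an added example (not from the thread, and not part of iked), here is a small Python checker that reads one-line iked.conf-style policies and flags passive policies whose "from" selector overlaps another passive policy's while lacking a dstid, which is the situation Daniel describes. The sample config, the regex and the function names are constructed for this example; it assumes one policy per line with a quoted name, treats "any" as 0.0.0.0/0, and only inspects policies that carry an explicit passive keyword.

```python
"""Lint iked.conf-style policies for passive flows that omit dstid.

Added example for the mailing-list thread above; the sample configuration
below is constructed (hypothetical names and addresses), with the third
policy deliberately missing its dstid so the checker has something to flag.
"""
import ipaddress
import re

# Constructed sample: the three flows from the thread, minus one dstid.
SAMPLE_CONF = """\
ikev2 "test1-flow" passive from 0.0.0.0/0 to 1.2.3.4/28 peer any dstid test1.example.com
ikev2 "test2-flow" passive from 0.0.0.0/0 to 1.3.3.4/28 peer any dstid test2.example.com
ikev2 "test3-flow" passive from 0.0.0.0/0 to 1.4.3.4/28 peer any
"""

# Assumption: one policy per line, quoted name, optional mode keyword, then
# "from <selector> to <selector>" and the remaining options in any order.
POLICY_RE = re.compile(
    r'^ikev2\s+"(?P<name>[^"]+)"\s+(?P<mode>passive|active)?\s*'
    r'from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)(?P<rest>.*)$'
)


def parse_policies(text):
    """Return a list of dicts, one per policy line that matches POLICY_RE."""
    policies = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        m = POLICY_RE.match(line)
        if not m:
            continue  # multi-line or otherwise unsupported syntax is skipped
        rest = m.group("rest")
        srcid = re.search(r"\bsrcid\s+(\S+)", rest)
        dstid = re.search(r"\bdstid\s+(\S+)", rest)
        policies.append({
            "name": m.group("name"),
            "mode": m.group("mode"),  # None when no mode keyword was given
            "src": m.group("src"),
            "dst": m.group("dst"),
            "srcid": srcid.group(1) if srcid else None,
            "dstid": dstid.group(1) if dstid else None,
        })
    return policies


def _net(token):
    # iked accepts "any" as a selector; this checker models it as all of IPv4
    # (assumption; IPv6 "any" is not handled here).
    if token == "any":
        token = "0.0.0.0/0"
    return ipaddress.ip_network(token, strict=False)


def find_missing_dstid(policies):
    """Return (name, [overlapping passive policy names]) for every passive
    policy without a dstid whose 'from' selector overlaps another passive
    policy's: these are the ones iked cannot tell apart by selector alone."""
    passive = [p for p in policies if p["mode"] == "passive"]
    findings = []
    for p in passive:
        if p["dstid"]:
            continue
        src = _net(p["src"])
        clashes = [q["name"] for q in passive
                   if q is not p and _net(q["src"]).overlaps(src)]
        if clashes:
            findings.append((p["name"], clashes))
    return findings


if __name__ == "__main__":
    for name, clashes in find_missing_dstid(parse_policies(SAMPLE_CONF)):
        print(f'passive policy "{name}" has no dstid but overlaps: {", ".join(clashes)}')
```

Run it against a real config with `parse_policies(open("/etc/iked.conf").read())`; an empty result means every passive policy that shares a "from" selector with another one carries its own dstid, which is the condition the thread found necessary.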