On Tue, Nov 06, 2018 at 05:42:08PM -0500, Daniel Ouellet wrote:
> The source ID does default yes, but I have a tunnel gateway for multiple
> VPN and I HAD to specify the dstid on the passive side as well or ONLY
> the last rule was picked up for the 0.0.0.0/0 of some of them as an
> example for all the traffic flowing via the VPN.
>
> Any overlapping routes were not going as one might think if not dstid
> specified.
>
> example:
>
> ikev2 "test1-flow" passive from 0.0.0.0/0 to 1.2.3.4/28 peer any dstid test1.example.com
>
> ikev2 "test2-flow" passive from 0.0.0.0/0 to 1.3.3.4/28 peer any dstid test2.example.com
>
> ikev2 "test3-flow" passive from 0.0.0.0/0 to 1.4.3.4/28 peer any dstid test3.example.com
>
> ..etc
>
> If no dstid was specified, then you didn't have all 3 above as an
> example working.
>
> Maybe it is supposed to, that I can't say for sure as the idea of it,
> but it sure wasn't and isn't if I remove the dstid with everything else
> staying the same.
>
> So what he suggested to you was valid and true.
>
> But it is your setup and you sure can do as you see fit.

This only works if the rules are the same. The problem is that part of the
lookups during the handshake are done without dstid and so at start the last
rule will match and is used but later on the real rule (with correct dstid)
matches. In general you cannot mix different auth types because the mismatch
happens during auth exchange. Fixing this is not trivial and maybe not even
possible.

> On 11/6/18 3:16 PM, 雷致强 wrote:
> > Thanks for the input, however, I think srcid defaults to the hostname when
> > it's omitted. Explicitly setting it didn't give me any luck.
> >
> >> On Nov 7, 2018, at 2:33 AM, J Evans <3...@startmail.com> wrote:
> >>
> >> I am by no means an expert, but for my setup, in order to get multiple
> >> policies working, I had to specify both srcid and dstid for each policy on
> >> the passive peer. And then I set srcid and dstid for the policies on the
> >> active peers.
> >>

-- 
:wq Claudio
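A small model of the two-stage policy lookup described above, added here as an illustration and not taken from iked's source. It assumes, as the thread observes, that the last matching policy wins, that the IKE_SA_INIT lookup can only use the peer address (no peer ID yet), and that the IKE_AUTH lookup adds the dstid; the `auth` field and the `negotiate()` helper are hypothetical, used only to show the auth-method mismatch.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Policy:
    name: str
    auth: str                    # hypothetical field: "psk" or "rsa"
    peer: str = "any"            # "peer any" as in the thread's rules
    dstid: Optional[str] = None  # None = dstid not given in iked.conf

def lookup(policies: List[Policy], peer_addr: str,
           peer_id: Optional[str]) -> Optional[Policy]:
    """Return the last policy whose peer address and, once known, peer ID
    match. peer_id is None during IKE_SA_INIT, before the peer sends its ID
    (model assumption: traffic selectors are not part of this lookup)."""
    hit = None
    for p in policies:
        if p.peer not in ("any", peer_addr):
            continue
        if peer_id is not None and p.dstid is not None and p.dstid != peer_id:
            continue
        hit = p  # last match wins
    return hit

def negotiate(policies: List[Policy], peer_addr: str,
              peer_id: str) -> Tuple[Optional[str], Optional[str], bool]:
    """Return (policy at SA_INIT, policy at AUTH, ok). ok is False when the
    policy chosen before the ID was known uses a different auth method than
    the one matched at IKE_AUTH: the mismatch Claudio describes."""
    init = lookup(policies, peer_addr, None)
    auth = lookup(policies, peer_addr, peer_id)
    if init is None or auth is None:
        return (None, None, False)
    return (init.name, auth.name, init.auth == auth.auth)

# Constructed rules modelled on the three "test*-flow" rules in the thread.
WITH_DSTID = [
    Policy("test1-flow", "rsa", dstid="test1.example.com"),
    Policy("test2-flow", "rsa", dstid="test2.example.com"),
    Policy("test3-flow", "rsa", dstid="test3.example.com"),
]
NO_DSTID = [Policy(p.name, p.auth) for p in WITH_DSTID]  # dstid removed
MIXED_AUTH = [
    Policy("test1-flow", "psk", dstid="test1.example.com"),
    Policy("test2-flow", "rsa", dstid="test2.example.com"),
]

if __name__ == "__main__":
    peer = "203.0.113.10"  # constructed peer address
    print(negotiate(NO_DSTID, peer, "test1.example.com"))    # last rule used twice
    print(negotiate(WITH_DSTID, peer, "test1.example.com"))  # corrected at AUTH
    print(negotiate(MIXED_AUTH, peer, "test1.example.com"))  # auth-method mismatch
```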