Netgate Discussion Forum
    /32 SA should have higher precedence than /28 SA

    IPsec
      eskild

      2.0-RC3 (i386)
      built on Sun Sep 11 21:36:53 EDT 2011

      I have two subnets towards the same host, using the same phase1:
      10.10.12.32/28 peer xx.xx.xx.xx <--> peer yy.yy.yy.yy 192.168.1.1
      10.10.12.33/32 peer xx.xx.xx.xx <--> peer yy.yy.yy.yy 192.168.1.1

      So we have overlapping subnets, and what I have seen on other equipment is that the smallest subnet has precedence.

      What I have experienced is that traffic from 10.10.12.33 to 192.168.1.1 goes fine, but when 192.168.1.1 responds, the traffic is encrypted in the other SA that belongs to the /28 subnet.

      Are there any known workarounds for this behavior? Is there any way to set a priority for the SAs?

      Thanks,
      //Eskild

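Added example (not part of the post, and not pfSense's or any peer's actual IPsec code): a small Python model of security policy (SPD) selection with the two overlapping traffic selectors from the post. It contrasts the two lookup rules a practitioner will meet: an ordered SPD where the first matching entry wins (the RFC 4301 model), and a most-specific lookup where the longest prefix wins. The policy names, the configuration order (the /28 listed first, as in the post) and the peer's mirrored table are constructed assumptions; the model also includes an audit helper that flags nested selectors and a reordering step that puts the most specific policy first, which is the defensive fix when you cannot rely on both peers doing longest-prefix selection.

```python
"""Model of IPsec SPD selection with overlapping traffic selectors.

Constructed example: the two policies mirror the /28 and /32 entries from the
post, but the tables, names and selection functions are assumptions, not the
behaviour of pfSense or of the remote peer.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    name: str            # label for the SA this policy selects
    local: IPv4Network   # local traffic selector
    remote: IPv4Network  # remote traffic selector


def mirror(spd: List[Policy]) -> List[Policy]:
    """The peer's view of the same policies: local and remote selectors swapped."""
    return [Policy(p.name, p.remote, p.local) for p in spd]


# Constructed SPD in configuration order: the /28 entry was listed first in the post.
PFSENSE_SPD: List[Policy] = [
    Policy("sa-28", ip_network("10.10.12.32/28"), ip_network("192.168.1.1/32")),
    Policy("sa-32", ip_network("10.10.12.33/32"), ip_network("192.168.1.1/32")),
]
PEER_SPD: List[Policy] = mirror(PFSENSE_SPD)


def _matching(spd: List[Policy], src, dst) -> List[Policy]:
    """All policies whose selectors cover the (src, dst) pair, in table order."""
    src, dst = ip_address(src), ip_address(dst)
    return [p for p in spd if src in p.local and dst in p.remote]


def select_first_match(spd: List[Policy], src, dst) -> Optional[str]:
    """Ordered SPD lookup (RFC 4301 semantics): the first matching entry wins."""
    found = _matching(spd, src, dst)
    return found[0].name if found else None


def select_longest_prefix(spd: List[Policy], src, dst) -> Optional[str]:
    """Most-specific lookup: the matching entry with the longest prefixes wins."""
    found = _matching(spd, src, dst)
    if not found:
        return None
    return max(found, key=lambda p: p.local.prefixlen + p.remote.prefixlen).name


def sa_used_each_way(pf_spd, pf_select, peer_spd, peer_select, host, remote) -> Tuple[Optional[str], Optional[str]]:
    """(SA chosen locally for host->remote, SA the peer chooses for remote->host)."""
    return pf_select(pf_spd, host, remote), peer_select(peer_spd, remote, host)


def nests_in(inner: Policy, outer: Policy) -> bool:
    """True when every packet matching `inner` also matches `outer`."""
    return inner.local.subnet_of(outer.local) and inner.remote.subnet_of(outer.remote)


def find_overlaps(spd: List[Policy]) -> List[Tuple[str, str]]:
    """Audit helper: pairs of policies whose selectors nest, so one packet can match both."""
    return [(a.name, b.name) for i, a in enumerate(spd) for b in spd[i + 1:]
            if nests_in(a, b) or nests_in(b, a)]


def is_most_specific_first(spd: List[Policy]) -> bool:
    """True when no later entry is strictly more specific than an earlier one,
    so an ordered (first-match) SPD already behaves like longest-prefix selection."""
    for i, a in enumerate(spd):
        for b in spd[i + 1:]:
            if nests_in(b, a) and not nests_in(a, b):
                return False
    return True


def reorder_most_specific_first(spd: List[Policy]) -> List[Policy]:
    """Mitigation: order policies by descending selector specificity (stable sort)."""
    return sorted(spd, key=lambda p: p.local.prefixlen + p.remote.prefixlen, reverse=True)


if __name__ == "__main__":
    host, remote = "10.10.12.33", "192.168.1.1"
    # Local side picks the most specific SA, peer uses first-match on a table
    # listing the /28 first: the reply comes back in the other SA.
    print("mixed:", sa_used_each_way(PFSENSE_SPD, select_longest_prefix, PEER_SPD, select_first_match, host, remote))
    print("overlaps:", find_overlaps(PFSENSE_SPD), "most-specific-first:", is_most_specific_first(PFSENSE_SPD))
    fixed = reorder_most_specific_first(PFSENSE_SPD)
    print("reordered:", sa_used_each_way(fixed, select_first_match, mirror(fixed), select_first_match, host, remote))
```

In the mixed case the model reproduces the asymmetry described in the post: the local side sends 10.10.12.33 traffic in the /32 SA while the peer's first-match lookup returns the /28 SA for the reply. Once the policies are ordered most specific first, first-match and longest-prefix selection agree on both ends, which is why "put the narrower phase 2 first, or avoid overlapping selectors altogether" is the usual answer when the two peers cannot be assumed to select the same way.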
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.