/32 SA should have higher precedence than /28 SA
  • 2.0-RC3 (i386)
    built on Sun Sep 11 21:36:53 EDT 2011

    I have two subnets towards the same host, using the same phase1:
    10.10.12.32/28 peer xx.xx.xx.xx <--> peer yy.yy.yy.yy 192.168.1.1
    10.10.12.33/32 peer xx.xx.xx.xx <--> peer yy.yy.yy.yy 192.168.1.1

    So we have overlapping subnets, and what I have seen on other equipment is that the smallest subnet has precedence.

    What I have experienced is that traffic from 10.10.12.33 to 192.168.1.1 goes fine, but when 192.168.1.1 responds, the traffic is encrypted in the other SA that belongs to the /28 subnet.

    Is there any known workaround for this behavior? Is there any way to set a priority for the SAs?

    Thanks,
    //Eskild
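The behaviour described in the post comes down to how the security policy database (SPD) is searched when two phase-2 selectors overlap: a lookup that returns the first matching entry will encrypt the reply into whichever SA was configured first, while a longest-prefix lookup returns the most specific (/32) entry. The following is an added illustration, not code from the post or from pfSense; the SPD entries are constructed from the two selectors given above, and the `select_*` and `find_overlaps` function names are hypothetical. It also includes a small overlap check that a practitioner can run over a policy list to spot exactly this kind of ambiguity before it bites.

```python
from ipaddress import ip_address, ip_network

# Constructed SPD entries mirroring the two phase-2 selectors in the post:
# local subnet on our side, remote host on the far side. Entry order is the
# order in which the policies were configured.
SPD = [
    {"name": "sa-28", "local": ip_network("10.10.12.32/28"), "remote": ip_network("192.168.1.1/32")},
    {"name": "sa-32", "local": ip_network("10.10.12.33/32"), "remote": ip_network("192.168.1.1/32")},
]


def matching_entries(spd, local_ip, remote_ip):
    """Return every SPD entry whose selectors cover this local/remote pair."""
    local, remote = ip_address(local_ip), ip_address(remote_ip)
    return [e for e in spd if local in e["local"] and remote in e["remote"]]


def select_first_match(spd, local_ip, remote_ip):
    """Ordered lookup: the first configured entry that matches wins.
    This reproduces the symptom in the post, where the reply to
    10.10.12.33 lands in the /28 SA."""
    hits = matching_entries(spd, local_ip, remote_ip)
    return hits[0]["name"] if hits else None


def select_longest_match(spd, local_ip, remote_ip):
    """Longest-prefix lookup: the most specific selector pair wins,
    which is the behaviour the post expects from other equipment."""
    hits = matching_entries(spd, local_ip, remote_ip)
    if not hits:
        return None
    # Rank by combined prefix length of local and remote selectors.
    best = max(hits, key=lambda e: e["local"].prefixlen + e["remote"].prefixlen)
    return best["name"]


def find_overlaps(spd):
    """Report pairs of SPD entries whose local AND remote selectors overlap.
    Such pairs are the ones whose ordering decides which SA a packet uses."""
    overlaps = []
    for i, a in enumerate(spd):
        for b in spd[i + 1:]:
            if a["local"].overlaps(b["local"]) and a["remote"].overlaps(b["remote"]):
                overlaps.append((a["name"], b["name"]))
    return overlaps


if __name__ == "__main__":
    # Reply traffic from 192.168.1.1 back to 10.10.12.33: for the lookup,
    # the local address is our destination and the remote is the source.
    print("first-match  :", select_first_match(SPD, "10.10.12.33", "192.168.1.1"))
    print("longest-match:", select_longest_match(SPD, "10.10.12.33", "192.168.1.1"))
    print("overlapping  :", find_overlaps(SPD))
```

Running the script shows the two lookup strategies disagreeing for 10.10.12.33 (first-match picks `sa-28`, longest-match picks `sa-32`) while agreeing for any other host in the /28, and `find_overlaps` flags the `sa-28`/`sa-32` pair. When an implementation does not offer an explicit priority, the practical lever is the one the overlap check points at: either order the more specific policy first, or remove the overlap by carving the /32 host out of the wider selector.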
