/32 SA should have higher precedence than /28 SA
eskild last edited by
built on Sun Sep 11 21:36:53 EDT 2011
I have two subnets towards the same host, using the same phase1:
10.10.12.32/28 peer xx.xx.xx.xx <–> peer yy.yy.yy.yy 192.168.1.1
10.10.12.33/32 peer xx.xx.xx.xx <--> peer yy.yy.yy.yy 192.168.1.1
So we have overlapping subnets, and what I have seen on other equipment, is that the smallest subnet have precedence.
What I have experienced is that traffic from 10.10.12.33 to 192.168.1.1 goes fine, but when 192.168.1.1 responds, the traffic is encrypted in the other SA that belongs to the /28 subnet.
Are there any known workaround for this behavior? Are there any way to set a priority for the SAs?