/32 SA should have higher precedence than /28 SA

  • 2.0-RC3 (i386)
    built on Sun Sep 11 21:36:53 EDT 2011

    I have two subnets towards the same host, using the same phase1: peer xx.xx.xx.xx <–> peer yy.yy.yy.yy peer xx.xx.xx.xx <--> peer yy.yy.yy.yy

    So we have overlapping subnets, and what I have seen on other equipment, is that the smallest subnet have precedence.

    What I have experienced is that traffic from to goes fine, but when responds, the traffic is encrypted in the other SA that belongs to the /28 subnet.

    Are there any known workaround for this behavior? Are there any way to set a priority for the SAs?


Log in to reply