On Sun, 2016-07-03 at 16:15 +1000, Mike Everest wrote:
> Not sure I would agree with characterisation of this as a 'bug' - I'd call it more of a 'limitation'
Oh, alright :-)
> However, I think I found a work-around. When I made the policies slightly different, they appeared to both come up OK. I did it by making two minor changes to the 'duplicate' policy:
Thanks heaps for taking such an active interest! I'll try it out myself on my test AWS VPN, but did you have to make both changes, or would either do? And did you have to alter the IPsec protocol on the other end as well? If the second answer is "yes" then it won't work, as there is no way to alter the AWS end. It is what it is. Changing the network size UP is possibly better than my choice of DOWN because it doesn't exclude two addresses from the middle. I'm not sure of the implications around broadcast addresses or the effects on BGP (which is the alternative to static routing) but I will give it a go.
> Have you raised this question with MT direct yet? If not, I'm going to ask them about it myself as I'm interested to know whether they consider it expected behaviour! ;)
From my reading of numerous articles on the subject, it has definitely been raised with them. Can't hurt to raise it again.
The obvious alternative would be for them to add route-based IPsec; currently they support only policy-based IPsec (as far as I can tell - do enlighten me if they already support it!). That alternative would likely be a much bigger job though. I've blogged my efforts so far; any corrections or suggestions welcome: http://biplane.com.au/blog/?p=406

Regards, K.

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer@nullarbor.com.au)
work +61 2 64957435
http://www.nullarbor.com.au
mobile +61 428 957160
GPG fingerprint: 6D59 8AE6 810D 44E3 7626 7040 4DD6 F89F 3053 4774
Old fingerprint: 9DCA 0903 BCBD 0647 BCCC 2FA7 A35C 57A1 ACF9 00BB