On 6/23/07, Phillip Hellewell <sshock@gmail.com> wrote:

So my question is, how can I fix this?  I can't tell my workplace to change what they are doing.  If there was some way to just use a single association for both tunnels, that would do the trick.  Or if there were some way to tell the kernel not to drop my packet because even though the SPI isn't the matching one, that would probably do it too.

Hooray!  To have a single tunnel, I just had to use "require" instead of "unique" on my SPD entries!

Since I'm using Debian's racoon-tool to do this for me, it amounted to adding the "level: require" option to my two connections.  (I guess racoon-tool defaults to "unique".)
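
The change described above, written out as setkey(8) SPD entries. This is an added example, not part of the original message and not racoon-tool's generated output; the gateway and subnet addresses are constructed (RFC 5737 documentation ranges), and the two policies stand in for the two connections.

```conf
#!/usr/sbin/setkey -f
# Constructed example: two tunnel policies to the same remote gateway.
#   local gateway  203.0.113.1     local net    192.0.2.0/25
#   remote gateway 203.0.113.2     remote nets  198.51.100.0/25, 198.51.100.128/25

flush;
spdflush;

# Before: level "unique". Each policy is tied to its own SA, so the two
# connections negotiate separate SAs with separate SPIs.
#
# spdadd 192.0.2.0/25 198.51.100.0/25 any -P out ipsec
#     esp/tunnel/203.0.113.1-203.0.113.2/unique;
# spdadd 192.0.2.0/25 198.51.100.128/25 any -P out ipsec
#     esp/tunnel/203.0.113.1-203.0.113.2/unique;

# After: level "require". IPsec is still mandatory for matching traffic,
# but the policy is not tied to one particular SA, so both connections
# can use a single SA between the two gateways.
spdadd 192.0.2.0/25 198.51.100.0/25 any -P out ipsec
    esp/tunnel/203.0.113.1-203.0.113.2/require;
spdadd 198.51.100.0/25 192.0.2.0/25 any -P in ipsec
    esp/tunnel/203.0.113.2-203.0.113.1/require;

spdadd 192.0.2.0/25 198.51.100.128/25 any -P out ipsec
    esp/tunnel/203.0.113.1-203.0.113.2/require;
spdadd 198.51.100.128/25 192.0.2.0/25 any -P in ipsec
    esp/tunnel/203.0.113.2-203.0.113.1/require;

# Checks after loading:
#   setkey -DP   lists the installed policies and their level
#   setkey -D    lists the SAs and their SPIs
```

With racoon-tool, the "level: require" option mentioned above is what selects this level for the generated policies.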