This is useful in cases where the same local/remote prefixes are assigned to different peers:
                 203.0.113.1
               /
203.0.113.254
               \
                 203.0.113.2
For example, we have 2 VPN peers and both peers send the same prefixes with policy-based VPN.
set vpn ipsec site-to-site peer 203.0.113.1 tunnel 0 local prefix '172.16.0.0/24'
set vpn ipsec site-to-site peer 203.0.113.1 tunnel 0 remote prefix '10.0.0.0/24'
set vpn ipsec site-to-site peer 203.0.113.2 tunnel 0 local prefix '172.16.0.0/24'
set vpn ipsec site-to-site peer 203.0.113.2 tunnel 0 remote prefix '10.0.0.0/24'
strongSwan supports connections.<conn>.children.<child>.priority: https://wiki.strongswan.org/projects/strongswan/wiki/Swanctlconf
Suggested syntax:
set vpn ipsec site-to-site peer 203.0.113.1 tunnel 0 cost X
or
set vpn ipsec site-to-site peer 203.0.113.1 tunnel 0 priority X
Routes with the lowest value are preferred.
Optional fixed priority for IPsec policies. This could be useful to install high-priority drop policies. The default of 0 uses dynamically calculated priorities based on the size of the traffic selectors.
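How the suggested option could map onto the strongSwan setting named above, as an added swanctl.conf sketch (not configuration generated by VyOS and not part of the original request). The connection and child names, the local address 203.0.113.254 and the priority values 100 and 200 are assumptions made for illustration; authentication and proposal settings are omitted.

```conf
# Added example: two peers with identical traffic selectors,
# distinguished only by a fixed per-child policy priority.
connections {
    # Hypothetical name for peer 203.0.113.1
    peer_203-0-113-1 {
        local_addrs  = 203.0.113.254   # assumed local address
        remote_addrs = 203.0.113.1
        children {
            tunnel-0 {
                local_ts  = 172.16.0.0/24
                remote_ts = 10.0.0.0/24
                # Fixed priority (constructed value). Following the
                # request's convention, the lower value is preferred.
                priority = 100
            }
        }
    }

    # Hypothetical name for peer 203.0.113.2
    peer_203-0-113-2 {
        local_addrs  = 203.0.113.254   # assumed local address
        remote_addrs = 203.0.113.2
        children {
            tunnel-0 {
                # Same selectors as the first peer
                local_ts  = 172.16.0.0/24
                remote_ts = 10.0.0.0/24
                # Higher value (constructed): less preferred policy
                priority = 200
            }
        }
    }
}
```

Leaving priority unset (the default of 0) on both children would fall back to priorities calculated from the traffic selectors, which are identical here, so the preference between the two peers would not be set explicitly.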