Hi,<br><br>We have a problem using strongSwan and SCTP for multihoming scenarios.<br><br>We have a client and a server connected using SCTP. The client has two different network cards with one IP address on each card: IPclt1 and IPclt2. The server has one IP address. Multihoming with SCTP works as follows: the connection is first established with one IP address (IPclt1), and when IPclt1 is not available anymore the traffic switches to IPclt2.<br>
<br>We want to secure the SCTP connection with IPsec. Thus we tried the following configurations:<br><br> 1. Using traffic selectors so that a CHILD_SA can use IPclt1 AND IPclt2 simultaneously. When we look at the SAD, only one IP address of the client seems IPsec protected. When we perform the handover to the other IP address by removing the link, the traffic is no longer protected.<br>
<br>We are wondering:<br> A) Why can't we see the two traffic selectors in the SAD?<br> B) Is the IKE_SA able to consider multiple IP addresses?<br> C) If not, what should we expect from strongSwan when we perform the SCTP handover?<br>
<br> 2. Using two different IKE_SAs, one for each network card. We configured two distinct connections and ran ipsec start, ipsec up conn1, ipsec up conn2. It seems that ipsec up conn2 overwrites ipsec up conn1, and it looks like we can only have one connection configured at a time.<br>
<br>We would like to know:<br> A) How is it possible to configure two separate IKE_SAs with their own CHILD_SA?<br><br>Here is the configuration file we used:<br>
<pre>
# ipsec.conf - strongSwan IPsec configuration file

config setup
    crlcheckinterval=180
    strictcrlpolicy=no
    plutostart=no
    charondebug="dmn 4, mgr 4, ike 4, chd 4, job 4, cfg 4, knl 4, net 4, enc 4, lib 4"

conn %default
    auth=esp
    authby=rsasig
    ike=aes128-aes192-aes256-sha1-modp1536!
    ikelifetime=60m
    keylife=7d
    #keylife=10m
    reauth=no
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    mobike=yes
    mobikex=2

conn ESP_tran_ENCRE_AES_CBC
    esp=aes128-aes192-aes256-sha1!
    leftsubnet=10.0.1.244/32,10.0.2.244/32
    #leftallowany=yes
    #leftsubnet=10.0.0.0/8
    leftid=@moon
    leftcert=moonCert.der
    right=10.1.2.244
    rightid=@sun
    rightcert=sunCert.der
    type=transport
    auto=route
</pre>
<br><br>Regards, <br>Daniel<br> <br clear="all"><br>-- <br>Daniel Migault<br>Orange Labs / Security Lab<br>+33 (0) 1 45 29 60 52<br>+33 (0) 6 70 72 69 58<br>
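Added as an example, not part of the original post or of strongSwan itself: a small Python lint that parses an ipsec.conf like the one above and reports the two situations the post describes, namely several conns sharing the same leftid/rightid (which strongSwan's default uniqueids=yes resolves by replacing the earlier IKE_SA, so conn2 "overwrites" conn1) and a transport-mode conn whose leftsubnet lists more addresses than the one the SA is bound to. The sample config is constructed, and its left= values are an assumption.

```python
# Constructed sample condensed from the poster's config: two conns sharing
# leftid=@moon / rightid=@sun, transport mode, two leftsubnet addresses.
# The left= values are assumed (the post sets none); no uniqueids is set.
SAMPLE_CONF = """\
conn %default
    leftid=@moon
    rightid=@sun
    type=transport

conn conn1
    left=10.0.1.244
    leftsubnet=10.0.1.244/32,10.0.2.244/32
    right=10.1.2.244

conn conn2
    left=10.0.2.244
    right=10.1.2.244
"""

def parse_ipsec_conf(text):
    """Return {section: {key: value}} with 'conn %default' merged into every conn."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # strip comments
        if not line.strip():
            continue
        if not line[0].isspace():                  # unindented line starts a section
            current = line.strip()
            sections[current] = {}
        elif current and "=" in line:
            key, val = line.strip().split("=", 1)
            sections[current][key.strip()] = val.strip()
    default = sections.pop("conn %default", {})
    return {n: ({**default, **o} if n.startswith("conn ") else o)
            for n, o in sections.items()}

def find_issues(sections):
    """Flag duplicate peer IDs and transport conns with extra leftsubnet addresses."""
    issues, seen = [], {}
    uniqueids = sections.get("config setup", {}).get("uniqueids", "yes")  # strongSwan default
    for name, o in sections.items():
        if not name.startswith("conn "):
            continue
        ids = (o.get("leftid"), o.get("rightid"))
        if ids in seen and uniqueids not in ("no", "never"):
            issues.append(f"{name} shares leftid/rightid with {seen[ids]}; uniqueids={uniqueids} replaces the earlier IKE_SA")
        seen.setdefault(ids, name)
        if o.get("type") == "transport" and "," in o.get("leftsubnet", ""):
            issues.append(f"{name}: transport SA is bound to left={o.get('left')}; other leftsubnet addresses are not carried")
    return issues
```

Running find_issues(parse_ipsec_conf(SAMPLE_CONF)) yields one finding per conn; adding uniqueids=no under config setup removes the replacement finding but not the transport-mode one.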