[strongSwan] multiple traffic selectors per child_sa

Tobias Brunner tobias at strongswan.org
Mon May 14 11:52:46 CEST 2018


Hi Marco,

> Kindly I would like to ask, if there is a way to
> know if a remote IKEv2 peer supports multiple
> traffic selectors per CHILD_SA.

This is not a negotiated feature.  You might just see a peer narrowing
the traffic selectors to only one the client proposed.  But it could
also do that for other reasons (e.g. a mismatching configuration).
Support for multiple traffic selectors is a core feature of IKEv2, but
due to traffic selector narrowing it's easy to avoid having to implement
it I guess.

There is a notify that could be sent, ADDITIONAL_TS_POSSIBLE, which
indicates that some of the not selected TS could be applied in a
separate CHILD_SA (but which ones, or in which combination, is not
communicated).  Not sure if anybody implements that (we currently don't
have any support for it).  Another notify we don't support is
SINGLE_PAIR_REQUIRED, which indicates that the responder requires
separate CHILD_SAs for each pair of IP addresses that could match the
proposed ranges (but the RFC discourages its use and recommends just
narrowing the TS).

Regards,
Tobias

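The narrowing behaviour described above, as an added Python model that is not from this thread or from strongSwan: the responder intersects each proposed traffic selector with its own policy, and an assumed `max_ts` parameter stands in for a peer that only handles one TS per CHILD_SA. Two different causes (a one-TS peer versus a policy that simply does not cover the second range) yield the same narrowed reply; only the optional ADDITIONAL_TS_POSSIBLE flag would tell them apart. Protocol and port fields of the TS payload are omitted.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model of an IKEv2 TS_IPV4_ADDR_RANGE traffic selector
# (address range only; protocol and port ranges left out for brevity).
@dataclass(frozen=True)
class TS:
    start: ipaddress.IPv4Address
    end: ipaddress.IPv4Address

def ts(cidr: str) -> TS:
    """Build a TS covering one CIDR block (helper for the examples)."""
    net = ipaddress.ip_network(cidr)
    return TS(net[0], net[-1])

def intersect(a: TS, b: TS) -> Optional[TS]:
    """Overlap of two address ranges, or None if they are disjoint."""
    lo, hi = max(a.start, b.start), min(a.end, b.end)
    return TS(lo, hi) if lo <= hi else None

def narrow(proposed: List[TS], policy: List[TS],
           max_ts: Optional[int] = None) -> Tuple[List[TS], bool]:
    """Responder-side narrowing as in RFC 7296 section 2.9.
    Returns the TS list for the reply and whether ADDITIONAL_TS_POSSIBLE
    applies (some acceptable TS were dropped and would need another
    CHILD_SA). max_ts is an assumed limit modelling a peer that installs
    only that many TS per CHILD_SA. An empty list means TS_UNACCEPTABLE."""
    matched: List[TS] = []
    for p in proposed:
        for pol in policy:
            i = intersect(p, pol)
            if i is not None and i not in matched:
                matched.append(i)
    if max_ts is not None and len(matched) > max_ts:
        return matched[:max_ts], True
    return matched, False

if __name__ == "__main__":
    proposed = [ts("10.1.0.0/24"), ts("10.2.0.0/24")]  # constructed TSi
    # Case A: policy covers both, but the peer handles one TS per CHILD_SA.
    print(narrow(proposed, [ts("10.0.0.0/8")], max_ts=1))
    # Case B: policy only covers the first range (config mismatch).
    print(narrow(proposed, [ts("10.1.0.0/24")]))
```

Both cases print the same single TS; without ADDITIONAL_TS_POSSIBLE on the wire the initiator cannot tell which cause applied.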

More information about the Users mailing list