[strongSwan-dev] Strongswan and multihoming
mglt.biz at gmail.com
Mon Sep 27 16:44:29 CEST 2010
We have a problem using Strongswan and SCTP for multihoming scenarios.

We have a client and a server connected using SCTP. The client has two
different network cards with one IP address on each card: IPclt1 and
IPclt2. The server has one IP address. Multihoming with SCTP works as
follows: the connection is first established with one IP address (IPclt1),
and when IPclt1 is no longer available the traffic switches to IPclt2.

We want to secure the SCTP connection with IPsec. Thus we try the following:

1. Using Traffic Selectors so that a CHILD SA can simultaneously use
IPclt1 AND IPclt2. When we look at the SAD, only one IP address of the
client seems to be IPsec protected. When we perform the handover to the
other IP address by removing the link, the traffic is no longer protected.
We are wondering:
A) Why can't we see the two traffic selectors in the SAD?
B) Is the IKE_SA able to consider multiple IP addresses?
C) If not, what should we expect from Strongswan when we perform the
SCTP handover?

2. Using two different IKE_SAs, one for each network card. We configured two
distinct connections, and proceed to ipsec start, ipsec up conn1, ipsec up
conn2. It seems that ipsec up conn2 overwrites ipsec up conn1, and it looks
like we can only have one connection configured at a time.
We would like to know:
A) How is it possible to configure two separate IKE_SA with their own

Here is the configuration file we used:

# ipsec.conf - strongSwan IPsec configuration file
charondebug="dmn 4, mgr 4, ike 4, chd 4, job 4, cfg 4, knl 4, net 4, enc 4, lib 4"
Orange Labs / Security Lab
+33 (0) 1 45 29 60 52
+33 (0) 6 70 72 69 58