[strongSwan-dev] Strongswan and multihoming

Daniel Migault mglt.biz at gmail.com
Mon Sep 27 16:44:29 CEST 2010


Hi,

We have a problem using Strongswan and SCTP for multihoming scenarios.

We have a client and a server connected using SCTP. The client has two
different network cards with one IP address on each card: IPclt1 and
IPclt2. The server has one IP address. Multihoming with SCTP works as
follows: the connection is first established with one IP address (IPclt1),
and when IPclt1 is not available anymore the traffic switches to IPclt2.

We want to secure the SCTP connection with IPsec. Thus we try the following
configurations:

   1. Using Traffic Selectors so that a CHILD_SA can use simultaneously
IPclt1 AND IPclt2. When we look at the SAD, only one IP address of the
client seems IPsec protected. When we perform the handover to the other IP
address by removing the link, the traffic is no longer protected.

We are wondering:
     A) Why can't we see the two traffic selectors in the SAD?
     B) Is the IKE_SA able to consider multiple IP addresses?
     C) If not, what should we expect from Strongswan when we perform the
SCTP handover?

   2. Using a different IKE_SA for each network card. We configured two
distinct connections, and proceeded with ipsec start, ipsec up conn1, ipsec up
conn2. It seems that ipsec up conn2 overwrites ipsec up conn1, and it looks
like we can only have one connection configured at a time.

We would like to know:
      A) How is it possible to configure two separate IKE_SAs, each with its own
CHILD_SA?


Here is the configuration file we used:

# ipsec.conf - strongSwan IPsec configuration file

config setup
      crlcheckinterval=180
      strictcrlpolicy=no
      plutostart=no
      charondebug="dmn 4, mgr 4, ike 4, chd 4, job 4, cfg 4, knl 4, net 4, enc 4, lib 4"

conn %default
      auth=esp
      authby=rsasig
      ike=aes128-aes192-aes256-sha1-modp1536!
      ikelifetime=60m
      keylife=7d
      #keylife=10m
      reauth=no
      rekeymargin=3m
      keyingtries=1
      keyexchange=ikev2
      mobike=yes
      mobikex=2

conn ESP_tran_ENCRE_AES_CBC
      esp=aes128-aes192-aes256-sha1!
      leftsubnet=10.0.1.244/32,10.0.2.244/32
      #leftallowany=yes

      #leftsubnet=10.0.0.0/8
      leftid=@moon
      leftcert=moonCert.der
      right=10.1.2.244
      rightid=@sun
      rightcert=sunCert.der
      type=transport
      auto=route


Regards,
Daniel


-- 
Daniel Migault
Orange Labs / Security Lab
+33 (0) 1 45 29 60 52
+33 (0) 6 70 72 69 58
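As an added example (not part of Daniel's message and not taken from strongSwan's own documentation), here is one way to write the second approach from the message in ipsec.conf so that each client interface negotiates its own IKE_SA and transport-mode CHILD_SA. It reuses the addresses, identities and certificate names from the configuration above. The `uniqueids=no` line is an assumption about the cause of the observed behaviour: with the default `uniqueids=yes`, a new IKE_SA that authenticates with the same identities as an existing one (@moon and @sun here) replaces the old one, which would explain `ipsec up conn2` overwriting `conn1`.

```conf
# ipsec.conf - added example, not the original poster's file.
# Goal: one IKE_SA (and one transport-mode CHILD_SA) per client
# interface, so that traffic from either client address stays protected
# across an SCTP path switch.

config setup
      plutostart=no
      # Assumption: with the default uniqueids=yes, a second IKE_SA
      # between the same identities (@moon <-> @sun) deletes the first,
      # which matches "ipsec up conn2" overwriting conn1. Let both live.
      uniqueids=no

conn %default
      keyexchange=ikev2
      authby=rsasig
      leftid=@moon
      leftcert=moonCert.der
      right=10.1.2.244
      rightid=@sun
      rightcert=sunCert.der
      ike=aes128-aes192-aes256-sha1-modp1536!
      esp=aes128-aes192-aes256-sha1!
      type=transport
      reauth=no
      keyingtries=1
      # Policies are installed when charon loads the conn; the SA is
      # negotiated when the first matching packet appears or on "ipsec up".
      auto=route

# One conn per client address. Pinning the local endpoint with left=
# gives each conn its own IKE_SA, whose CHILD_SA protects exactly that
# address (in transport mode the SA is bound to the packet's addresses).
conn clt1
      left=10.0.1.244
      leftsubnet=10.0.1.244/32

conn clt2
      left=10.0.2.244
      leftsubnet=10.0.2.244/32
```

Bring both up before the failover is needed (`ipsec up clt1`, then `ipsec up clt2`) so that the SCTP path switch does not wait for an IKE exchange; `ipsec statusall` should then list two established IKE_SAs with one ESP SA each, and `ip xfrm state` should show ESP states whose src is 10.0.1.244 and 10.0.2.244 respectively. The server side needs a matching conn that accepts either client address (for example `right=%any` with a rightsubnet covering both), and the same `uniqueids` consideration applies there.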