[strongSwan] Query on Child SA Creation

Martin Willi martin at strongswan.org
Wed Apr 21 08:03:38 CEST 2010


> But I actually wanted this as a separate SA which can be enabled
> disabled separately. 

You can initiate/terminate specific CHILD_SAs using curly brackets, e.g.
ipsec down connxy{}.

> And just wanted to know what is the criteria for deciding that a
> config should be a child of another one ?

Configurations from ipsec.conf get merged if the IKE_SA specific
parameters match (i.e. identities and addresses).

To initiate each CHILD_SA in a seperate IKE_SA, you may specify the
strongswan.conf option charon.reuse_ikesa = no.


More information about the Users mailing list