[strongSwan] config 2 hosts, one with "type=transport", another with "type=tunnel", both "tunnel" and "transport" Child SA created, is this per-design?

Martin Willi martin at strongswan.org
Tue May 25 10:52:03 CEST 2010


Hi,

> It seems the later SA is the active one: when I send packets to the
> peer, the packets will be transmitted in the second SA.
> Is this per design? It confuses me: can we set up 2 different types of
> SA for the same connection at the same time?

The newest IPsec standards and IKEv2 allow the use of multiple tunnels
with identical traffic selectors, e.g. for QoS purposes. The Linux
kernel currently does not support this; we therefore map identical
tunnels to a single XFRM policy, but only use the latest SA.

Regards
Martin
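
Added example, not part of the original message and not strongSwan code: a check for the situation discussed in this thread, where one host pair ends up holding both a transport-mode and a tunnel-mode SA. It parses text in the layout printed by `ip xfrm state`; the sample input, addresses, SPIs and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the layout printed by `ip xfrm state` (key lines
# omitted); addresses, SPIs and reqids are made up for illustration.
SAMPLE = """\
src 192.0.2.1 dst 192.0.2.2
    proto esp spi 0xc0000001 reqid 1 mode transport
src 192.0.2.2 dst 192.0.2.1
    proto esp spi 0xc0000002 reqid 1 mode transport
src 192.0.2.1 dst 192.0.2.2
    proto esp spi 0xc0000003 reqid 2 mode tunnel
src 192.0.2.2 dst 192.0.2.1
    proto esp spi 0xc0000004 reqid 2 mode tunnel
src 192.0.2.1 dst 198.51.100.7
    proto esp spi 0xc0000005 reqid 3 mode tunnel
"""

HEAD = re.compile(r"^src (\S+) dst (\S+)")
BODY = re.compile(r"^\s+proto (\S+) spi (0x[0-9a-f]+) reqid (\d+) mode (\S+)")

def parse_states(text):
    """Return one dict per SA found in `ip xfrm state` style output."""
    states, current = [], None
    for line in text.splitlines():
        if (m := HEAD.match(line)):
            current = {"src": m[1], "dst": m[2]}
        elif current is not None and (m := BODY.match(line)):
            current.update(proto=m[1], spi=m[2], reqid=int(m[3]), mode=m[4])
            states.append(current)
            current = None
    return states

def mixed_mode_pairs(states):
    """Map (src, dst, proto) -> sorted modes, for pairs holding more than one mode."""
    modes = defaultdict(set)
    for sa in states:
        modes[(sa["src"], sa["dst"], sa["proto"])].add(sa["mode"])
    return {k: sorted(v) for k, v in modes.items() if len(v) > 1}

if __name__ == "__main__":
    for (src, dst, proto), modes in mixed_mode_pairs(parse_states(SAMPLE)).items():
        print(f"{src} -> {dst} ({proto}): SAs in modes {modes}; check 'type=' on both peers")
```

A non-empty result points at a `type=` mismatch between the two peers' connection definitions, the configuration described in the subject line.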




