[strongSwan] Question About the Multiple IPsec SA support

Andreas Steffen andreas.steffen at strongswan.org
Wed Jan 5 04:57:02 CET 2011


Hello David,

by Multiple ESP SAs do you mean multiple instances of a CHILD_SA
with identical traffic selectors?

If yes, then this can be done using XFRM marks as in the following
scenario:

http://www.strongswan.org/uml/testresults/ikev2/net2net-psk-dscp/

For this to work you need at least strongswan-4.4.1 and a Linux 2.6.34
kernel.

On the other hand i you want to set up multiple CHILD_SAs with different
traffic selectors then you can have a look at the following scenario:

http://www.strongswan.org/uml/testresults/ikev2/multi-level-ca-strict/

This is supported by all strongSwan versions and all Linux kernels.

Regards

Andreas


On 01/05/2011 03:36 AM, David Deng wrote:
> Hi Martin, Hi Andreas, Hi All,
> Happy New Year! I have one question about the Multiple IPsec SA support.
> Before I send this email, I initiated some testing and found that:
> StrongSwan can actually support the scenario: "Multiple IKE SA, one ESP
> SA per IKE SA".
> But I don't sure that the another scenario: "One IKE SA, Multiple ESP
> SA per IKE SA" can be supported by the strongswan (version: 4.3.4).
> If strongswan can support the second scenario, can you give me some
> configuration sample or some instructures?
> Thanks in advance!
> David Morris

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==




More information about the Users mailing list