[strongSwan] Question About the Multiple IPsec SA support
Andreas Steffen
andreas.steffen at strongswan.org
Wed Jan 5 04:57:02 CET 2011
Hello David,
by Multiple ESP SAs do you mean multiple instances of a CHILD_SA
with identical traffic selectors?
If yes, then this can be done using XFRM marks as in the following
scenario:
http://www.strongswan.org/uml/testresults/ikev2/net2net-psk-dscp/
For this to work you need at least strongswan-4.4.1 and a Linux 2.6.34
kernel.
On the other hand i you want to set up multiple CHILD_SAs with different
traffic selectors then you can have a look at the following scenario:
http://www.strongswan.org/uml/testresults/ikev2/multi-level-ca-strict/
This is supported by all strongSwan versions and all Linux kernels.
Regards
Andreas
On 01/05/2011 03:36 AM, David Deng wrote:
> Hi Martin, Hi Andreas, Hi All,
> Happy New Year! I have one question about the Multiple IPsec SA support.
> Before I send this email, I initiated some testing and found that:
> StrongSwan can actually support the scenario: "Multiple IKE SA, one ESP
> SA per IKE SA".
> But I don't sure that the another scenario: "One IKE SA, Multiple ESP
> SA per IKE SA" can be supported by the strongswan (version: 4.3.4).
> If strongswan can support the second scenario, can you give me some
> configuration sample or some instructures?
> Thanks in advance!
> David Morris
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
More information about the Users
mailing list