[strongSwan] Question About the Multiple IPsec SA support

David Deng david.live.koo at gmail.com
Wed Jan 5 08:43:49 CET 2011

Hi Andreas,

Thank you for you swift response !

I have reviewed these two scenarios and found that:

in these two scenarios, one CHILD_SA is always under one different IKE_SA.

and I check some standard documents, it provides two application scenarios:
1) multiple IKE_SA was built with identical traffic selectors or different
traffic selectors, and only one IKE_SA is under one IKE_SA;

*2) one IKE_SA was built  and multiple CHILD_SA is under this IKE_SA.*

so I still want to know if 2) can be supported by StrongSwan. Thanks a lot!

Best wishes,
David Morris

2011/1/5 Andreas Steffen <andreas.steffen at strongswan.org>

> Hello David,
> by Multiple ESP SAs do you mean multiple instances of a CHILD_SA
> with identical traffic selectors?
> If yes, then this can be done using XFRM marks as in the following
> scenario:
> http://www.strongswan.org/uml/testresults/ikev2/net2net-psk-dscp/
> For this to work you need at least strongswan-4.4.1 and a Linux 2.6.34
> kernel.
> On the other hand i you want to set up multiple CHILD_SAs with different
> traffic selectors then you can have a look at the following scenario:
> http://www.strongswan.org/uml/testresults/ikev2/multi-level-ca-strict/
> This is supported by all strongSwan versions and all Linux kernels.
> Regards
> Andreas
> On 01/05/2011 03:36 AM, David Deng wrote:
>> Hi Martin, Hi Andreas, Hi All,
>> Happy New Year! I have one question about the Multiple IPsec SA support.
>> Before I send this email, I initiated some testing and found that:
>> StrongSwan can actually support the scenario: "Multiple IKE SA, one ESP
>> SA per IKE SA".
>> But I don't sure that the another scenario: "One IKE SA, Multiple ESP
>> SA per IKE SA" can be supported by the strongswan (version: 4.3.4).
>> If strongswan can support the second scenario, can you give me some
>> configuration sample or some instructures?
>> Thanks in advance!
>> David Morris
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20110105/f96f3e5e/attachment.html>

More information about the Users mailing list