[strongSwan] Question About the Multiple IPsec SA support
david.live.koo at gmail.com
Wed Jan 5 08:43:49 CET 2011
Thank you for your swift response!
I have reviewed these two scenarios and found that:
in these two scenarios, one CHILD_SA is always under one different IKE_SA.
I also checked some standard documents, which provide two application scenarios:
1) multiple IKE_SAs are built with identical traffic selectors or different
traffic selectors, and only one IKE_SA is under one IKE_SA;
*2) one IKE_SA is built and multiple CHILD_SAs are under this IKE_SA.*
So I still want to know if 2) can be supported by StrongSwan. Thanks a lot!
2011/1/5 Andreas Steffen <andreas.steffen at strongswan.org>
> Hello David,
> by Multiple ESP SAs do you mean multiple instances of a CHILD_SA
> with identical traffic selectors?
> If yes, then this can be done using XFRM marks as in the following
> For this to work you need at least strongswan-4.4.1 and a Linux 2.6.34
> On the other hand if you want to set up multiple CHILD_SAs with different
> traffic selectors then you can have a look at the following scenario:
> This is supported by all strongSwan versions and all Linux kernels.
> On 01/05/2011 03:36 AM, David Deng wrote:
>> Hi Martin, Hi Andreas, Hi All,
>> Happy New Year! I have one question about the Multiple IPsec SA support.
>> Before I send this email, I initiated some testing and found that:
>> StrongSwan can actually support the scenario: "Multiple IKE SA, one ESP
>> SA per IKE SA".
>> But I am not sure whether the other scenario: "One IKE SA, Multiple ESP
>> SA per IKE SA" can be supported by strongswan (version: 4.3.4).
>> If strongswan can support the second scenario, can you give me some
>> configuration sample or some instructions?
>> Thanks in advance!
>> David Morris
> Andreas Steffen andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)