[strongSwan] Question About the Multiple IPsec SA support
Martin Willi
martin at strongswan.org
Wed Jan 5 10:42:32 CET 2011
Hi,
> 2) one IKE_SA was built and multiple CHILD_SA is under this IKE_SA.
>
> so I still want to know if 2) can be supported by StrongSwan. Thanks a
> lot!
Yes it is, and by default IKE_SAs are re-used to initiate new CHILD_SAs.
This behavior can be changed using the charon.reuse_ikesa
strongswan.conf option.
To define an IKE_SA with multiple CHILD_SAs in ipsec.conf, use
connections that differ only in CHILD_SA specific options (ESP
algorithms, traffic selectors, etc.). These get automatically merged to
a single IKE_SA configuration with multiple CHILD_SAs. You may use a
%default connection or the "also" keyword to define them, man ipsec.conf
for details.
Regards
Martin
More information about the Users
mailing list