[strongSwan] Question About the Multiple IPsec SA support

David Deng david.live.koo at gmail.com
Thu Jan 6 02:57:16 CET 2011


Hi Martin, Hi Andreans,

Thank you for you swfit response and detail information.

Best wishes,
David Morris

2011/1/5 Martin Willi <martin at strongswan.org>

> Hi,
>
> > 2) one IKE_SA was built  and multiple CHILD_SA is under this IKE_SA.
> >
> > so I still want to know if 2) can be supported by StrongSwan. Thanks a
> > lot!
>
> Yes it is, and by default IKE_SAs are re-used to initiate new CHILD_SAs.
> This behavior can be changed using the charon.reuse_ikesa
> strongswan.conf option.
>
> To define an IKE_SA with multiple CHILD_SAs in ipsec.conf, use
> connections that differ only in CHILD_SA specific options (ESP
> algorithms, traffic selectors, etc.). These get automatically merged to
> a single IKE_SA configuration with multiple CHILD_SAs. You may use a
> %default connection or the "also" keyword to define them, man ipsec.conf
> for details.
>
> Regards
> Martin
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20110106/00788fdc/attachment.html>


More information about the Users mailing list