[strongSwan] Question About the Multiple IPsec SA support

David Deng david.live.koo at gmail.com
Wed Jan 12 04:00:27 CET 2011


Hi Martin and Andreas, Hi All,

I have a stupid question but I really want to know:

Is an IPinIP tunnel over an IPsec tunnel possible?

If it is possible, which kernel patch should I apply to Linux V2.6.28?
Thanks!

I remember I submitted the same question about one or two months ago but
got no answer.

I initiated some tests for this case, but no luck; it always failed.

It is an urgent question; I look forward to your answer. Thanks in advance!


Best wishes,
David Morris
-------------------------------------------------------------------------------------------------------------------------
2011/1/6 David Deng <david.live.koo at gmail.com>

> Hi Martin, Hi Andreas,
>
> Thank you for your swift response and detailed information.
>
> Best wishes,
> David Morris
>
> 2011/1/5 Martin Willi <martin at strongswan.org>
>
>> Hi,
>>
>> > 2) one IKE_SA was built  and multiple CHILD_SA is under this IKE_SA.
>> >
>> > so I still want to know if 2) can be supported by StrongSwan. Thanks a
>> > lot!
>>
>> Yes it is, and by default IKE_SAs are re-used to initiate new CHILD_SAs.
>> This behavior can be changed using the charon.reuse_ikesa
>> strongswan.conf option.
>>
>> To define an IKE_SA with multiple CHILD_SAs in ipsec.conf, use
>> connections that differ only in CHILD_SA specific options (ESP
>> algorithms, traffic selectors, etc.). These get automatically merged to
>> a single IKE_SA configuration with multiple CHILD_SAs. You may use a
>> %default connection or the "also" keyword to define them, man ipsec.conf
>> for details.
>>
>> Regards
>> Martin
>>
>>
>>
>
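
The configuration described in the quoted reply, as an added example that is not part of the original thread or taken from the strongSwan project: two connections that share every IKE-level setting and differ only in traffic selectors and ESP proposal, so they are merged into one IKE_SA with two CHILD_SAs. Host names, addresses, certificate file name and connection names are constructed for illustration.

```conf
# --- /etc/strongswan.conf (constructed sample) ---
charon {
    # yes (the default): new CHILD_SAs are negotiated over an already
    # established IKE_SA to the same peer.
    # no: each CHILD_SA gets an IKE_SA of its own.
    reuse_ikesa = yes
}

# --- /etc/ipsec.conf (constructed sample, documentation address ranges) ---
config setup

# IKE_SA-level settings. Every connection that includes this section ends up
# with identical peers, identities, authentication and IKE proposal, which is
# what allows the connections to be merged into a single IKE_SA.
# No auto= here, so this section is never started on its own.
conn gw-pair
    keyexchange=ikev2
    ike=aes256-sha256-modp2048
    left=192.0.2.1
    leftid=@gw-a.example.org
    leftcert=gwACert.pem
    right=198.51.100.1
    rightid=@gw-b.example.org

# First CHILD_SA: only CHILD_SA-specific options are set here.
conn net-a
    also=gw-pair
    leftsubnet=10.1.0.0/24
    rightsubnet=10.2.0.0/24
    esp=aes256-sha256
    auto=start

# Second CHILD_SA: different traffic selectors and ESP proposal, same IKE_SA.
conn net-b
    also=gw-pair
    leftsubnet=10.1.1.0/24
    rightsubnet=10.2.1.0/24
    esp=aes128-sha1
    auto=start
```

With both connections up, `ipsec statusall` should list a single established IKE_SA with `net-a` and `net-b` beneath it. Changing any IKE-level option in only one of the two connections prevents the merge.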