[strongSwan] Question About the Multiple IPsec SA support

David Deng david.live.koo at gmail.com
Wed Jan 12 04:00:27 CET 2011

Hi Martin and Andreas, Hi All,

I have a stupid question but I realy want to know:

If IPinIP tunnel over IPSEC tunnel is possible?

If it is possible, which kernel patch I will applied to Linux V2.6.28.

I remember I have sumbitted the same question about one or two month ago but
getting no answer.

I initiated some test for this case, but no lucky, it is always failed.

It is an urgent question, look forward to your answer, thanks in advance!

Bese wishes,
David Morris
2011/1/6 David Deng <david.live.koo at gmail.com>

> Hi Martin, Hi Andreans,
> Thank you for you swfit response and detail information.
> Best wishes,
> David Morris
> 2011/1/5 Martin Willi <martin at strongswan.org>
> Hi,
>> > 2) one IKE_SA was built  and multiple CHILD_SA is under this IKE_SA.
>> >
>> > so I still want to know if 2) can be supported by StrongSwan. Thanks a
>> > lot!
>> Yes it is, and by default IKE_SAs are re-used to initiate new CHILD_SAs.
>> This behavior can be changed using the charon.reuse_ikesa
>> strongswan.conf option.
>> To define an IKE_SA with multiple CHILD_SAs in ipsec.conf, use
>> connections that differ only in CHILD_SA specific options (ESP
>> algorithms, traffic selectors, etc.). These get automatically merged to
>> a single IKE_SA configuration with multiple CHILD_SAs. You may use a
>> %default connection or the "also" keyword to define them, man ipsec.conf
>> for details.
>> Regards
>> Martin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20110112/db2f7e24/attachment.html>

More information about the Users mailing list