[strongSwan] What to do once the CHILD_SA is established?

Meera Sudhakar mira.sudhakar at gmail.com
Tue Mar 29 14:02:03 CEST 2011


Hi Andreas,

I was able to setup an IKE_SA and its CHILD_SA between my initiator and
responder. Just pasting the result of 'ipsec statusall' here:

*root at cip-Latitude-D520* <root at cip-Latitude-D520>*:~# ipsec statusall
*Status of IKEv2 charon daemon (strongSwan 4.4.0):
  uptime: 3 minutes, since Mar 28 18:54:41 2011
  worker threads: 7 idle of 16, job queue load: 0, scheduled events: 5
  loaded plugins: curl ldap aes des sha1 sha2 md5 random x509 pubkey pkcs1
pgp dnskey pem openssl fips-prf xcbc hmac agent gmp attr kernel-netlink
socket-default farp stroke updown eap-identity eap-aka eap-md5 eap-gtc
eap-mschapv2 dhcp resolve
Listening IP addresses:
  10.58.114.215
Connections:
sample-with-ca-cert:  10.58.114.215...10.58.112.139
sample-with-ca-cert:   local:  [C=CH, O=strongSwan, CN=10.58.114.215] uses
public key authentication
sample-with-ca-cert:    cert:  "C=CH, O=strongSwan, CN=10.58.114.215"
sample-with-ca-cert:   remote: [C=CH, O=strongSwan, CN=10.58.112.139] uses
any authentication
sample-with-ca-cert:   child:  10.58.114.0/24 === 10.58.112.0/24
Security Associations:
sample-with-ca-cert[1]: ESTABLISHED 2 minutes ago, 10.58.114.215[C=CH,
O=strongSwan, CN=10.58.114.215]...10.58.112.139[C=CH, O=strongSwan,
CN=10.58.112.139]
sample-with-ca-cert[1]: IKE SPIs: fdcf7ac0cdf2c04f_i* 983a0c5155be9623_r,
public key reauthentication in 2 hours
sample-with-ca-cert[1]: IKE proposal:
AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
sample-with-ca-cert{2}:  INSTALLED, TUNNEL, ESP SPIs: cbf77aa0_i cf97ba8b_o
sample-with-ca-cert{2}:  AES_CBC_128/HMAC_SHA1_96, 4916 bytes_i (147s ago),
2892 bytes_o (161s ago), rekeying in 40 minutes
sample-with-ca-cert{2}:   10.58.114.0/24 === 10.58.112.0/24
sample-with-ca-cert[2]: ESTABLISHED 3 minutes ago, 10.58.114.215[C=CH,
O=strongSwan, CN=10.58.114.215]...10.58.112.139[C=CH, O=strongSwan,
CN=10.58.112.139]
sample-with-ca-cert[2]: IKE SPIs: 396e462689843cdf_i 5dbd4f8988e5cd1f_r*,
public key reauthentication in 2 hours
sample-with-ca-cert[2]: IKE proposal:
AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
sample-with-ca-cert{1}:  INSTALLED, TUNNEL, ESP SPIs: cdbdb1cc_i c33cd52e_o
sample-with-ca-cert{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o,
rekeying in 42 minutes
sample-with-ca-cert{1}:   10.58.114.0/24 === 10.58.112.0/24


I am using strongswan for the first time, and I am not sure where the use of
strongswan ends. Could you please help me understand this? My queries are:

1. Stongswan created the IKE_SA and CHILD_SA, and then nothing more happens.
Is this correct?
2. I believe that IPsec traffic will flow through the CHILD_SA. How will
this happen? Can strongswan handle it, or should I use some other tool?

I know these questions might be kind of silly, but please help me get a
better idea of what I'm doing.

Thanks and regards,
Meera
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20110329/4d3311ac/attachment.html>


More information about the Users mailing list