[strongSwan] What to do once the CHILD_SA is established?

Martin Willi martin at strongswan.org
Tue Mar 29 14:16:01 CEST 2011


> sample-with-ca-cert{2}:  INSTALLED, TUNNEL, ESP SPIs: cbf77aa0_i
> sample-with-ca-cert{2}: ===
> sample-with-ca-cert{1}:  INSTALLED, TUNNEL, ESP SPIs: cdbdb1cc_i
> sample-with-ca-cert{1}: ===

You have established two identical tunnels, probably because both ends
use auto=start. I'd recommend using auto=add on one side so that only
the other side initiates.

> 1. strongSwan created the IKE_SA and CHILD_SA, and then nothing more
> happens. Is this correct?
> 2. I believe that IPsec traffic will flow through the CHILD_SA. How
> will this happen? Can strongswan handle it, or should I use some other
> tool?

After the CHILD_SA has been negotiated, the associated SAs and policies
are installed in the kernel. The networking stack will
encapsulate/decapsulate the packets according to these rules. The
strongSwan userland daemon itself does not process the actual IP
traffic; it just negotiates and installs the tunnels.
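An added example, not part of the original reply or of the strongSwan project, that turns the two points above into checks a practitioner can run: it parses the "Security Associations" section of `ipsec statusall` to flag a connection whose CHILD_SA is INSTALLED twice for the same traffic selectors (the symptom of auto=start on both ends), and compares the ESP SPIs the daemon reports against `ip xfrm state` output to confirm the kernel actually holds the SAs that will carry the traffic. The sample outputs are constructed: the two inbound SPIs are the ones quoted in the thread, while the outbound SPIs, addresses, reqids and traffic selectors are made up, as is the layout detail of lines the parser ignores.

```python
import re
from collections import defaultdict

# Constructed sample data, not real captures. The CHILD_SA lines follow the
# "Security Associations" layout of `ipsec statusall` (strongSwan 4.x); the two
# inbound SPIs are the ones quoted in the thread, everything else is made up.
STATUSALL = """\
Security Associations:
sample-with-ca-cert{2}:  INSTALLED, TUNNEL, ESP SPIs: cbf77aa0_i cd7fd8b2_o
sample-with-ca-cert{2}:   10.1.0.0/16 === 10.2.0.0/16
sample-with-ca-cert{1}:  INSTALLED, TUNNEL, ESP SPIs: cdbdb1cc_i c0a81f02_o
sample-with-ca-cert{1}:   10.1.0.0/16 === 10.2.0.0/16
"""
# Constructed `ip xfrm state` output as seen on 192.0.2.1 (keys and flags
# omitted): one kernel SA per direction, inbound ones having dst = our address.
XFRM_STATE = """\
src 198.51.100.1 dst 192.0.2.1
    proto esp spi 0xcbf77aa0 reqid 1 mode tunnel
src 192.0.2.1 dst 198.51.100.1
    proto esp spi 0xcd7fd8b2 reqid 1 mode tunnel
src 198.51.100.1 dst 192.0.2.1
    proto esp spi 0xcdbdb1cc reqid 2 mode tunnel
src 192.0.2.1 dst 198.51.100.1
    proto esp spi 0xc0a81f02 reqid 2 mode tunnel
"""

CHILD_RE = re.compile(r"^(?P<conn>[^{\s]+)\{(?P<inst>\d+)\}:\s+INSTALLED, (?P<mode>\w+), "
                      r"ESP SPIs: (?P<spi_in>[0-9a-f]+)_i (?P<spi_out>[0-9a-f]+)_o")
TS_RE = re.compile(r"^(?P<conn>[^{\s]+)\{(?P<inst>\d+)\}:\s+(?P<local>.+?) === (?P<remote>.+?)\s*$")
XFRM_RE = re.compile(r"^\s*proto (?P<proto>\w+) spi 0x(?P<spi>[0-9a-f]+) ")


def parse_child_sas(statusall):
    """Extract INSTALLED CHILD_SAs: conn, instance, mode, SPIs, traffic selectors."""
    sas = {}
    for line in statusall.splitlines():
        m = CHILD_RE.match(line)
        if m:
            key = (m["conn"], int(m["inst"]))
            sas[key] = dict(conn=m["conn"], instance=int(m["inst"]), mode=m["mode"],
                            spi_in=m["spi_in"], spi_out=m["spi_out"],
                            local_ts=None, remote_ts=None)
            continue
        m = TS_RE.match(line)
        if m and (m["conn"], int(m["inst"])) in sas:   # selector line follows its SA
            sa = sas[(m["conn"], int(m["inst"]))]
            sa["local_ts"], sa["remote_ts"] = m["local"], m["remote"]
    return list(sas.values())


def duplicate_child_sas(sas):
    """Map (conn, local_ts, remote_ts) -> instance numbers for every selector
    pair that is INSTALLED more than once: the symptom of auto=start on both
    peers, each of which then brings up its own copy of the tunnel."""
    groups = defaultdict(list)
    for sa in sas:
        groups[(sa["conn"], sa["local_ts"], sa["remote_ts"])].append(sa["instance"])
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def parse_xfrm_spis(xfrm_state):
    """Set of ESP SPIs (lowercase hex, no 0x prefix) in `ip xfrm state` output."""
    spis = set()
    for line in xfrm_state.splitlines():
        m = XFRM_RE.match(line)
        if m and m["proto"] == "esp":
            spis.add(m["spi"])
    return spis


def spis_missing_from_kernel(sas, kernel_spis):
    """SPIs the daemon reports as INSTALLED that have no kernel state. A
    non-empty result means IKE says the tunnel is up but the networking stack
    has nothing to encapsulate or decapsulate with, so no traffic will flow."""
    expected = {sa["spi_in"] for sa in sas} | {sa["spi_out"] for sa in sas}
    return sorted(expected - kernel_spis)


if __name__ == "__main__":
    sas = parse_child_sas(STATUSALL)
    print("duplicate CHILD_SAs:", duplicate_child_sas(sas))
    print("SPIs missing from kernel:",
          spis_missing_from_kernel(sas, parse_xfrm_spis(XFRM_STATE)))
```

On a live gateway, feed the functions the real output of `ipsec statusall` and `ip xfrm state` (the latter needs root); `ip xfrm policy` lists the matching policies that decide which packets are steered into each SA. If the duplicate check fires, the fix is the one given above: leave auto=start on the initiating side and set auto=add on the other.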


