[strongSwan] IKE_SA/CHILD_SA instance

Martin Willi martin at strongswan.org
Thu Nov 8 11:16:02 CET 2012

> Is it possible to have multiple CHILD_SA under the same IKE_SA?

> Is it possible to have multiple CHILD_SA with different connection
> <NAME> under the same IKE_SA.

Yes, ipsec.conf connections get merged if the IKE_SA-relevant parts are
equal. This results in a single IKE_SA specific configuration with
multiple CHILD_SA specific configurations attached to it.

> That is if a CHILD_SA identifier is "n", can I use "ipsec down [n]" to
> delete the associated IKE_SA?

No, that won't work. CHILD_SA and IKE_SA identifiers are not related at
all. They are often the same because they all start at one, but this is
not true anymore if you have multiple CHILD_SAs per IKE_SA.
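
The merge described above, as an added ipsec.conf example that is not part of the original post: two conns inherit identical peer addresses, identities and authentication from a shared section and differ only in their subnets. The conn names, addresses, identities and subnets are constructed for illustration.

```conf
# /etc/ipsec.conf -- constructed example; all names and addresses are placeholders

# Shared section (hypothetical name "peer-gw"): the settings both conns
# have in common. Neither conn overrides any of them.
conn peer-gw
    keyexchange=ikev2
    left=192.0.2.1
    leftid=@gw-a.example.org
    right=198.51.100.1
    rightid=@gw-b.example.org
    authby=secret

# First tunnel: differs from net-b only in its subnets.
conn net-a
    also=peer-gw
    leftsubnet=10.1.0.0/24
    rightsubnet=10.2.0.0/24
    auto=add

# Second tunnel to the same peer with the same identities and authentication.
conn net-b
    also=peer-gw
    leftsubnet=10.1.1.0/24
    rightsubnet=10.2.1.0/24
    auto=add

# Teardown syntax of the ipsec command:
#   ipsec down <name>{n}   terminates IPsec (CHILD_SA) instance n
#   ipsec down <name>[n]   terminates IKE_SA instance n
# {n} and [n] are separate counters, so read both IDs from
# "ipsec statusall" before tearing anything down.
```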


