[strongSwan] IKE_SA/CHILD_SA instance
yordanos beyene
yordanosb at gmail.com
Thu Nov 8 11:19:16 CET 2012
Thank you very much Martin for clarifying.
Jordan.
On Thu, Nov 8, 2012 at 2:16 AM, Martin Willi <martin at strongswan.org> wrote:
>
> > Is it possible to have multiple CHILD_SA under the same IKE_SA ?
>
> Yes.
>
> > Is it possible to have multiple CHILD_SA with different connection
> > <NAME> under the same IKE_SA.
>
> Yes, ipsec.conf connections get merged if the IKE_SA-relevant parts are
> equal. This results in a single IKE_SA specific configuration with
> multiple CHILD_SA specific configurations attached to it.
>
> > That is if a CHILD_SA identifier is "n", can I use "ipsec down [n]" to
> > delete the associated IKE_SA?
>
> No, that won't work. CHILD_SA and IKE_SA identifiers are not related at
> all. They are often the same because they all start at one, but this is
> not true anymore if you have multiple CHILD_SAs per IKE_SA.
>
> Regards
> Martin
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20121108/a56441b0/attachment.html>
More information about the Users
mailing list