[strongSwan] Is there a way to specify an IKE_SA config separately?

Dan Cook onedsc at gmail.com
Fri Aug 30 18:43:45 CEST 2013


When strongSwan establishes an IKE_SA it appears to look in the config file
for the first matching left and right ids.  It then uses that to establish
the IKE_SA which subsequent CHILD_SAs (IPsec SAs) are connected to after
further "narrowing" when the connection comes up.

These two SAs may be using completely different connection ("conn")
sections to do their job.

This all makes sense, however if the config is changed and the IKE_SA
connection is removed from the configuration file what is the expected
behavior?  If the connection that hosts the IKE_SAs is "downed" it takes
all the CHILD_SAs (other connections) with it.

So it looks like this:

IKE_SA => [ CHILD_SA #1, CHILD_SA #2, CHILD_SA #3 ]

It just so happens the connection used to establish the IKE_SA is the same
as CHILD_SA #1, but if the connection for CHILD_SA #1 is "downed" using the
ipsec down command it will take the other children with it.

I know the down command supports only removing the IKE_SA or the CHILD_SA
using square and curly braces, but that implies that one knows the entire
lineage of the IKE_SA to CHILD_SA to make the "correct" decision.

I would like to specify an IKE_SA connection configuration that is different
than the standard "conn" section.  How do I do this?  Do I need to write a
plugin with custom configuration?

Regards,
Dan Cook
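The lineage problem raised above (which CHILD_SAs hang off which IKE_SA, and which `ipsec down` form removes only one of them) can be recovered from `ipsec statusall`, which prints each established IKE_SA as `name[n]: ESTABLISHED ...` followed by its CHILD_SAs as `name{m}: INSTALLED, ...`. The script below is an added example, not code from the poster or from the strongSwan project: it parses a constructed `ipsec statusall` excerpt (the connection names, unique ids and SPIs are invented), maps every `name{m}` to the `name[n]` it belongs to, and prints the `ipsec down 'name{m}'` command that terminates only that CHILD_SA. The function names `lineage`, `children_of`, `ike_of` and `down_child` are this example's own; the `name{m}` / `name[n]` argument forms are the ones strongSwan's `ipsec down` accepts.

```shell
#!/bin/sh
# Constructed excerpt of `ipsec statusall` output (not captured from a real host):
# one IKE_SA, gw[3], established by the "gw" conn, with three CHILD_SAs under it.
STATUSALL='Security Associations (1 up, 0 connecting):
      gw[3]: ESTABLISHED 2 minutes ago, 10.0.0.2[alice]...10.0.0.1[gw]
      gw[3]: IKEv2 SPIs: 0000000000000001_i* 0000000000000002_r, rekeying in 3 hours
      gw{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0000001_i c0000002_o
      gw{1}:   10.0.0.2/32 === 10.1.0.0/16
      net-b{2}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c0000003_i c0000004_o
      net-b{2}:   10.0.0.2/32 === 10.2.0.0/16
      net-c{3}:  INSTALLED, TUNNEL, reqid 3, ESP SPIs: c0000005_i c0000006_o
      net-c{3}:   10.0.0.2/32 === 10.3.0.0/16'

# lineage: print "IKE_SA CHILD_SA" pairs, e.g. "gw[3] net-b{2}".
# A CHILD_SA belongs to the most recent "name[n]: ESTABLISHED" line above it,
# which is how statusall groups them.  Unique ids come from the name[n]/name{m}
# tokens, not from the conn name, so two children of different conns are told apart.
lineage() {
  printf '%s\n' "$STATUSALL" | awk '
    $2 == "ESTABLISHED" && index($1, "[") { ike = substr($1, 1, length($1) - 1); next }
    $2 == "INSTALLED,"  && index($1, "{") { print ike, substr($1, 1, length($1) - 1) }'
}

# children_of IKE_SA: list the CHILD_SA ids under one IKE_SA instance (e.g. gw[3]).
children_of() {
  lineage | awk -v ike="$1" '$1 == ike { print $2 }'
}

# ike_of CHILD_SA: the IKE_SA instance a CHILD_SA id (e.g. net-b{2}) hangs off.
ike_of() {
  lineage | awk -v child="$1" '$2 == child { print $1; exit }'
}

# down_child CHILD_SA: the ipsec down form that removes just this CHILD_SA.
# `ipsec down gw` or `ipsec down 'gw[3]'` would instead take the IKE_SA down
# together with every CHILD_SA under it, including net-b{2} and net-c{3}.
down_child() {
  ike=$(ike_of "$1")
  [ -n "$ike" ] || { echo "no such CHILD_SA: $1" >&2; return 1; }
  printf "ipsec down '%s'   # leaves %s and its other CHILD_SAs up\n" "$1" "$ike"
}

# Stand-alone usage: show the full lineage, then the command for one child.
lineage
down_child 'net-b{2}'
```

On a live host, replace the constructed `STATUSALL` string with `$(ipsec statusall)`; the parsing is the same. The quoting around `net-b{2}` matters in an interactive shell, since unquoted braces are brace expansion in bash.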