[strongSwan] Multiple tunnels between two endpoints

Dirk Hartmann dha at heise.de
Mon Jan 7 12:22:07 CET 2013


Hi Ali,

--On Monday, January 07, 2013 02:39:55 PM +0330 Ali Masoudi 
<masoudi1983 at gmail.com> wrote:

> I have a simple question, and I would be grateful if anyone could
> answer it.
>
> If we want to establish multiple tunnels between two endpoints, is it
> recommended to use the "reuse_ikesa = no" option in strongswan.conf?
>
> I figured out in my tests that it is better to use the default config.
> Am I right? What is the application of reuse_ikesa option? Thanks a
> lot.

If you set reuse_ikesa = no, there will be a new IKE_SA for every 
CHILD_SA.

Normally it is OK to have one IKE_SA with multiple CHILD_SAs.
Handling is a little bit easier if you want to stop/start single 
CHILD_SAs.

Do the different tunnels run to the same net on one side? Then you 
could enable them in a single tunnel.
Example:
rightsubnet=192.168.1.0/25
leftsubnet=10.0.0.0/8,172.16.1.0/24,172.16.2.0/24,172.31.0.0/16

Best Regards
Dirk
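
Added example, not part of the original message and not taken from the strongSwan project: the two layouts discussed above, written out as strongswan.conf and ipsec.conf fragments. The peer addresses (192.0.2.1, 198.51.100.1) and the conn names are constructed placeholders, IKEv2 is assumed, and authentication settings are left out because they are site-specific.

```conf
# /etc/strongswan.conf (fragment)
charon {
    # Default is yes: new CHILD_SAs to the same peer are negotiated inside
    # the existing IKE_SA. With "no", every CHILD_SA gets its own IKE_SA,
    # so each tunnel authenticates and rekeys separately.
    reuse_ikesa = yes
}

# /etc/ipsec.conf (fragment)
# Shared peer definition. It has no auto= line, so it is never loaded as a
# connection by itself and only serves as a template for also=.
conn peer-base
    keyexchange=ikev2
    # constructed placeholder addresses (documentation ranges)
    left=192.0.2.1
    right=198.51.100.1
    rightsubnet=192.168.1.0/25

# Layout A: one conn per local subnet. Each conn becomes its own CHILD_SA;
# with reuse_ikesa = yes they all share a single IKE_SA.
# Individual tunnels can be controlled with "ipsec up net-10" and
# "ipsec down net-10"; "ipsec statusall" lists the CHILD_SAs per IKE_SA.
conn net-10
    also=peer-base
    leftsubnet=10.0.0.0/8
    auto=start

conn net-172-16-1
    also=peer-base
    leftsubnet=172.16.1.0/24
    auto=start

# Layout B: a single conn that carries all local subnets as traffic
# selectors. Use this instead of layout A, not alongside it.
# Note: with IKEv1 only the first subnet of a comma-separated list is used
# (unless the Cisco Unity extension plugin is enabled).
#conn all-nets
#    also=peer-base
#    leftsubnet=10.0.0.0/8,172.16.1.0/24,172.16.2.0/24,172.31.0.0/16
#    auto=start
```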




