[strongSwan] Multiple tunnels between two endpoints

Ali Masoudi masoudi1983 at gmail.com
Tue Jan 8 09:00:00 CET 2013


Thank you Dirk for your answer,

But what about ikev1 connections? I think using multiple subnets in
one connection is acceptable in ikev2. If I'm wrong, correct me
please.

I used "reuse_ikesa = no" for a while and had no problems, but in the
last week I started to work with the heartbeat service from linux-ha, and
on failover, after I bring up the virtual IP address
related service (which I have written) for ipsec, I had a few problems
bringing up some tunnels. But when I use "reuse_ikesa = yes", the
problems are solved.

Best regards
Ali

On Mon, Jan 7, 2013 at 2:52 PM, Dirk Hartmann <dha at heise.de> wrote:
> Hi Ali,
>
> --On Monday, January 07, 2013 02:39:55 PM +0330 Ali Masoudi
> <masoudi1983 at gmail.com> wrote:
>
>> I have a simple question, and I would be grateful if anyone could
>> answer it.
>>
>> If we want to establish multiple tunnels between two endpoints, is it
>> recommended to use the "reuse_ikesa = no" option in strongswan.conf?
>>
>> I figured out in my tests that it is better to use the default config.
>> Am I right? What is the application of the reuse_ikesa option? Thanks a
>> lot.
>
> if you set reuse_ikesa = no there will be a new IKE_SA for every
> CHILD_SA.
>
> Normally it is ok to have one IKE_SA with more CHILD_SAs.
> Handling is a little bit easier if you want to stop/start single
> CHILD_SAs.
>
> Do the different tunnels run to the same net on one side? Then you
> could enable them in a single tunnel.
> Example:
> rightsubnet= 192.168.1.0/25
> leftsubnet=10.0.0.0/8,172.16.1.0/24,172.16.2.0/24,172.31.0.0/16
>
> Best Regards
> Dirk