[strongSwan] Query regardig multiple SA for the same "traffic selectors"

Martin Willi martin at strongswan.org
Fri Mar 22 10:23:39 CET 2013


> Following is the excerpt from the RFC-4301 (section 4.1) which suggests
> to support multiple SA between a given sender & receiver with same
> "traffic selectors". How to configure such connections(policies) in the
> ipsec.conf file ?

The Linux Netkey IPsec stack does not allow to install identical IPsec
policies. You can, however, associate unique XFRM marks to each
connection, making policies non-identical.

An example how this is used with iptables to assign per-connection DSCP
rules can be found at [1].



More information about the Users mailing list