[strongSwan] Multiple IKE-SA's between two endpoints

Tarik Demirci tarik at tarikdemirci.com
Wed Jan 7 11:44:30 CET 2015

Hi Everyone,

I have the requirement to establish multiple IKE-SA's between two
endpoints using pre-shared keys. My questions are:

- Is it possible to do this with IKEv1? Wiki says secrets may become a
problem. Would it cause other problems if I use the same secret for
each IKE-SA?
  Wiki says: "When using IKEv1 an additional complexity arises in the
case of authentication by preshared secret: the responder will need to
look up the secret before the Peer's ID payload has been decoded, so
the ID used will be the IP address."[1]

- What is the best practice when using IKEv2? I think using different
left and rightids for each IKE-SA is way to go but I wonder if it's
appropriate to use ids for this purpose (I mean same endpoints).

- Is there any caveat I should be aware of in this type of
configuration (both for IKEv1 and IKEv2)?

Any help in this regard is appreciated.


[1] https://wiki.strongswan.org/projects/strongswan/wiki/IpsecSecrets
Tarık Demirci

More information about the Users mailing list