[strongSwan] Multiple IKE-SA's between two endpoints

Noel Kuntze noel at familie-kuntze.de
Wed Jan 7 21:39:51 CET 2015



Hello Tarik,

No, you can just set one secret for all IKEv1 connections and then use different IDs for your different tunnels.

For IKEv2, you can do it the same way as for IKEv1, but use different secrets.

Why do you want different IKE SAs with IKEv2? You can have a virtually unlimited number of CHILD SAs for each IKE SA
in IKEv2.

Kind regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 07.01.2015 at 11:44, Tarik Demirci wrote:
> Hi Everyone,
>
> I have the requirement to establish multiple IKE-SAs between two
> endpoints using pre-shared keys. My questions are:
>
> - Is it possible to do this with IKEv1? Wiki says secrets may become a
> problem. Would it cause other problems if I use the same secret for
> each IKE-SA?
>   Wiki says: "When using IKEv1 an additional complexity arises in the
> case of authentication by preshared secret: the responder will need to
> look up the secret before the Peer's ID payload has been decoded, so
> the ID used will be the IP address."[1]
>
> - What is the best practice when using IKEv2? I think using different
> left and rightids for each IKE-SA is the way to go, but I wonder if it's
> appropriate to use ids for this purpose (I mean same endpoints).
>
> - Is there any caveat I should be aware of in this type of
> configuration (both for IKEv1 and IKEv2)?
>
> Any help in this regard is appreciated.
>
>
>
> Regards,
> Tarik.
>
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/IpsecSecrets

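Noel's suggestion written out as strongSwan configuration, added here as a constructed example that is not part of the original thread; the addresses, identities, subnets and secrets are placeholders, and the ipsec.conf and ipsec.secrets parts are shown together in one block for readability:

```conf
# ---- ipsec.conf (constructed example) ----
config setup

conn %default
    keyexchange=ikev2
    left=192.0.2.1
    right=198.51.100.1
    leftauth=psk
    rightauth=psk
    auto=start

# Two separate IKE SAs between the same address pair. Because the
# identities differ, charon negotiates a distinct IKE SA for each conn
# instead of reusing an existing one (see charon.reuse_ikesa in
# strongswan.conf, which defaults to reusing matching IKE SAs).
conn tunnel-a
    leftid=@gw-a.example.org
    rightid=@peer-a.example.org
    leftsubnet=10.1.0.0/24
    rightsubnet=10.2.0.0/24

conn tunnel-b
    leftid=@gw-b.example.org
    rightid=@peer-b.example.org
    leftsubnet=10.1.1.0/24
    rightsubnet=10.2.1.0/24

# ---- ipsec.secrets (constructed example) ----
# IKEv2: the responder has already parsed the initiator's ID when it
# selects the PSK, so each ID pair can carry its own secret.
@gw-a.example.org @peer-a.example.org : PSK "placeholder-secret-a"
@gw-b.example.org @peer-b.example.org : PSK "placeholder-secret-b"

# IKEv1 (keyexchange=ikev1, main mode) instead: the PSK is looked up by
# IP address before the ID payload is decrypted, so one line keyed on the
# address pair must serve every conn between these two endpoints.
# 192.0.2.1 198.51.100.1 : PSK "placeholder-shared-secret"
```

If separate IKE SAs are not actually required with IKEv2, the two conns can share one set of IDs and a single secret, in which case charon brings them up as two CHILD SAs under one IKE SA, the arrangement Noel recommends.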