[strongSwan] Multiple IKE-SA's between two endpoints
noel at familie-kuntze.de
Wed Jan 7 21:39:51 CET 2015
No, you can just set one secret for all IKEv1 connections and then use different IDs for your different tunnels.
For IKEv2, you can do it the same way as for IKEv1, but use different secrets.
Why do you want different IKE SAs with IKEv2? You can have a virtually unlimited number of CHILD SAs for each IKE SA.
Kind regards,
GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
On 07.01.2015 at 11:44, Tarik Demirci wrote:
> Hi Everyone,
> I have the requirement to establish multiple IKE-SA's between two
> endpoints using pre-shared keys. My questions are:
> - Is it possible to do this with IKEv1? Wiki says secrets may become a
> problem. Would it cause other problems if I use the same secret for
> each IKE-SA?
> Wiki says: "When using IKEv1 an additional complexity arises in the
> case of authentication by preshared secret: the responder will need to
> look up the secret before the Peer's ID payload has been decoded, so
> the ID used will be the IP address."
> - What is the best practice when using IKEv2? I think using different
> left and rightids for each IKE-SA is the way to go but I wonder if it's
> appropriate to use ids for this purpose (I mean same endpoints).
> - Is there any caveat I should be aware of in this type of
> configuration (both for IKEv1 and IKEv2)?
> Any help in this regard is appreciated.
>  https://wiki.strongswan.org/projects/strongswan/wiki/IpsecSecrets
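A configuration sketch of the layout the reply describes, added here as an example and not taken from the thread or from the strongSwan project: one IP-indexed secret shared by the IKEv1 connections, and per-ID secrets for the IKEv2 connections. The addresses, subnets, connection names, IDs and secrets are all constructed placeholders.

```conf
# ---- /etc/ipsec.conf (constructed example) ----
conn %default
    left=192.0.2.1            # local endpoint (documentation address)
    right=198.51.100.1        # remote endpoint (documentation address)
    authby=secret
    auto=add

# IKEv1: same two endpoints, distinguished only by their IDs.
conn v1-tunnel-a
    keyexchange=ikev1
    leftid=@a.site1.example
    rightid=@a.site2.example
    leftsubnet=10.1.1.0/24
    rightsubnet=10.2.1.0/24

conn v1-tunnel-b
    keyexchange=ikev1
    leftid=@b.site1.example
    rightid=@b.site2.example
    leftsubnet=10.1.2.0/24
    rightsubnet=10.2.2.0/24

# IKEv2: same ID scheme, but each ID pair gets its own secret.
conn v2-tunnel-c
    keyexchange=ikev2
    leftid=@c.site1.example
    rightid=@c.site2.example
    leftsubnet=10.1.3.0/24
    rightsubnet=10.2.3.0/24

conn v2-tunnel-d
    keyexchange=ikev2
    leftid=@d.site1.example
    rightid=@d.site2.example
    leftsubnet=10.1.4.0/24
    rightsubnet=10.2.4.0/24

# ---- /etc/ipsec.secrets (constructed example) ----
# IKEv1: the responder looks up the PSK before the peer's ID payload is
# decoded, so the entry is indexed by IP address and shared by both v1 conns.
192.0.2.1 198.51.100.1 : PSK "REPLACE-WITH-SHARED-V1-SECRET"

# IKEv2: secrets are selected by ID, so each tunnel can have its own.
@c.site1.example @c.site2.example : PSK "REPLACE-WITH-SECRET-C"
@d.site1.example @d.site2.example : PSK "REPLACE-WITH-SECRET-D"
```

The peer needs the mirrored configuration (left/right and the ID pairs swapped) with the same secrets.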