[strongSwan] Creating Multiple CHILD SAs for same IKE SA

pankaj razdan pankajrazdan at yahoo.com
Tue Apr 14 02:57:51 CEST 2020


Hi, 
Setup: I have one IKE Responder and two IKE initiators (with different identities) which are able to establish an IKE SA with the responder successfully.

Version: strongSwan 5.7.2dr2, swanctl

Issue: I want to establish an additional CHILD_SA for each of these IKE-SA initiators from the Responder. However, both initiators' IKE entries are assigned the same connection name "net-net". In my ipsec.conf settings, the connection name is given as "net-net". My problem is that when I initiate a CHILD_SA using the swanctl --initiate command, I cannot identify the separate IKE-SAs as both are assigned the same name by the Charon daemon.

Please find the output of the command and ipsec.conf in the attached file.

Queries:
1. How to configure the Responder to have each entry as a separate connection name? I know I can define separate conn name configurations in the .conf file, but if I have 100K connections then it will lead to a big .conf file, which is difficult to manage.
2. Can I dynamically load only the child configuration using the "load_conn" command and then initiate a CHILD_SA for that particular child with the child name? I also tried to use the GoVICI interface to load configurations (with the same connection name) using the load_conn command, but it created a new entry rather than updating the existing one.

Warm Regards,
Pankaj
Attachment: strongswan_conn_name_issue.txt
URL: <http://lists.strongswan.org/pipermail/users/attachments/20200414/d4c9fa20/attachment.txt>
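As an added illustration (not the poster's configuration, and not a reply from the list): a swanctl.conf fragment for the responder in which each initiator identity gets its own connection name instead of a shared "net-net", so that a later `swanctl --initiate` can address one peer's IKE_SA and one of its children unambiguously. Addresses, identities, traffic selectors and the secret are placeholders.

```conf
# swanctl.conf on the responder (added example; all values are placeholders)
# One connection block per initiator identity: the block name becomes the
# IKE_SA name that charon reports and that swanctl --initiate --ike selects.
connections {
    peer-a {
        version = 2
        local_addrs  = 198.51.100.1
        remote_addrs = %any
        local {
            auth = psk
            id = responder.example.com
        }
        remote {
            auth = psk
            id = peer-a.example.com        # distinct identity per initiator
        }
        children {
            # first CHILD_SA, negotiated when peer A connects
            peer-a-net1 {
                local_ts  = 10.0.0.0/24
                remote_ts = 10.1.0.0/24
            }
            # second CHILD_SA, only brought up on demand from the responder:
            #   swanctl --initiate --child peer-a-net2 --ike peer-a
            peer-a-net2 {
                local_ts  = 10.0.0.0/24
                remote_ts = 10.2.0.0/24
                start_action = none
            }
        }
    }
    peer-b {
        version = 2
        local_addrs  = 198.51.100.1
        remote_addrs = %any
        local {
            auth = psk
            id = responder.example.com
        }
        remote {
            auth = psk
            id = peer-b.example.com
        }
        children {
            peer-b-net1 {
                local_ts  = 10.0.0.0/24
                remote_ts = 10.3.0.0/24
            }
            peer-b-net2 {
                local_ts  = 10.0.0.0/24
                remote_ts = 10.4.0.0/24
                start_action = none
            }
        }
    }
}

secrets {
    # PSK per initiator identity (placeholder secrets)
    ike-peer-a {
        id = peer-a.example.com
        secret = "REPLACE-WITH-PEER-A-PSK"
    }
    ike-peer-b {
        id = peer-b.example.com
        secret = "REPLACE-WITH-PEER-B-PSK"
    }
}
```

After `swanctl --load-all`, `swanctl --list-sas` shows each established IKE_SA under its own connection name (peer-a, peer-b), and `swanctl --initiate --child peer-a-net2 --ike peer-a` creates the additional CHILD_SA on peer A's already-established IKE_SA rather than on peer B's. To keep a large number of such blocks manageable, the strongswan.conf file format used by swanctl.conf accepts `include` directives (the stock swanctl.conf ships with `include conf.d/*.conf`), so one file per peer under conf.d/ can hold the per-peer connection and secret definitions instead of a single monolithic file.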