[strongSwan] ESP transport mode questions

Tobias Brunner tobias at strongswan.org
Mon Nov 9 09:46:46 CET 2020


> 1. Why is the policy_Y set, if after negotiating the ESP parameters and 
> configuring the ESP SA, it remains unassociated with any ESP SA?

Only the outbound policy is explicitly associated with an SA (to switch
SAs in a controlled way during rekeying).  The inbound policy is still
associated with the inbound SA (or SAs during rekeying) of this CHILD_SA
via reqid.  Use `ip -s xfrm policy` to see statistics.

> 2. Is it possible to configure for a TCP connection not two ESP SAs, 
> each acting in its own direction, but one? For example, an exotic case 
> where I only need to apply encryption in one direction?

SAs are always negotiated in pairs (one in each direction, they are
unidirectional).  I guess if you really wanted to, you could manually
delete policies and SAs you don't need afterwards (on both ends).  It's
also possible to selectively protect traffic using marks.
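An added example, not from this thread or from strongSwan, that walks the association the reply describes: it parses constructed, abbreviated `ip xfrm state` / `ip xfrm policy` output and resolves each policy to its SA, by SPI for the outbound template and by template endpoints plus reqid for the inbound one, then flags policies left with no SA behind them (what hand-deleting SAs, as in question 2, can leave). Addresses, SPIs and the reqid are made up.

```python
import re
# Constructed, abbreviated `ip xfrm state` / `ip xfrm policy` output for one transport-mode CHILD_SA
SAMPLE_STATE = """\
src 192.0.2.1 dst 198.51.100.1
    proto esp spi 0xc1234567 reqid 1 mode transport
src 198.51.100.1 dst 192.0.2.1
    proto esp spi 0xc89abcde reqid 1 mode transport
"""
SAMPLE_POLICY = """\
src 192.0.2.1/32 dst 198.51.100.1/32 proto tcp
    dir out priority 367231 ptype main
    tmpl src 192.0.2.1 dst 198.51.100.1
        proto esp spi 0xc1234567 reqid 1 mode transport
src 198.51.100.1/32 dst 192.0.2.1/32 proto tcp
    dir in priority 367231 ptype main
    tmpl src 198.51.100.1 dst 192.0.2.1
        proto esp reqid 1 mode transport
"""
def records(text):
    # each SA/policy record begins with an unindented 'src ... dst ...' line
    return re.split(r"\n(?=src )", text.strip())

def parse_states(text):
    sas = []
    for rec in records(text):
        src, dst = re.match(r"src (\S+) dst (\S+)", rec).groups()
        spi, reqid = re.search(r"spi (0x[0-9a-f]+) reqid (\d+)", rec).groups()
        sas.append({"src": src, "dst": dst, "spi": int(spi, 16), "reqid": int(reqid)})
    return sas

def parse_policies(text):
    pols = []
    for rec in records(text):
        tsrc, tdst = re.search(r"tmpl src (\S+) dst (\S+)", rec).groups()
        spi = re.search(r"spi (0x[0-9a-f]+)", rec)  # only outbound templates carry one
        pols.append({"dir": re.search(r"dir (\w+)", rec)[1], "tmpl_src": tsrc,
                     "tmpl_dst": tdst, "spi": int(spi[1], 16) if spi else None,
                     "reqid": int(re.search(r"reqid (\d+)", rec)[1])})
    return pols

def sas_for_policy(pol, sas):
    # outbound: the template names the SA by SPI; inbound: endpoints + reqid only
    return [s for s in sas if s["reqid"] == pol["reqid"]
            and (s["src"], s["dst"]) == (pol["tmpl_src"], pol["tmpl_dst"])
            and (pol["spi"] is None or s["spi"] == pol["spi"])]

def orphaned_policies(policy_text, state_text):
    # directions of policies with no SA behind them (the kernel will not pass matching traffic in the clear)
    sas = parse_states(state_text)
    return [p["dir"] for p in parse_policies(policy_text) if not sas_for_policy(p, sas)]
```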


