[strongSwan] Multiple CHILD_SA in one IKE_SA with same TS

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Mon Jan 24 20:48:58 CET 2022


Hello Marcel,

You already found the only good solution to the problem.
The general problem is that there's no way to identify any specific CHILD_SA because there are no markers or authentication procedures, or ways to match them by establishment order.

Kind regards
Noel

On 24.01.22 at 10:48, Marcel Menzel wrote:
> Hello List,
> 
> I am connecting multiple XFRM interfaces, each being in a different VRF, between two servers running strongSwan 5.9.4.
> 
> As I am running dynamic routing protocols over those XFRM interfaces, all traffic selectors of the CHILD_SAs have been set to 0.0.0.0/0 & ::/0.
> 
> Now, the responder is not able to distinguish between the CHILD_SAs anymore (due to the same TS) for one IKE_SA and all the CHILD_SAs of the initiator end up in the same (the first) CHILD_SA in the responder, meaning the different XFRM interfaces of the initiator are being terminated all in the same XFRM interface of the responder.
> 
> My current workaround is to create one IKE_SA per CHILD_SA as I am able to set the local and remote ID in the IKE_SA and use these to distinguish the tunnels as the local and remote addresses are the same as well. Unfortunately, the CHILD_SA parameter "reqid" is a local setting only and looking at the docs I can't see another way to set some "ID" of some sort to be able to distinguish between overlapping/identical traffic selectors. Am I missing something here or is this the only possible workaround?
> 
> 
> Thanks
> 
>   - Marcel
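The one-IKE_SA-per-CHILD_SA workaround discussed above, written out as a swanctl.conf fragment for the initiator side. This is an added example, not configuration from either poster; the addresses, certificate file names, identities and if_id values are placeholders, and it assumes strongSwan 5.8+ for `if_id_in`/`if_id_out`.

```conf
# Constructed example: one IKE_SA per VRF, told apart by IKE identity rather
# than by the identical 0.0.0.0/0 & ::/0 traffic selectors. Placeholders only.
connections {
    vrf-blue {
        local_addrs  = 192.0.2.1
        remote_addrs = 198.51.100.1
        local {
            auth  = pubkey
            certs = serverA-blue.pem          # subject/SAN must carry the id
            id    = "CN=serverA-blue"
        }
        remote {
            auth = pubkey
            id   = "CN=serverB-blue"          # responder selects config by id
        }
        children {
            blue {
                local_ts     = 0.0.0.0/0, ::/0
                remote_ts    = 0.0.0.0/0, ::/0
                if_id_in     = 101             # bind to XFRM interface id 101
                if_id_out    = 101
                start_action = start
            }
        }
    }
    vrf-red {
        local_addrs  = 192.0.2.1               # same endpoints as vrf-blue
        remote_addrs = 198.51.100.1
        local {
            auth  = pubkey
            certs = serverA-red.pem
            id    = "CN=serverA-red"
        }
        remote {
            auth = pubkey
            id   = "CN=serverB-red"
        }
        children {
            red {
                local_ts     = 0.0.0.0/0, ::/0
                remote_ts    = 0.0.0.0/0, ::/0
                if_id_in     = 102             # a different XFRM interface
                if_id_out    = 102
                start_action = start
            }
        }
    }
}
```

The responder carries the mirror image (local and remote ids swapped) so that each incoming IKE_SA matches a different connection and its CHILD_SA lands on the intended XFRM interface rather than on the first one with a matching TS.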