[strongSwan] Multiple CHILD_SA in one IKE_SA with same TS
Tobias Brunner
tobias at strongswan.org
Thu Jan 27 10:13:29 CET 2022
Hi Marcel,
> I am connecting multiple XFRM interfaces, each being in a different VRF,
> between two servers running strongSwan 5.9.4.
>
> As I am running dynamic routing protocols over those XFRM interfaces,
> all traffic selectors of the CHILD_SAs have been set to 0.0.0.0/0 & ::/0.
>
> Now, the responder is not being able to distinguish between the
> CHILD_SAs anymore (due to the same TS) for one IKE_SA and all the
> CHILD_SAs of the initiator end up in the same (the first) CHILD_SA in
> the responder, meaning the different XFRM interfaces of the initiator
> are being terminated all in the same XFRM interface of the responder.
>
> My current workaround is to create one IKE_SA per CHILD_SA as I am able
> to set the local and remote ID in the IKE_SA and use these to
> distinguish the tunnels as the local and remote addresses are the same
> as well. Unfortunately, the CHILD_SA parameter "reqid" is a local setting
> only and looking at the docs I can't see another way to set some "ID" of
> some sort to be able to distinguish between overlapping/identical
> traffic selectors. Am I missing something here or is this the only
> possible workaround?
The labeled-ipsec branch might be of interest to you (still experimental
and undergoing some major changes in the near future). In a non-SELinux
mode (in the current branch just don't compile with --enable-selinux),
the labels simply act as additional identifier/selector on the IKEv2
layer when negotiating CHILD_SAs and selecting child configs. This
allows using the label like a transmitted mark/if_id.
Regards,
Tobias
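Marcel's workaround (one IKE_SA per XFRM interface, told apart by IKE identities rather than by traffic selectors) written out as a swanctl.conf fragment. This is an added example, not configuration from the thread or from the strongSwan project; the addresses, identities, PSK authentication and if_id values are assumptions.

```conf
# swanctl.conf fragment (added example). Assumed: local 192.0.2.1, remote
# 198.51.100.1, PSK auth, XFRM interfaces with if_id 10 and 20, one per VRF.
connections {
    # One IKE_SA per VRF. Addresses are identical on both tunnels, so the
    # responder can only select the right child config via the identities.
    vrf-a {
        local_addrs  = 192.0.2.1
        remote_addrs = 198.51.100.1
        local {
            auth = psk
            id = vrf-a@left.example
        }
        remote {
            auth = psk
            id = vrf-a@right.example
        }
        children {
            vrf-a {
                # Wildcard TS: the routing daemon decides what flows here.
                local_ts  = 0.0.0.0/0, ::/0
                remote_ts = 0.0.0.0/0, ::/0
                # Bind SAs/policies to XFRM interface if_id 10 (local only).
                if_id_in  = 10
                if_id_out = 10
                start_action = start
            }
        }
    }
    vrf-b {
        local_addrs  = 192.0.2.1
        remote_addrs = 198.51.100.1
        local {
            auth = psk
            id = vrf-b@left.example
        }
        remote {
            auth = psk
            id = vrf-b@right.example
        }
        children {
            vrf-b {
                local_ts  = 0.0.0.0/0, ::/0
                remote_ts = 0.0.0.0/0, ::/0
                if_id_in  = 20
                if_id_out = 20
                start_action = start
            }
        }
    }
}
```

Like reqid, if_id_in/if_id_out are never transmitted, so each peer binds its own XFRM interface locally and the IKE identities are what carry the distinction across the wire; the responder needs a matching pair of connections with the identities swapped.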