Hello Andreas,
Thank you very much.
So, each "conn" corresponds to exactly one CHILD_SA.
Best Regards
Mugur

-----Original Message-----
From: Andreas Steffen [mailto:andreas.stef...@strongswan.org] 
Sent: Sunday 27 December 2009 14:42
To: ABULIUS, MUGUR (MUGUR)
Cc: users@lists.strongswan.org; Pisano, Stephen G (Stephen); ROSSI, MICHEL MR 
(MICHEL); SCARAZZINI, FABRICE (FABRICE)
Subject: Re: [strongSwan] Several TS on a same connection

ABULIUS, MUGUR (MUGUR) wrote:
> Andreas, Thank you again for responding.
> 
> Indeed, the explanation concerning asymmetry for leftprotoport= and 
> rightprotoportin= is quite simple.
> 
> Do you confirm that calling: "ipsec up net-net" on the 'net-net'
> connection from your example will create IPsec SAs only corresponding 
> to "conn net-net" and to "conn host-host" (because specified by 
> also=host-host), but connections "conn proto1" and "conn proto2" are 
> not started yet?
>
If you use the option auto=start then all three tunnels are started 
automatically when the daemon starts up with ipsec start, with the first 
connection establishing the IKE_SA.

With the option auto=add you must start all tunnels manually:

ipsec up net-net
ipsec up proto1
ipsec up proto2

The connection host-host is not instantiated because auto=add is missing and 
the default auto=ignore is assumed.

> If this is true, then the CHILD_SAs created at this stage (after the 
> first "ipsec up") cover all protocols between specified subnets 
> (because proto1 & proto2 are not started). Then, when proto1 and
> proto2 are started the traffic is narrowed down to specified protocols 
> (via a rekeying of CHILD_SAs??). Do you confirm?
>
Actually I chose different subnets 10.5.0.0/16 and 10.6.0.0/16 for connections 
proto1 and proto2. But if the same subnets were used for proto1, proto2, 
and net-net, then http traffic would use the IPsec SAs set up by proto1, smtp 
traffic the IPsec SAs set up by proto2, and the remaining traffic would use the 
IPsec SAs set up by net-net.

> If this is confirmed, then IPsec-ed traffic depends, when using 
> 'also=', on the order of calling "ipsec up" and requires both 
> ends of the tunnel to start up connections in the same order.
>
As you can see from the example above, the order does not matter.
The kernel always tries to achieve the closest match between payload traffic and 
the existing IPsec policies.

> Best Regards Mugur

Kind regards

Andreas

======================================================================
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications University of Applied 
Sciences Rapperswil CH-8640 Rapperswil (Switzerland) 
===========================================================[ITA-HSR]==
_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
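As an added illustration of the closest-match behaviour discussed in the thread (this is not code from the list or from strongSwan itself), the following Python model expands also= sections from a constructed ipsec.conf fragment, builds one traffic selector per conn, and picks the most specific selector for each flow, so the answer is the same whichever order the conns are brought up in. The specificity score is an assumption standing in for the kernel policy priority strongSwan derives from a selector; the conn names and subnets are constructed for the example.

```python
import ipaddress

# Constructed ipsec.conf fragment (conn names from the thread, not the list's original example)
IPSEC_CONF = """
conn net-net
    leftsubnet=10.1.0.0/16
    rightsubnet=10.2.0.0/16
conn proto1
    also=net-net
    leftprotoport=tcp/80
conn proto2
    also=net-net
    leftprotoport=tcp/25
"""

def parse_conf(text):
    # Split ipsec.conf text into {conn name: {key: value}}
    conns, cur = {}, None
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("conn "):
            cur = conns.setdefault(line[5:].strip(), {})
        else:
            cur.update([line.split("=", 1)])
    return conns

def resolve(conns, name):
    # Expand also= as ipsec.conf does: a section's own keys override inherited ones
    sec = conns[name]
    base = resolve(conns, sec["also"]) if "also" in sec else {}
    return {**base, **{k: v for k, v in sec.items() if k != "also"}}

def policy(conns, name):
    # Selector plus a specificity score modelling the priority strongSwan derives from it
    c = resolve(conns, name)
    lnet, rnet = ipaddress.ip_network(c["leftsubnet"]), ipaddress.ip_network(c["rightsubnet"])
    proto, _, port = c.get("leftprotoport", "").partition("/")   # "tcp/80", "tcp" or ""
    proto, port = {"tcp": 6, "udp": 17}.get(proto), (int(port) if port else None)
    score = lnet.prefixlen + rnet.prefixlen + (proto is not None) + (port is not None)
    return dict(name=name, lnet=lnet, rnet=rnet, proto=proto, port=port, score=score)

def select(policies, src, dst, proto, sport):
    # Most specific matching policy wins, whatever order the conns were brought up in
    hits = [p for p in policies if ipaddress.ip_address(src) in p["lnet"]
            and ipaddress.ip_address(dst) in p["rnet"]
            and p["proto"] in (None, proto) and p["port"] in (None, sport)]
    return max(hits, key=lambda p: p["score"])["name"] if hits else None

def classify(up_order, flows):
    # Bring conns up in the given order; return which conn's SAs each flow would use
    policies = [policy(parse_conf(IPSEC_CONF), n) for n in up_order]
    return [select(policies, *f) for f in flows]
```

Flows are (src, dst, IP protocol number, source port) tuples; a flow matched by no selector yields None, the model's stand-in for traffic that no installed policy covers.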