Hi, > But I actually wanted this as a separate SA which can be enabled > disabled separately.
You can initiate/terminate specific CHILD_SAs using curly brackets, e.g. ipsec down connxy{}. > And just wanted to know what is the criteria for deciding that a > config should be a child of another one ? Configurations from ipsec.conf get merged if the IKE_SA specific parameters match (i.e. identities and addresses). To initiate each CHILD_SA in a seperate IKE_SA, you may specify the strongswan.conf option charon.reuse_ikesa = no. Regards Martin _______________________________________________ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users