Hello,
I looked at the strongSwan connection parameters
(http://wiki.strongswan.org/wiki/1/ConnSection) and I am not sure how to define
several tunnels between the same endpoints, each tunnel with several traffic
selectors.
In my understanding an independent tunnel is defined by a conn name
Hello Mugur,
it does not matter if you define each tunnel between two
peers independently or if you use conn %default or an also=
construct to save typing work. All tunnels, i.e. definitions
of traffic selectors, are grouped under the same IKE_SA
which is going to be established between the two
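The grouping Andreas describes, as an added example that is not part of the thread and not taken from the strongSwan wiki: an ipsec.conf with two tunnels (two CHILD_SAs, each with its own traffic selectors) between the same pair of peers. The conn %default section carries the settings every tunnel shares, a template conn carries the peer identities and is pulled into each tunnel with also=, and one of the tunnels uses comma-separated subnets to get several traffic selectors in a single CHILD_SA. The hostnames, addresses, subnets and certificate file are assumed for illustration; comma-separated subnets are accepted for IKEv2 conns only.

```conf
# Added example (not from the original post): ipsec.conf with several
# tunnels between the same two peers. Addresses, IDs and the certificate
# file name are assumptions.
config setup

# Settings shared by every conn below.
conn %default
        keyexchange=ikev2
        ike=aes256-sha256-modp2048!
        esp=aes256-sha256!

# Peer definition used as a template: auto=ignore so it is never loaded
# on its own, only merged into the conns that reference it via also=.
conn moon-sun
        left=192.0.2.1
        leftcert=moonCert.pem
        leftid=@moon.example.org
        right=198.51.100.1
        rightid=@sun.example.org
        auto=ignore

# Tunnel 1: one CHILD_SA whose traffic selectors cover two subnets on
# each side (comma-separated subnets, IKEv2 only).
conn office
        also=moon-sun
        leftsubnet=10.1.0.0/16,10.2.0.0/16
        rightsubnet=10.3.0.0/16,10.4.0.0/16
        auto=add

# Tunnel 2: a second CHILD_SA between the same peers for a management
# network. Same left/right/IDs, so it rides on the same IKE_SA as "office".
conn mgmt
        also=moon-sun
        leftsubnet=10.9.0.0/24
        rightsubnet=10.10.0.0/24
        auto=add
```

To check the behaviour, bring both tunnels up with `ipsec up office` followed by `ipsec up mgmt` and look at `ipsec statusall`: the second `ipsec up` does not negotiate a new IKE_SA but reuses the one already ESTABLISHED to sun.example.org, and the listing shows that single IKE_SA with two CHILD_SAs (office and mgmt) beneath it, each with its own traffic selectors. A parameter set directly in office or mgmt takes precedence over the value merged in through also=, which is why auto=add in the tunnel conns overrides the auto=ignore of the template.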
Hello Andreas,
Thank you for your help.
From your answer I conclude that between two peers at most one IKE_SA (= at
most one IPsec tunnel) can be created regardless of how multiple conn
directives are specified (with or without %default or 'also=').
I don't really understand the asymmetry of
Hi Andreas Schuldei,
I guess that IKE traffic on port 500 is never protected by ESP because
it has its own protection which is the IKE SA. So don't worry about IKE
traffic.
Regarding ssh I do understand the problem. What you might want to try
out is a passthrough setup like the one described
ABULIUS, MUGUR (MUGUR) wrote:
> Hello Andreas,
> Thank you for your help.
> From your answer I conclude that between two peers at most one IKE_SA
> (= at most one IPsec tunnel) can be created regardless of how multiple
> conn directives are specified (with or without %default or
> 'also=').
Yes, this
Andreas,
I have a concern regarding QoS and your statement:
---One of our pending projects intends to create multiple tunnels for
different QoS classes but this would require some fundamental changes in the
Linux kernel. (Do you have a roadmap for this?). ---
This suggests that using
Hello Mugur,
currently the Linux kernel copies the TOS field from the
encapsulated IP packets into the IP header of the ESP packet.
Thus routers can treat the QoS classes differently. Problems
may arise in the presence of large congestion where ESP packets
with low QoS priority are delayed more
Hello Andreas,
Do you have any plan to allow for more than one IKE_SA between two peers? This
may help for enhanced QoS class management.
Best Regards
Mugur
-Original Message-
From: Andreas Steffen [mailto:andreas.stef...@strongswan.org]
Sent: Saturday 26 December 2009 18:59
To: ABULIUS,
Dear friends,
I invested in several Omnikey 3121 CardMan USB readers
and I started a HOWTO about smartcards:
http://wiki.strongswan.org/wiki/strongswan/SmartCards
The HOWTO is based on a previous HOWTO (see acknowledgments).
Here are my questions:
* I would like to invest in a secure reader