Hello Mugur,
it does not matter if you define each tunnel between two
peers independently or if you use a conn %default or an also=
construct to save typing work. All tunnels, i.e. definitions
of traffic selectors, are grouped under the same IKE_SA
which is going to be established between the two peers.
The IKEv2 charon daemon allows the enumeration of several
traffic selectors for the same CHILD_SA using left|rightsubnet:
    leftsubnet=10.1.0.0/16,10.3.0.0/16
    rightsubnet=10.2.0.0/16,10.4.0.0/16
will establish the following four IPsec SAs with a single CHILD_SA:
    10.1.0.0/16 - 10.2.0.0/16
    10.1.0.0/16 - 10.4.0.0/16
    10.3.0.0/16 - 10.2.0.0/16
    10.3.0.0/16 - 10.4.0.0/16
Currently, traffic selectors with protocol/port restrictions
using the left|rightprotoport parameters cannot be
grouped together in a single CHILD_SA. You will have to define
a separate conn description for each protocol/port combination,
resulting in a separate CHILD_SA exchange. Thus the example
conn net-net
    also=host-host
    leftsubnet=10.1.0.0/16,10.3.0.0/16
    rightsubnet=10.2.0.0/16,10.4.0.0/16
    auto=start

conn proto1
    also=host-host
    leftsubnet=10.5.0.0/16
    rightsubnet=10.5.0.0/16
    leftprotoport=tcp
    rightprotoport=tcp/http
    auto=start

conn proto2
    also=host-host
    leftsubnet=10.5.0.0/16
    rightsubnet=10.5.0.0/16
    leftprotoport=tcp
    rightprotoport=tcp/smtp
    auto=start

conn host-host
    left=<IP address of left>
    right=<IP address of right>
would create six IPsec SAs between left and right, using a primary
IKE_AUTH and two additional CHILD_SA exchanges.
Best regards
Andreas
ABULIUS, MUGUR (MUGUR) wrote:
> Hello,
>
> I looked at the strongSwan connection parameters
> (http://wiki.strongswan.org/wiki/1/ConnSection) and I am not sure how
> to define several tunnels between the same endpoints, each tunnel
> with several traffic selectors.
>
> In my understanding an independent tunnel is defined by a "conn
> <name>" directive with the condition that its body does not contain
> an "also = <section name>" directive.
>
> Now I want, for each tunnel, to include several traffic selectors,
> i.e. several "left|rightprotoport = <protocol>/<port>" and several
> "left|rightsubnet = <ip subnet>".
>
> Moreover, I want to combine traffic selectors in a specific way for
> the same connection. For example, to specify somehow
>
> leftprotoport=icmp ONLY for leftsubnet= 192.168.10.0/24 and
> leftprotoport=UDP ONLY for leftsubnet= 172.16.10.0/24
>
> Can you please specify all the possibilities of using the IKEv2
> extended traffic selector concept with strongSwan?
>
> Thank you,
> Mugur
======================================================================
Andreas Steffen [email protected]
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
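The grouping rule from the reply above, as an added worked example that is not part of the thread or of strongSwan itself: a small parser for the ipsec.conf conn sections in the reply that resolves also= chains and then lists, per started conn, the IPsec SAs its single CHILD_SA carries (every leftsubnet paired with every rightsubnet, each tagged with its protoport). The conf text and the 192.0.2.x addresses are constructed stand-ins for the placeholders in the reply; the parser handles only conn sections and also=, not config setup or %default.

```python
# Constructed ipsec.conf fragment mirroring the conns in the reply (placeholder addresses).
SAMPLE_CONF = """conn net-net
    also=host-host
    leftsubnet=10.1.0.0/16,10.3.0.0/16
    rightsubnet=10.2.0.0/16,10.4.0.0/16
    auto=start
conn proto1
    also=host-host
    leftsubnet=10.5.0.0/16
    rightsubnet=10.5.0.0/16
    leftprotoport=tcp
    rightprotoport=tcp/http
    auto=start
conn proto2
    also=host-host
    leftsubnet=10.5.0.0/16
    rightsubnet=10.5.0.0/16
    leftprotoport=tcp
    rightprotoport=tcp/smtp
    auto=start
conn host-host
    left=192.0.2.1
    right=192.0.2.2
"""

def parse_conns(text):
    """Collect 'conn <name>' sections as {name: {key: value}}."""
    conns, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith('conn '):
            current = conns.setdefault(line.split()[1], {})
        elif current is not None and '=' in line:
            key, _, val = line.partition('=')
            current[key.strip()] = val.strip()
    return conns

def resolve(conns, name):
    """Flatten an also= chain; the conn's own keys override the included section's."""
    own = dict(conns[name])
    return {**(resolve(conns, own.pop('also')) if 'also' in own else {}), **own}

def child_sas(text):
    """IPsec SAs per started conn: one CHILD_SA carrying every left/right selector pair."""
    conns, sas = parse_conns(text), {}
    for name, c in ((n, resolve(conns, n)) for n in conns):
        if c.get('auto') == 'start':  # host-host has no auto= and is only a template
            lts = [(s, c.get('leftprotoport', 'any')) for s in c.get('leftsubnet', c['left']).split(',')]
            rts = [(s, c.get('rightprotoport', 'any')) for s in c.get('rightsubnet', c['right']).split(',')]
            sas[name] = [(l, r) for l in lts for r in rts]
    return sas
```

Running `child_sas(SAMPLE_CONF)` yields three CHILD_SAs (net-net, proto1, proto2) carrying 4 + 1 + 1 = 6 IPsec SAs, matching the count in the reply; the proto1 and proto2 pairs differ only in their rightprotoport, which is exactly why they cannot share a CHILD_SA.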