Hello Andreas,

Thank you for your help.

From your answer I conclude that between two peers at most one IKE_SA (= at most one IPsec tunnel) can be created regardless of how multiple "conn" directives are specified (with or without %default or 'also=').

I don't really understand the asymmetry of values for leftprotoport=tcp and rightprotoport=tcp/http in your example. My understanding of the example is that all tcp packets from local (=left) to remote (=right) are tunneled but only http packets from remote to local are tunneled. Is my assumption correct? In this case, which data flows (subnets and protos) are exactly protected by the first CHILD_SA and which by the second CHILD_SA?

Best Regards
Mugur

-----Original Message-----
From: Andreas Steffen [mailto:[email protected]]
Sent: Saturday 26 December 2009 14:48
To: ABULIUS, MUGUR (MUGUR)
Cc: [email protected]
Subject: Re: [strongSwan] Several TS on a same connection

Hello Mugur,

it does not matter if you define each tunnel between two peers independently or if you use conn %default or an also= construct to save typing work. All tunnels, i.e. definitions of traffic selectors, are grouped under the same IKE_SA which is going to be established between the two peers.

The IKEv2 charon daemon allows the enumeration of several traffic selectors for the same CHILD_SA using left|rightsubnet:

  leftsubnet=10.1.0.0/16,10.3.0.0/16
  rightsubnet=10.2.0.0/16,10.4.0.0/16

will establish the following four IPsec SAs with a single CHILD_SA:

  10.1.0.0/16 - 10.2.0.0/16
  10.1.0.0/16 - 10.4.0.0/16
  10.3.0.0/16 - 10.2.0.0/16
  10.3.0.0/16 - 10.4.0.0/16

Currently traffic selectors with protocol/port restrictions using the left|rightprotoport parameters cannot be grouped together in a single CHILD_SA. You will have to define a separate conn description for each protocol/port combination, resulting in a separate CHILD_SA exchange. Thus the example

  conn net-net
       also=host-host
       leftsubnet=10.1.0.0/16,10.3.0.0/16
       rightsubnet=10.2.0.0/16,10.4.0.0/16
       auto=start

  conn proto1
       also=host-host
       leftsubnet=10.5.0.0/16
       rightsubnet=10.5.0.0/16
       leftprotoport=tcp
       rightprotoport=tcp/http
       auto=start

  conn proto2
       also=host-host
       leftsubnet=10.5.0.0/16
       rightsubnet=10.5.0.0/16
       leftprotoport=tcp
       rightprotoport=tcp/smtp
       auto=start

  conn host-host
       left=<IP address of left>
       right=<IP address of right>

would create six IPsec SAs between left and right, using a primary IKE_AUTH and two additional CHILD_SA exchanges.

Best regards

Andreas

ABULIUS, MUGUR (MUGUR) wrote:
> Hello,
>
> I looked at the strongSwan connection parameters
> (http://wiki.strongswan.org/wiki/1/ConnSection) and I am not sure how
> to define several tunnels between the same endpoints, each tunnel with
> several traffic selectors.
>
> In my understanding an independent tunnel is defined by a "conn
> <name>" directive with the condition that its body does not contain an
> "also = <section name>" directive.
>
> Now, I want, for each tunnel, to include several traffic selectors;
> i.e. several "left|rightprotoport = <protocol>/<port>" and several
> "left|rightsubnet = <ip subnet>".
>
> Moreover I want to combine traffic selectors in a specific way for a
> same connection. For example to specify somehow
>
> leftprotoport=icmp ONLY for leftsubnet= 192.168.10.0/24 and
> leftprotoport=UDP ONLY for leftsubnet= 172.16.10.0/24
>
> Can you please specify all the possibilities of using the IKEv2
> extended traffic selector concept with strongSwan.
>
> Thank you
> Mugur

======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
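The two rules Andreas states (all left|rightsubnet combinations of one conn share a single CHILD_SA; every conn with left|rightprotoport restrictions is negotiated as its own CHILD_SA) make it easy to miscount what a configuration will actually protect. The script below is an added illustration, not strongSwan code and not part of this thread: it parses the conn sections from Andreas's example, flattens the also= references, and enumerates the resulting IPsec SA pairs so the six SAs in three CHILD_SAs under one IKE_SA can be checked before deployment. The peer addresses 192.0.2.1 and 198.51.100.1 stand in for the "<IP address of ...>" placeholders, the SERVICES table is a tiny stand-in for /etc/services so it runs offline, and port 0 is this script's own way of writing "any port" (assumptions, not strongSwan conventions). Each selector tuple keeps the port restriction on the side it is configured on; a CHILD_SA covers both directions between its two selectors.

```python
"""Dry-run enumerator for the IPsec SAs a set of strongSwan ipsec.conf
'conn' sections will negotiate, following the two rules from Andreas's
reply: every left|rightsubnet combination of one conn shares a single
CHILD_SA, while each conn carrying left|rightprotoport restrictions
costs its own CHILD_SA.  Illustrative code, not part of strongSwan."""
import ipaddress
from itertools import product

# Constructed sample: the conn sections from the message, with the
# "<IP address of ...>" placeholders replaced by documentation addresses.
SAMPLE_CONF = """\
conn host-host
    left=192.0.2.1
    right=198.51.100.1

conn net-net
    also=host-host
    leftsubnet=10.1.0.0/16,10.3.0.0/16
    rightsubnet=10.2.0.0/16,10.4.0.0/16
    auto=start

conn proto1
    also=host-host
    leftsubnet=10.5.0.0/16
    rightsubnet=10.5.0.0/16
    leftprotoport=tcp
    rightprotoport=tcp/http
    auto=start

conn proto2
    also=host-host
    leftsubnet=10.5.0.0/16
    rightsubnet=10.5.0.0/16
    leftprotoport=tcp
    rightprotoport=tcp/smtp
    auto=start
"""

# Small stand-in for /etc/services so the script runs offline (assumption).
SERVICES = {"http": 80, "https": 443, "smtp": 25, "ssh": 22}


def parse_conf(text):
    """Parse 'conn <name>' sections into {name: {key: value}}."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns


def resolve(conns, name, seen=()):
    """Flatten also= references; the referencing conn's own keys win."""
    section = conns[name]
    merged = {}
    target = section.get("also")
    if target and target not in seen:
        merged.update(resolve(conns, target, seen + (name,)))
    merged.update({k: v for k, v in section.items() if k != "also"})
    return merged


def parse_protoport(spec):
    """'tcp' -> ('tcp', 0): any port; 'tcp/http' -> ('tcp', 80).
    Port 0 is this script's wildcard for an unrestricted selector."""
    if not spec:
        return ("any", 0)
    proto, _, port = spec.partition("/")
    if port in ("", "%any"):
        return (proto, 0)
    return (proto, int(port) if port.isdigit() else SERVICES[port])


def enumerate_sas(conns):
    """Return one (conn, left_selector, right_selector) tuple per IPsec SA
    pair.  A selector is (subnet, protocol, port); the port restriction
    stays on the side it is configured on, and the SA covers both
    directions between the two selectors."""
    sas = []
    for name in conns:
        c = resolve(conns, name)
        if "leftsubnet" not in c or "rightsubnet" not in c:
            continue  # peer-only template such as host-host
        lproto, lport = parse_protoport(c.get("leftprotoport", ""))
        rproto, rport = parse_protoport(c.get("rightprotoport", ""))
        lnets = [str(ipaddress.ip_network(n)) for n in c["leftsubnet"].split(",")]
        rnets = [str(ipaddress.ip_network(n)) for n in c["rightsubnet"].split(",")]
        for left, right in product(lnets, rnets):
            sas.append((name, (left, lproto, lport), (right, rproto, rport)))
    return sas


def child_sa_count(sas):
    """Each conn that contributes SAs is negotiated as its own CHILD_SA."""
    return len({name for name, _, _ in sas})


if __name__ == "__main__":
    sas = enumerate_sas(parse_conf(SAMPLE_CONF))
    for name, left, right in sas:
        print(f"{name:8} {left} <-> {right}")
    print(f"{len(sas)} IPsec SAs in {child_sa_count(sas)} CHILD_SAs under 1 IKE_SA")
```

Reading the proto1 entry it emits, the left selector is 10.5.0.0/16 with any TCP port and the right selector is 10.5.0.0/16 restricted to TCP port 80, which is the usual shape for clients on the left reaching HTTP servers on the right; swapping the two protoport values would instead protect servers on the left. Running an enumerator like this against a config file before auto=start is a cheap way to confirm that no flow is left outside a tunnel, and that overlapping conns (here proto1 and proto2 share the same subnets) are separated only by port as intended.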
