ABULIUS, MUGUR (MUGUR) wrote:
> Hello Andreas,
> 
> Thank you for your help.
> 
> From your answer I conclude that between two peers at most one IKE_SA
> (= at most one IPsec tunnel) can be created regardless how multiple
> "conn" directives are specified (with or without %default or
> 'also=').
>
Yes, this is true. But you can execute e.g.

   ipsec up net-net

several times and multiple IPsec SAs for the same traffic selectors
are created. Usually only the last-created SA is actually used for
traffic, though. One of our pending projects intends to create multiple
tunnels for different QoS classes but this would require some
fundamental changes in the Linux kernel.

> I don't really understand the asymmetry of values for
> leftprotoport=tcp and rightprotoport=tcp/http in your example. My
> understanding of the example is that all tcp packets from local
> (=left) to remote (=right) are tunneled but only http packets from
> remote to local are tunneled. Is my assumption correct?
>
The explanation is quite simple: If an application wants to
reach a service under a well-known port (e.g. 80 for http or 25
for smtp) then the source port will be an arbitrary higher port
which we cannot predict. Therefore we include all possible TCP or
UDP ports since port range restrictions are not currently supported
by the Linux kernel.

> In this case which data flows (subnets and protos) are exactly
> protected by the first CHILD_SA and which by the second CHILD_SA?
>
The first CHILD_SA would set up the IPsec SA for the following
policy:

  10.5.0.0/16[tcp/0] .. 10.6.0.0/16[tcp/http]

and the second:

  10.5.0.0/16[tcp/0] .. 10.6.0.0/16[tcp/smtp]

Actually there was a copy-and-paste error in my previous email.
rightsubnet was supposed to be 10.6.0.0/16.

Best regards

Andreas

> Best Regards Mugur
> 
> 
> -----Original Message-----
> From: Andreas Steffen [mailto:[email protected]]
> Sent: Saturday 26 December 2009 14:48
> To: ABULIUS, MUGUR (MUGUR)
> Cc: [email protected]
> Subject: Re: [strongSwan] Several TS on a same connection
> 
> Hello Mugur,
> 
> it does not matter if you define each tunnel between two peers
> independently or if you use conn %default or an also= construct to
> save typing work. All tunnels, i.e. a definition of traffic selectors
> are grouped under the same IKE_SA which is going to be established
> between the two peers.
> 
> The IKEv2 charon daemon allows the enumeration of several traffic
> selectors for the same CHILD_SA using left|rightsubnet:
> 
> leftsubnet=10.1.0.0/16,10.3.0.0/16 
> rightsubnet=10.2.0.0/16,10.4.0.0/16
> 
> will establish the following four IPsec SAs with a single CHILD_SA:
> 
> 10.1.0.0/16 - 10.2.0.0/16
> 10.1.0.0/16 - 10.4.0.0/16
> 10.3.0.0/16 - 10.2.0.0/16
> 10.3.0.0/16 - 10.4.0.0/16
> 
> Currently traffic selectors with protocol/port restrictions using the
> left|rightprotoport parameters cannot be grouped together in a single
> CHILD_SA. You will have to define a separate conn description for
> each protocol/port combination resulting in a separate CHILD_SA
> exchange. Thus the example
> 
> conn net-net
>     also=host-host
>     leftsubnet=10.1.0.0/16,10.3.0.0/16
>     rightsubnet=10.2.0.0/16,10.4.0.0/16
>     auto=start
> 
> conn proto1
>     also=host-host
>     leftsubnet=10.5.0.0/16
>     rightsubnet=10.5.0.0/16
>     leftprotoport=tcp
>     rightprotoport=tcp/http
>     auto=start
> 
> conn proto2
>     also=host-host
>     leftsubnet=10.5.0.0/16
>     rightsubnet=10.5.0.0/16
>     leftprotoport=tcp
>     rightprotoport=tcp/smtp
>     auto=start
> 
> conn host-host
>     left=<IP address of left>
>     right=<IP address of right>
> 
> would create six IPsec SAs between left and right, using a primary
> IKE_AUTH and two additional CHILD_SA exchanges.
> 
> Best regards
> 
> Andreas
> 
> ABULIUS, MUGUR (MUGUR) wrote:
>> Hello,
>> 
>> I looked at the strongSwan connection parameters
>> (http://wiki.strongswan.org/wiki/1/ConnSection) and I am not sure
>> how to define several tunnels between the same endpoints, each
>> tunnel with several traffic selectors.
>> 
>> In my understanding an independent tunnel is defined by a "conn 
>> <name>" directive with the condition that its body does not contain
>> an "also = <section name>" directive.
>> 
>> Now I want, for each tunnel, to include several traffic selectors;
>> i.e. several "left|rightprotoport = <protocol>/<port>" and several
>> "left|rightsubnet = <ip subnet>".
>> 
>> Moreover I want to combine traffic selectors in a specific way for
>> a same connection. For example to specify somehow
>> 
>> leftprotoport=icmp ONLY for leftsubnet= 192.168.10.0/24 and 
>> leftprotoport=UDP ONLY for leftsubnet= 172.16.10.0/24
>> 
>> Can you please specify all the possibilities of using the
>> IKEv2 extended traffic selector concept with strongSwan?
>> 
>> Thank you Mugur

======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
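As an added example (not code from this thread or from strongSwan itself), the following Python reads conn sections in ipsec.conf syntax, resolves also= references and expands comma-separated left|rightsubnet lists into the per-CHILD_SA policies described above, so the policy set an administrator expects can be checked against what the kernel actually installs (e.g. the output of `ip xfrm policy`). The peer addresses are constructed, and the proto1/proto2 rightsubnet is assumed to be the corrected 10.6.0.0/16.

```python
# Constructed ipsec.conf mirroring the thread's example (rightsubnet corrected to 10.6.0.0/16).
IPSEC_CONF = """
conn host-host
    left=192.0.2.1
    right=198.51.100.1
conn net-net
    also=host-host
    leftsubnet=10.1.0.0/16,10.3.0.0/16
    rightsubnet=10.2.0.0/16,10.4.0.0/16
conn proto1
    also=host-host
    leftsubnet=10.5.0.0/16
    rightsubnet=10.6.0.0/16
    leftprotoport=tcp
    rightprotoport=tcp/http
conn proto2
    also=host-host
    leftsubnet=10.5.0.0/16
    rightsubnet=10.6.0.0/16
    leftprotoport=tcp
    rightprotoport=tcp/smtp
"""

def parse_conns(text):
    """Return {conn name: {key: value}} for every 'conn' section (ipsec.conf syntax)."""
    conns, cur = {}, None
    for line in text.splitlines():
        if line.startswith("conn "):
            cur = conns.setdefault(line.split()[1], {})
        elif cur is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            cur[key.strip()] = value.strip()
    return conns

def resolve(conns, name):
    """Flatten an also= chain; the referencing conn's own keys override the referenced conn's."""
    own = dict(conns[name])
    return {**(resolve(conns, own.pop("also")) if "also" in own else {}), **own}

def selector(subnet, protoport):
    """Render as in the thread: no protoport -> bare subnet, 'tcp' -> [tcp/0], 'tcp/http' kept."""
    proto, _, port = (protoport or "").partition("/")
    return f"{subnet}[{proto}/{port or '0'}]" if proto else subnet

def policies(conns, name):
    """One IPsec policy per (leftsubnet x rightsubnet) pair; all pairs ride one CHILD_SA."""
    c = resolve(conns, name)
    return [f"{selector(l, c.get('leftprotoport'))} .. {selector(r, c.get('rightprotoport'))}"
            for l in c["leftsubnet"].split(",") for r in c["rightsubnet"].split(",")]
```

Summing the policy lists of net-net, proto1 and proto2 gives the six IPsec SAs the thread counts, one list (and one CHILD_SA exchange) per conn.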



_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users