Hi,

> Can it be said that each strongSwan "conn" definition always results
> in at least one kernel SA pair?  

Yes.

> wondering if there is ever a case where strongSwan uses this technique
> of mapping multiple kernel policies to the same kernel SA pair when
> the kernel policies are the result of separate strongSwan "conn"
> definitions.

No, each conn definition results in a SA pair, the associated policies
use the SAs originating from the same conn definition. The reqid
parameter (as seen in ip xfrm state/policy, or the number between {} in
ipsec statusall) is used to map policies to SAs and vice versa.

Regards
Martin
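
The reqid mapping described in the reply above can be checked by grouping kernel SAs and policies by reqid. This is an added example, not part of the original message or strongSwan code; the function names are hypothetical and the sample text is constructed in the layout of `ip xfrm state` and `ip xfrm policy` output.

```python
import re
from collections import defaultdict
# Constructed samples in `ip xfrm state` / `ip xfrm policy` layout (key lines omitted).
STATE = """\
src 192.0.2.1 dst 198.51.100.1
\tproto esp spi 0xc0000001 reqid 1 mode tunnel
src 198.51.100.1 dst 192.0.2.1
\tproto esp spi 0xc0000002 reqid 1 mode tunnel
"""
POLICY = """\
src 10.1.0.0/16 dst 10.2.0.0/16
\tdir out priority 1859
\ttmpl src 192.0.2.1 dst 198.51.100.1
\t\tproto esp reqid 1 mode tunnel
src 10.2.0.0/16 dst 10.1.0.0/16
\tdir in priority 1859
\ttmpl src 198.51.100.1 dst 192.0.2.1
\t\tproto esp reqid 1 mode tunnel
src 10.1.0.0/16 dst 10.9.0.0/16
\tdir out priority 1859
\ttmpl src 192.0.2.1 dst 203.0.113.9
\t\tproto esp reqid 7 mode tunnel
"""

def entries(text):
    """Join each entry (unindented line plus its indented lines) into one string."""
    out = []
    for line in text.splitlines():
        if line.strip() and not line[0].isspace():
            out.append(line.strip())
        elif out and line.strip():
            out[-1] += " " + line.strip()
    return out

def by_reqid(state, policy):
    """Group SA SPIs and policy selectors under the reqid that links them."""
    m = defaultdict(lambda: {"spis": [], "policies": []})
    for e in entries(state):
        s = re.search(r"\bspi (0x[0-9a-f]+).*?\breqid (\d+)", e)
        if s:
            m[int(s.group(2))]["spis"].append(s.group(1))
    for e in entries(policy):
        p = re.match(r"src (\S+) dst (\S+).*?\bdir (\w+).*?\breqid (\d+)", e)
        if p:
            m[int(p.group(4))]["policies"].append("%s %s -> %s" % p.group(3, 1, 2))
    return dict(m)

def without_sa(m):
    """reqids named by a policy template but absent from the state dump."""
    return sorted(r for r, v in m.items() if v["policies"] and not v["spis"])
```

In the constructed sample, reqid 1 ties two policies to one SA pair, while reqid 7 has a policy but no SA in the state dump.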
