Hi,

> Can it be said that each strongSwan "conn" definition always results
> in at least one kernel SA pair?

Yes.

> wondering if there is ever a case where strongSwan uses this technique
> of mapping multiple kernel policies to the same kernel SA pair when
> the kernel policies are the result of separate strongSwan "conn"
> definitions.

No, each conn definition results in a SA pair; the associated policies
use the SAs originating from the same conn definition. The reqid
parameter (as seen in ip xfrm state/policy, or the number between {} in
ipsec statusall) is used to map policies to SAs and vice versa.

Regards
Martin
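The reqid mapping described in the reply above can be checked by grouping `ip xfrm state` and `ip xfrm policy` output by reqid. This is an added example, not part of the original message or of strongSwan; the sample text is constructed and abridged, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed, abridged sample in the layout of `ip xfrm state` / `ip xfrm policy`;
# addresses, SPIs and reqids are invented, key material and counters are omitted.
XFRM_STATE = """\
src 192.0.2.1 dst 198.51.100.1
    proto esp spi 0xc0000001 reqid 1 mode tunnel
src 198.51.100.1 dst 192.0.2.1
    proto esp spi 0xc0000002 reqid 1 mode tunnel
src 192.0.2.1 dst 203.0.113.9
    proto esp spi 0xc0000003 reqid 2 mode tunnel
src 203.0.113.9 dst 192.0.2.1
    proto esp spi 0xc0000004 reqid 2 mode tunnel
"""
XFRM_POLICY = """\
src 10.1.0.0/24 dst 10.2.0.0/24
    dir out priority 375423
    tmpl src 192.0.2.1 dst 198.51.100.1
        proto esp reqid 1 mode tunnel
src 10.1.0.0/24 dst 10.3.0.0/24
    dir out priority 375423
    tmpl src 192.0.2.1 dst 203.0.113.9
        proto esp reqid 2 mode tunnel
src 10.1.0.0/24 dst 10.9.0.0/24
    dir out priority 375423
    tmpl src 192.0.2.1 dst 203.0.113.77
        proto esp reqid 7 mode tunnel
"""

def records(text):
    """Each record starts at an unindented line; flatten it to one string."""
    return [" ".join(r.split()) for r in re.split(r"\n(?=\S)", text.strip())]

def by_reqid(state_text, policy_text):
    """Group SA SPIs and policy selectors under the reqid they carry."""
    table = defaultdict(lambda: {"sas": [], "policies": []})
    for rec in records(state_text):
        m = re.search(r"spi (0x[0-9a-f]+) reqid (\d+)", rec)
        if m:
            table[int(m.group(2))]["sas"].append(m.group(1))
    for rec in records(policy_text):
        sel = re.match(r"src (\S+) dst (\S+)", rec)
        m = re.search(r"reqid (\d+)", rec)
        if sel and m:
            table[int(m.group(1))]["policies"].append(f"{sel.group(1)} -> {sel.group(2)}")
    return dict(table)

def policies_without_sa(table):  # reqids named by a policy but carried by no SA
    return sorted(r for r, v in table.items() if v["policies"] and not v["sas"])
```

On a live host the two strings would be replaced with the real command output, read with root privileges.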