Thank you Dirk for your answer. But what about IKEv1 connections? I think using multiple subnets in one connection is acceptable in IKEv2. If I'm wrong, correct me please.
I have used "reuse_ikesa = no" for a while and have had no problems, but in the last week I started to work with the heartbeat service from linux-ha, and on failover, after I bring up the virtual IP address related service (which I have written) for ipsec, I had a few problems bringing up some tunnels. But when I use "reuse_ikesa = yes", the problems are solved.

Best regards
Ali

On Mon, Jan 7, 2013 at 2:52 PM, Dirk Hartmann <[email protected]> wrote:
> Hi Ali,
>
> --On Monday, January 07, 2013 02:39:55 PM +0330 Ali Masoudi
> <[email protected]> wrote:
>
>> I have a simple question, and I would be grateful if anyone could
>> answer it.
>>
>> If we want to establish multiple tunnels between two endpoints, is it
>> recommended to use "reuse_ikesa = no" option in strongswan.conf.
>>
>> I figured it in my tests that it is better to use the default config.
>> Am I right? What is the application of reuse_ikesa option? Thanks a
>> lot.
>
> if you set reuse_ikesa = no there will be a new IKE_SA for every
> CHILD_SA.
>
> Normally it is ok to have one IKE_SA with more CHILD_SAs.
> Handling is a little bit easier if you want to stop/start single
> CHILD_SAs.
>
> Do the different tunnels run to the same net on one side? Then you
> could enable them in a single tunnel.
> Example:
> rightsubnet= 192.168.1.0/25
> leftsubnet=10.0.0.0/8,172.16.1.0/24,172.16.2.0/24,172.31.0.0/16
>
> Best Regards
> Dirk
>
>
> _______________________________________________
> Users mailing list
> [email protected]
> https://lists.strongswan.org/mailman/listinfo/users
