-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Hello Tarik,
No, you can just set one secret for all IKEv1 connections and then use different IDs for your different tunnels. For IKEv2, you can do it the same way as for IKEv1, but use different secrets. Why do you want different IKE SAs with IKEv2? You can have a virtually unlimited number of CHILD SAs for each IKE SA in IKEv2. Mit freundlichen Grüßen/Regards, Noel Kuntze GPG Key ID: 0x63EC6658 Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658 Am 07.01.2015 um 11:44 schrieb Tarik Demirci: > Hi Everyone, > > I have the requirement to establish multiple IKE-SA's between two > endpoints using pre-shared keys. My questions are: > > - Is it possible to do this with IKEv1? Wiki says secrets may become a > problem. Would it cause other problems if I use the same secret for > each IKE-SA? > Wiki says: "When using IKEv1 an additional complexity arises in the > case of authentication by preshared secret: the responder will need to > look up the secret before the Peer's ID payload has been decoded, so > the ID used will be the IP address."[1] > > - What is the best practice when using IKEv2? I think using different > left and rightids for each IKE-SA is way to go but I wonder if it's > appropriate to use ids for this purpose (I mean same endpoints). > > - Is there any caveat I should be aware of in this type of > configuration (both for IKEv1 and IKEv2)? > > Any help in this regard is appreciated. > > > > Regards, > Tarik. > > > [1] https://wiki.strongswan.org/projects/strongswan/wiki/IpsecSecrets -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBCAAGBQJUrZmUAAoJEDg5KY9j7GZYsacP/RZaNwLCtlQvXxECI7cnusXX i4yBZA5U0Ry6GABsaPB90kTpXC+T4MYk6BzJlCUO4DGWMLHtXEnoNn2/IdB9R+uu 0p13w7vhpjrPw138U/ftzD8gnvmasACdGn618jtgIqcZ1TBi5cGVVJM+F+uq12L9 2KISXnBqPUChQtIFAWzW48Oc+jr8dEWkj6zLctn38r1HTqPp9xaFtsaddp0Xud61 2KBz6czX34Uyq/b5XClQleL5l/TWN8RGeds7pPyEeKpgewFxdMcSZS+P3lksovle cNJ/i/VJbogsmZURWBavGiaxkWESY5jz21wx+GrplArrFJ6cBytHedtHlXSB0LUq +KqAVyV8opzskvuoiDMVMx4FUlliZ1Ve+20/403N8HeFhT9yZRGPAJ8Xx3tLODfP U5POhoY9AkXDf4Q+ZENYRsXRtIy/UpDbPFX8bbVgm9wgyFE3/gfRZbzhdZwWonl5 EmyHD6IqT8oJLx92LmgJDH8iqBQjVf6YPN0L7gm6Vc8STesxmgCn65NzvOU91o+W /t2XmgwMhaa4rSFx+fXmahjEpLHKoS7ZKbX+ZEh5v6qbMADPG7joUoq7BQUI0fxY TEGVmg/0LD6tcDuEbJZ0s06LTbVTmSSnRWS4ImgV6NMg4YENnnc+/sll0VaXMUdj 1SRofnSbnnW2gLkZlwPl =yzxe -----END PGP SIGNATURE----- _______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
