Hi all,
I use "Linux strongSwan U5.5.3/K3.16.0-4-amd64". I have two connection definitions with 2 child SAs each. The first one comes from ipsec.conf, the second is created via VICI:

root@ipsec-gw:/usr/local/src# swanctl --list-conns
default_cert1: IKEv2, reauthentication every 3420s, no rekeying
  local:  %any
  remote: %any
  local public key authentication:
    id: u2agw.u2a.xyz
  remote public key authentication:
  default_cert1: TUNNEL, rekeying every 1020s
    local:  10.11.0.0/16
    remote: dynamic
  default_cert: TUNNEL, rekeying every 1020s
    local:  10.10.0.0/16
    remote: dynamic
defautVici: IKEv2, no reauthentication, no rekeying
  local:  161.106.240.155
  remote: %any
  local public key authentication:
    id: u2agw.u2a.xyz
  remote EAP_RADIUS authentication:
    eap_id: %any
  child1: TUNNEL, rekeying every 100s
    local:  1.1.1.1/32 10.0.0.0/8
    remote: dynamic
  child2: TUNNEL, rekeying every 100s
    local:  2.2.2.5/32
    remote: dynamic

I set up tunnels and I observe that there is only one child SA for each connection: one is not missing.

root@ipsec-gw:/usr/local/src# swanctl --list-sas
default_cert1: #6, ESTABLISHED, IKEv2, 9ced70a70cbacaea_i 394dc6781ed773a6_r*
  local  'u2agw.u2a.xyz' @ 161.106.240.155[4500]
  remote 'CN=max.min, OU=u2aUsers, DC=u2a, DC=xyz' @ 161.106.240.156[47841] [10.11.12.162]
  AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
  established 6s ago, reauth in 3336s
  default_cert1: #5, reqid 3, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-128/HMAC_SHA2_256_128
    installed 5s ago, rekeying in 889s, expires in 1195s
    in  c3d7921a,    336 bytes,     4 packets,     0s ago
    out e7757320,    336 bytes,     4 packets,     0s ago
    local  10.11.0.0/16
    remote 10.11.12.162/32
defautVici: #4, ESTABLISHED, IKEv2, 927ad63611b5b535_i f7a4b615d62bfcd6_r*
  local  'u2agw.u2a.xyz' @ 161.106.240.155[4500]
  remote 'joe.bar' @ 161.106.240.156[42859] [10.11.12.151]
  AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
  established 11s ago
  child1: #4, reqid 2, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-128/HMAC_SHA2_256_128
    installed 10s ago, rekeying in 80s, expires in 100s
    in  c53f5289,      0 bytes,     0 packets
    out d0249916,      0 bytes,     0 packets
    local  1.1.1.1/32 10.0.0.0/8
    remote 10.11.12.151/32

From the documentation and mail exchanges on the list, I understand that the strongSwan GW is supposed to handle multiple child SAs. Am I missing something, or could this be a kind of bug in the latest versions?

Thanks,
Régis
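An added example (not from the post and not strongSwan's own code) that automates the comparison Régis made by hand: it parses the two swanctl listings and reports, per established IKE_SA, which configured children have no INSTALLED CHILD_SA. The line patterns are assumptions drawn from the output quoted above, and the sample input is a constructed, trimmed copy of that output.

```python
import re

# Line shapes taken from the swanctl output quoted above (an assumption based on
# that output, not a documented grammar): top-level entries are unindented,
# their children are indented by two spaces.
PATTERNS = {
    "conns": (re.compile(r"^(\S+): IKEv[12],"),
              re.compile(r"^  (\S+): (?:TUNNEL|TRANSPORT|BEET|PASS|DROP),")),
    "sas":   (re.compile(r"^(\S+): (#\d+), "),
              re.compile(r"^  (\S+): #\d+, reqid \d+, INSTALLED,")),
}

def parse(text, kind):
    """Map 'conn' (conns) or 'conn #N' (sas) -> list of child names under it."""
    top_re, child_re = PATTERNS[kind]
    result, cur = {}, None
    for line in text.splitlines():
        if m := top_re.match(line):
            cur = " ".join(m.groups())
            result.setdefault(cur, [])
        elif cur and (m := child_re.match(line)):
            result[cur].append(m.group(1))
    return result

def missing_children(conns_text, sas_text):
    """Per established IKE_SA, configured children that have no INSTALLED CHILD_SA."""
    conns = parse(conns_text, "conns")
    return {ike: [c for c in conns.get(ike.split()[0], []) if c not in kids]
            for ike, kids in parse(sas_text, "sas").items()}

# Constructed sample input, trimmed from the output in the post.
CONNS = """\
default_cert1: IKEv2, reauthentication every 3420s, no rekeying
  local public key authentication:
  default_cert1: TUNNEL, rekeying every 1020s
    local:  10.11.0.0/16
  default_cert: TUNNEL, rekeying every 1020s
defautVici: IKEv2, no reauthentication, no rekeying
  child1: TUNNEL, rekeying every 100s
  child2: TUNNEL, rekeying every 100s
"""
SAS = """\
default_cert1: #6, ESTABLISHED, IKEv2, 9ced70a70cbacaea_i 394dc6781ed773a6_r*
  local  'u2agw.u2a.xyz' @ 161.106.240.155[4500]
  default_cert1: #5, reqid 3, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-128/HMAC_SHA2_256_128
defautVici: #4, ESTABLISHED, IKEv2, 927ad63611b5b535_i f7a4b615d62bfcd6_r*
  child1: #4, reqid 2, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-128/HMAC_SHA2_256_128
"""

if __name__ == "__main__":
    print(missing_children(CONNS, SAS))  # {'default_cert1 #6': ['default_cert'], 'defautVici #4': ['child2']}
```

A child listed as missing is not by itself a bug: IKE_AUTH negotiates only the first CHILD_SA, and further ones have to be initiated separately (for example with swanctl --initiate --child <name>) or by the peer.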