
IPsec from native KAME in 2.6 kernel to FreeS/WAN on 2.4


I have a central security gateway ("server") running FreeS/WAN v2.06 and
a number of client security gateways running the same FreeS/WAN.
Between the server and the client gateways there is more than one tunnel
with the same endpoints. For example, in the scheme

net1/24 == gw1 ... gw2 == (serv1 & serv2)

I have two tunnels: net1/24 <-> serv1 and net1/24 <-> serv2, both with the
same endpoints, gw1 and gw2.

When FreeS/WAN starts these connections it creates an "IPsec SA" *for*
*each* of them and then works with those. I think this is an implementation feature.

But native 2.6 IPsec uses one common "IPsec SA" for all tunnels sharing the
same endpoint IPs and policies. And when I use Linux 2.6 with KAME on a
client gateway, only the first IPsec connection works as expected. Racoon and
Pluto set up an "IPsec SA" for that tunnel. But when some traffic from
net1/24 wants to go to serv2, the kernel on the client gateway tries to use the
existing SA, but FreeS/WAN doesn't have an "IPsec SA" established for *this*
connection, and the traffic can't get through.

Is it possible to make FreeS/WAN use the existing "IPsec SA" for other
connections through the same gateway? Or are there other solutions?
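For readers who want to reproduce the topology described in this message, the following is an added illustration of how the two tunnels with identical endpoints look in FreeS/WAN's ipsec.conf; it is not the poster's own configuration. The addresses (192.0.2.0/24 for net1, 198.51.100.1/198.51.100.2 for gw1/gw2, 10.0.0.1 and 10.0.0.2 for serv1/serv2) and the PSK authentication are assumed placeholders. Each conn has the same left/right gateway pair and differs only in rightsubnet, which is exactly the case where FreeS/WAN negotiates a separate SA per conn while a KAME kernel expects one SA for the shared endpoint pair.

```ini
# Added example, not from the original post. Addresses are placeholders.
config setup
        interfaces=%defaultroute

conn %default
        keyexchange=ike
        authby=secret
        auto=start

# Tunnel 1: net1/24 -> serv1, endpoints gw1 (left) and gw2 (right)
conn net1-serv1
        left=198.51.100.1
        leftsubnet=192.0.2.0/24
        right=198.51.100.2
        rightsubnet=10.0.0.1/32

# Tunnel 2: net1/24 -> serv2, same gateway endpoints, different rightsubnet.
# FreeS/WAN will bring up a second, distinct IPsec SA for this conn.
conn net1-serv2
        left=198.51.100.1
        leftsubnet=192.0.2.0/24
        right=198.51.100.2
        rightsubnet=10.0.0.2/32
```

When checking the behaviour the message describes, compare `ipsec auto --status` (or `ipsec eroute`) on the FreeS/WAN side, which should list one eroute and SA pair per conn, against `setkey -D` and `setkey -DP` on the KAME side to see which SAD entries the kernel's SPD entries actually resolve to.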

