[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

isakmpd - multiple IPSec SAs for single ISAKMP SA

I have been experimenting with isakmpd on Linux 2.6. I would like to do the following: For two nodes that have more than one IP address, establish a single ISAKMP security association which can then be used to protect the negotiation of multiple IPsec security associations. For example, if the first host has IP addresses A and B, and the second has A' and B', I would like to establish a single ISAKMP SA, say between A and B, and then use that to negotiate an IPsec SA between A and A', and another one between B and B'. In trying to do this, I have found that separate IPsec SPI's are not being allocated by the initiator nor the responder because the IP addresses used in the ISAKMP SA negotiation are what are being passed to the kernel when an SPI is requested.

Should the above setup be possible to do, or must the IP addresses used for the ISAKMP negotiation also match the IP addresses specified in the <IPsec-connection> section? Thanks.