mirror of
https://github.com/strongswan/strongswan.git
synced 2025-10-06 00:00:47 -04:00
7c5a2974b9
For documentation purposes the new folders ikev1-algs, ikev2-algs, ikev1-multi-ca and ikev2-multi-ca have been created. Most of the test cases have now been converted to the vici interface. The remaining legacy stroke scenarios yet to be converted have been put into the ikev2-stroke-bye folder. For documentation purposes some legacy stroke scenarios will be kept in the ikev1-stroke, ikev2-stroke and ipv6-stroke folders.
14 lines
786 B
Plaintext
Executable File
14 lines
786 B
Plaintext
Executable File
A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b>
|
|
is set up using childless initiation of IKEv2 SAs (RFC 6023).
|
|
<p/>
|
|
The IKE_SA is established without CHILD_SA during IKE_AUTH. Instead, the
|
|
CHILD_SA is created right afterwards with a CREATE_CHILD_SA exchange, allowing
|
|
the use of a separate DH exchange for the first CHILD_SA, which is not possible
|
|
if it is created during IKE_AUTH.
|
|
<p/>
|
|
The authentication is based on <b>X.509 certificates</b>. Upon the successful
|
|
establishment of the IPsec tunnel, the updown script automatically
|
|
inserts iptables-based firewall rules that let pass the tunneled traffic.
|
|
In order to test both tunnel and firewall, client <b>alice</b> behind gateway
|
|
<b>moon</b> pings client <b>bob</b> located behind gateway <b>sun</b>.
|