Pfsense ipsec advanced

From Xinux Wiki

Splitting phase 2 into separate connections

  • Tick the "Split Connections" checkbox

Pfsense-ipsec-split.png

Original Definition

  • (IKEv2 Only) By default when an IKEv2 tunnel has multiple phase 2 definitions the settings are collapsed in the IPsec configuration such that all phase 2 combinations are held in a single child SA.
  • Split Connections changes this behavior to be more like IKEv1 where each phase 2 entry is configured by the daemon as its own separate child SA.
  • Certain scenarios require this behavior, such as:
    • The remote peer does not properly handle multiple addresses in single traffic selectors. This is especially common in Cisco, Checkpoint, Fortinet, and Juniper equipment.
    • Each child SA must have unique traffic selector or proposal settings. This could be due to the peer only allowing specific combinations of local/remote subnet pairs or different encryption options for each child SA.
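To make the difference between the two behaviours concrete, the following swanctl.conf fragments show how strongSwan (the IKE daemon pfSense uses) would see one IKEv2 tunnel with two phase 2 entries, first collapsed into a single child SA and then split into one child SA per entry. This is an illustrative example added here, not the configuration pfSense itself generates; connection names, addresses and proposals are constructed sample values.

```conf
# Added illustrative example, not pfSense's generated configuration.
# All addresses, names and proposals are constructed sample values.

# Default (Split Connections unchecked): every phase 2 combination is
# carried by ONE child SA whose traffic selectors are lists. In IKEv2 a
# list of local selectors against a list of remote selectors means any
# local subnet may talk to any remote subnet over the same child SA.
connections {
    con1 {
        version      = 2
        local_addrs  = 203.0.113.1
        remote_addrs = 198.51.100.1
        proposals    = aes256-sha256-modp2048
        children {
            con1 {
                local_ts      = 10.0.1.0/24, 10.0.2.0/24
                remote_ts     = 192.168.1.0/24, 192.168.2.0/24
                esp_proposals = aes256gcm16
            }
        }
    }
}

# Split Connections checked: each phase 2 entry is its own child SA with a
# single local/remote pair (the IKEv1-like shape). This is what a peer that
# rejects multiple addresses in one traffic selector expects, and it is the
# only form that allows different ESP proposals for different subnet pairs.
connections {
    con1 {
        version      = 2
        local_addrs  = 203.0.113.1
        remote_addrs = 198.51.100.1
        proposals    = aes256-sha256-modp2048
        children {
            con1_1 {
                local_ts      = 10.0.1.0/24
                remote_ts     = 192.168.1.0/24
                esp_proposals = aes256gcm16
            }
            con1_2 {
                local_ts      = 10.0.2.0/24
                remote_ts     = 192.168.2.0/24
                esp_proposals = aes256-sha256
            }
        }
    }
}
```

After the tunnel comes up, `swanctl --list-sas` on the pfSense shell shows the result of the setting directly: the collapsed form lists one child SA with several subnets under its local/remote selectors, the split form lists one child SA per phase 2 entry. That is the quickest check when a Cisco, Checkpoint, Fortinet or Juniper peer accepts the IKE SA but only some of the expected subnets pass traffic.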