[strongSwan-dev] patch proposal: ignore acquire
Emeric POUPON
emeric.poupon at stormshield.eu
Mon Oct 5 17:47:16 CEST 2015
Ok my bad! Indeed it works fine like that :)
The only drawback is that we have to manually add a "drop" connection for each "responder only" connection.
This does not make debugging easier for setups with a large amount of connections.
I guess you are not interested in the "ignore_acquire" approach?
Best Regards,
Emeric
----- Original Message -----
From: "Tobias Brunner" <tobias at strongswan.org>
To: "Emeric POUPON" <emeric.poupon at stormshield.eu>
Cc: dev at lists.strongswan.org
Sent: Monday 5 October 2015 16:22:12
Subject: Re: [strongSwan-dev] patch proposal: ignore acquire
Hi Emeric,
> conn "test PASS"
> leftsubnet=192.168.120.0/24
> rightsubnet=192.168.110.0/24
> auto=route
> type=passthrough
> authby=never
This should be drop, not passthrough.
> I see at least two problems:
> - Why are the additional policies not installed in the kernel? Only the refcount is updated?
There should not be any additional policies, but the existing policies
should get updated with the new information (like reqids etc.).
> - I'm not sure FreeBSD can handle SP priority? We are using FreeBSD 9.3.
The policies are used internally in the plugin to decide which
SA/information should be associated with the policies.
Since passthrough policies have a higher priority than IPsec policies
the installed policies are not updated, try with type=drop.
Regards,
Tobias
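The workaround Tobias describes (a companion `type=drop` connection over the same subnets, with `auto=route` and `authby=never`) has to be written once per responder-only connection, which is the drawback Emeric raises. The script below is an added example, not code from the strongSwan project or from this thread: it reads conn sections from an ipsec.conf-style text and emits the matching drop conns so they do not have to be typed by hand. The sample conns, their names and subnets are constructed; which conns count as responder-only is supplied by the caller, since the file format itself carries no such flag.

```python
"""Generate companion 'drop' conns for responder-only strongSwan connections.

Added example (not strongSwan code). For every conn the caller names as
responder-only, it renders a second conn covering the same subnets with
    auto=route, type=drop, authby=never
which is the form suggested in the thread. Sample data is constructed.
"""
import re
from dataclasses import dataclass, field

# Constructed ipsec.conf fragment; names and subnets are made up.
SAMPLE_CONF = """\
conn "site-a"
    leftsubnet=192.168.120.0/24
    rightsubnet=192.168.110.0/24
    auto=route

conn "site-b"
    leftsubnet=10.0.1.0/24
    rightsubnet=10.0.2.0/24
    auto=route
"""

CONN_HEADER = re.compile(r'^conn\s+"?([^"]+?)"?\s*$')


@dataclass
class Conn:
    name: str
    settings: dict = field(default_factory=dict)


def parse_conns(text: str) -> list[Conn]:
    """Minimal reader for 'conn NAME' sections with key=value lines.

    Comments and blank lines are skipped; anything before the first conn
    header (e.g. a 'config setup' block) is ignored.
    """
    conns: list[Conn] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CONN_HEADER.match(line)
        if m:
            current = Conn(m.group(1))
            conns.append(current)
            continue
        if current is not None and "=" in line:
            key, value = line.split("=", 1)
            current.settings[key.strip()] = value.strip()
    return conns


def drop_conn(conn: Conn) -> str:
    """Render the companion drop conn for one responder-only connection."""
    lines = [f'conn "{conn.name} DROP"']
    for key in ("leftsubnet", "rightsubnet"):
        lines.append(f"    {key}={conn.settings[key]}")
    lines += ["    auto=route", "    type=drop", "    authby=never"]
    return "\n".join(lines)


def drop_conns_for(text: str, responder_only: set[str]) -> str:
    """Return drop conns for the named responder-only conns found in text.

    Raises ValueError if a selected conn lacks leftsubnet or rightsubnet,
    because a drop policy without both selectors would not match the
    traffic the original conn traps.
    """
    selected = [c for c in parse_conns(text) if c.name in responder_only]
    missing = [c.name for c in selected
               if not all(k in c.settings for k in ("leftsubnet", "rightsubnet"))]
    if missing:
        raise ValueError(f"conn(s) without both subnets: {missing}")
    return "\n\n".join(drop_conn(c) for c in selected) + "\n"


if __name__ == "__main__":
    print(drop_conns_for(SAMPLE_CONF, {"site-a"}), end="")
```

The generated text is meant to be appended to the existing ipsec.conf alongside the original conns; it only reproduces the two subnet selectors, so any conn using other selector options (protocol or port restrictions, for instance) would need those carried over as well.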