<div dir="ltr">Hi All,<div><br></div><div><pre style="white-space:pre-wrap;color:rgb(0,0,0)">Can anyone let me know your inputs for this query ?</pre><pre style="white-space:pre-wrap;color:rgb(0,0,0)">Thanks</pre><pre style="white-space:pre-wrap;color:rgb(0,0,0)"><span style="font-family:arial,sans-serif;color:rgb(34,34,34)">Mahendra</span></pre></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Jan 18, 2016 at 2:01 AM, Mahendra SP <span dir="ltr"><<a href="mailto:mahendra.sp@gmail.com" target="_blank">mahendra.sp@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi, Thank you for the inputs. <div><br></div><div>We are planning to use freebsd n/w stack + strongswan. Can we still control the IPsec per interface in the kernel using the above mentioned sysctl values ? </div><div><br></div><div>The above sysctl values are for controlling the IPsec state per interface at the kernel level. How about the policy ? Does strongswan provide options to configure rules per interface? I looked at the strongswan man pages and didn't find any. </div><div><br></div><div>Please let me know your thoughts.</div><div><br></div><div>Thanks</div><span class="HOEnZb"><font color="#888888"><div>Mahendra</div></font></span></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Jan 13, 2016 at 3:40 PM, Noel Kuntze <span dir="ltr"><<a href="mailto:noel@familie-kuntze.de" target="_blank">noel@familie-kuntze.de</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA256<br>
<br>
Hello Mahendra,<br>
<br>
Charon is only the keying daemon.<br>
Setting "charon.interfaces_ignore" or charon.interfaces_use"only defines the list of interfaces<br>
whose IPs are listened on by charon or not.<br>
The kernel takes care of the traffic. If you want to disable XFRM policies on an interface, then you need to<br>
disable XFRM and policy on that interface. Those are the following sysctl values:<br>
<br>
net.ipv4.conf.<interface>.disable_policy<br>
net.ipv4.conf.<interface>.disable_xfrm<br>
<br>
Set them to 1 to disable IPsec processing on that interface.<br>
<br>
- --<br>
<br>
Mit freundlichen Grüßen/Kind Regards,<br>
Noel Kuntze<br>
<br>
GPG Key ID: 0x63EC6658<br>
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658<br>
<br>
-----BEGIN PGP SIGNATURE-----<br>
Version: GnuPG v2<br>
<br>
iQIcBAEBCAAGBQJWliJ5AAoJEDg5KY9j7GZY18QQAJkPB3PCzJfQ0WPLzfHcNX9m<br>
/QQQdIjz9RWQjBrBOzMxdnPA816xLQ5JLmjdOFpJy3RE7WM/upsJLB+CDMyYMy1t<br>
oQGzAWthL1DqYyWrJthfKKihSHmQAo3cKI4EE6uhis60ZjoRyGNH0dao1PjYA+uC<br>
mZ96nProY/xi7xxhiQnSRLYlwwb/wSVOFSo4U/j3vgpljUIgPueFXovewW8adbuN<br>
kPwvhgZ/HihO6pkcZQnk1zbCUBuwdFoRV+5Gj1zNW0+UKhKSTXmuOZJit8Y0TM8P<br>
qYLDFoeYO7Xg+XiXZ0Y7qzv5OF7RQVeQnDs86MElr6128XZ5ghU2zgzdkm/lmEmH<br>
0SvXfM8Afc0raJdtuo4YvSnIEp85n5RGVh79BcG8ss4TwnoTrGEInYL4QyVkm6FA<br>
+vt6IZNCC5UeTMRq7XgN8jBKxTBxXy6eoRe/1vJrDLplp4i0+ZddN5Md1wKK2cx6<br>
lJpeGgQNFuOOy/rp5CRID1RbJZNDywv1ZDUN6xhR1FO04eG8XL5LBDEHoZQRpFi0<br>
UpnAkGPBa04d4C+CeS+lQbW5LvR3KlQi2lxnxDt2gm7dSXt2kB9ssXNo2Qa1ZDwY<br>
qguqYkdh4/2ADG+gP98t1KdFmnbUSo/IIElmVutkHvm/Xtj4M9CdTfPilr3UxPkV<br>
6PCTUv2rh4SYJc7m0dIs<br>
=QXjV<br>
-----END PGP SIGNATURE-----<br>
<br>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div>