[strongSwan-dev] need for calling TASK_IKE_CONFIG before TASK_CHILD_CREATE in task_manager_v2.c

Martin Willi martin at strongswan.org
Thu Mar 5 14:54:27 CET 2015


> My understanding was ip address assignment to interface can happen
> later after child SA is negotiated with tunnel end point using the
> virtual ip stored in the Strongswan internal data structures.

No, this won't work. Negotiating the CHILD_SA installs IPsec SAs and
policies to the kernel, along with a source route to actually make use
of these policies. If the virtual IP is not installed to the kernel,
installing the source route is not possible.

Not sure what you want to achieve by deferring virtual IP installation,
but that won't work with the way strongSwan handles CHILD_SA setup.

Regards
Martin



More information about the Dev mailing list