[strongSwan-dev] patch proposal: ignore acquire

Tobias Brunner tobias at strongswan.org
Mon Oct 5 14:45:10 CEST 2015


Hi Emeric,

> My proposal is to add an "ignore_acquire" parameter, set per connection.
> If set, the acquire messages are just discarded.

My recommendation would be to install a drop policy for the same traffic
selector and to use auto=add for the actual connection.  In recent
releases drop policies are always installed with a lower priority than
IPsec policies or passthrough policies, so traffic will be blocked until
the IPsec connection is established (and again when it is torn down),
but not while it is established.

This should work fine with the kernel-pfkey plugin, however, the reqid
check in the kernel-netlink plugin currently prevents this from working
if the traffic selectors are exactly the same for the drop and IPsec
policy.  Since shunt policies have no reqid associated with them we
might make an exception for these, though.  I've updated the
policy-del-ext branch to support this.

Regards,
Tobias
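The setup Tobias recommends, written out as an ipsec.conf fragment. This is an added example, not configuration from the original mail or from the strongSwan project; the connection names, subnets and gateway addresses are assumptions chosen for illustration. The drop shunt is a separate conn with type=drop and auto=route (shunt policies carry no SA, so they have to be routed rather than added), and the real tunnel uses auto=add with the same traffic selectors so that the IPsec policy, once established, takes precedence over the drop policy:

```ini
# Added example (not from the original mail or the strongSwan project).
# All names, subnets and addresses below are assumptions for illustration.

# Drop shunt: blocks 10.1.0.0/16 <-> 10.2.0.0/16 whenever no IPsec
# policy for the same selectors is installed. Shunt conns need auto=route;
# auto=add would not install anything because there is no SA to set up.
conn block-net-net
    type=drop
    leftsubnet=10.1.0.0/16
    rightsubnet=10.2.0.0/16
    auto=route

# The actual tunnel, loaded but not started and not trap-installed, so it
# never generates acquires. While it is up its IPsec policy outranks the
# drop policy; when it is down the drop policy blocks the traffic again.
conn net-net
    left=192.0.2.1
    leftsubnet=10.1.0.0/16
    right=198.51.100.1
    rightsubnet=10.2.0.0/16
    auto=add
```

After loading this, the installed policies and their relative priorities can be inspected on Linux with `ip xfrm policy`; both a drop policy and (once `ipsec up net-net` has been run) an IPsec policy for the same selectors should be present. Note the caveat from the mail itself: with identical selectors this only works with kernel-pfkey, or with a kernel-netlink plugin that exempts shunt policies from its reqid check (at the time of writing, the policy-del-ext branch).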
