[strongSwan-dev] patch proposal: ignore acquire
Tobias Brunner
tobias at strongswan.org
Mon Oct 5 16:22:12 CEST 2015
Hi Emeric,
> conn "test PASS"
> leftsubnet=192.168.120.0/24
> rightsubnet=192.168.110.0/24
> auto=route
> type=passthrough
> authby=never
This should be drop, not passthrough.
> I see at least two problems:
> - Why are the additional policies not installed in the kernel? Only the refcounts are updated?
There should not be any additional policies, but the existing policies
should get updated with the new information (like reqids etc.).
> - I'm not sure FreeBSD can handle SP priority? We are using FreeBSD 9.3.
The policies are used internally in the plugin to decide which
SA/information should be associated with the policies.
Since passthrough policies have a higher priority than IPsec policies,
the installed policies are not updated. Try with type=drop.
Regards,
Tobias