[strongSwan-dev] patch proposal: ignore acquire

Tobias Brunner tobias at strongswan.org
Mon Oct 5 16:22:12 CEST 2015

Hi Emeric,

> conn "test PASS"
>         leftsubnet=
>         rightsubnet=
>         auto=route
>         type=passthrough
>         authby=never

This should be drop, not passthrough.

> I see at least two problems:
> - Why are the additional policies not installed in the kernel? Only the refcounts are updated?

There should not be any additional policies, but the existing policies
should get updated with the new information (like reqids etc.).

> - I'm not sure FreeBSD can handle SP priority? We are using FreeBSD 9.3.

The policies are used internally in the plugin to decide which
SA/information should be associated with the policies.

Since passthrough policies have a higher priority than IPsec policies,
the installed policies are not updated. Try with type=drop.

