[strongSwan-dev] patch proposal: ignore acquire

Tobias Brunner tobias at strongswan.org
Mon Oct 5 18:20:35 CEST 2015


Hi Emeric,

> I guess you are not interested in the "ignore_acquire" approach?

Not really.  Drop policies are exactly for this purpose, while trap
policies are to trigger IKE/IPsec SAs, not to drop traffic.  Ignoring
acquires does not make much sense, in particular because the kernel's
behavior is quite different when traffic matches a trap policy.  The
kernel might create a temporary SA and cache packets until the SA is
established, so that could require lots of resources if the other peer
does not establish the connection for a while.  And depending on the OS
settings and the traffic the kernel might send lots of acquires to the
daemon (for instance, on FreeBSD the default is to trigger an acquire
every 10th packet, see net.key.blockacq_count).

> The only drawback is that we have to manually add a "drop" connection for each "responder only" connection.

Using the `also` keyword you could simplify this and avoid having to
duplicate the traffic selector definition (e.g. define left|rightsubnet
in the "drop" connection and include it in the "responder" connection
and override/add settings appropriately).

Regards,
Tobias
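
The layout suggested above, as an added ipsec.conf sketch that is not part of the original message or of the strongSwan project's own examples. The connection names, subnets and addresses are constructed placeholders, and authentication settings are left out.

```conf
# Constructed example: names, subnets and addresses are placeholders.

# Drop policy: holds the traffic selectors once. Traffic between the
# two subnets is dropped by this policy; no acquire is triggered.
conn site-drop
    leftsubnet=10.1.0.0/24
    rightsubnet=10.2.0.0/24
    type=drop
    auto=route

# Responder-only connection: pulls in left|rightsubnet from the drop
# connection via "also", then overrides type and auto so it is only
# loaded and waits for the peer to initiate.
conn site-responder
    also=site-drop
    type=tunnel
    auto=add
    left=192.0.2.1
    right=%any
    # authentication settings (certificates, IDs, ...) go here
```

Changing a subnet in `site-drop` then updates both connections, so the drop policy and the responder's traffic selectors cannot drift apart.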


