[strongSwan] Strongswan 4.5.1 sqlite database passthrough

CETIAD - Fabrice Barconnière fabrice.barconniere at ac-dijon.fr
Mon Jun 27 10:09:36 CEST 2011

Hi Martin,

Thanks for your answers.

Le 24/06/2011 16:41, Martin Willi a écrit :
>> Is it possible to do that with traffic_selectors ans peer_configs
>> tables ?
> Yes, you can associate as many traffic_selectors using
> child_config_traffic_selector to child_configs as you need.
It's OK. We already do that.

>> In traffic_selectors table, fields to be filled are start_address and
>> end_address but you mean it must be network and broadcast addresses ?
> You can define ranges in the sql backend and negotiate them with IKEv2.
> Unfortunately, the Linux kernel supports full subnets only. Non-subnet
> ranges are mapped to the next matching subnet while installing the
> policies.
>> How can we have route exception ?
> You can't. But you could install the required routes manually, and
> disable automatic route installation by charon using strongswan.conf:
> charon {
> 	install_routes = no
> }
We use updown script for child_configs iptables rules. I've seen routes 
are not supported in IKEv2.
Is it possible to modify it and add/delete routes with iptables rules in 
up-client:) and down-client:) section ?
Otherwise, write a /etc/init.d/vpn script which calls /etc/init.d/ipsec 
script and add routes should work ?

> Regards
> Martin

More information about the Users mailing list