[strongSwan] Strongswan 4.5.1 sqlite database passthrough

CETIAD - Fabrice Barconnière fabrice.barconniere at ac-dijon.fr
Mon Jun 27 10:09:36 CEST 2011


Hi Martin,

Thanks for your answers.


On 24/06/2011 16:41, Martin Willi wrote:
>> Is it possible to do that with traffic_selectors and peer_configs
>> tables?
> Yes, you can associate as many traffic_selectors using
> child_config_traffic_selector to child_configs as you need.
>
It's OK. We already do that.

>> In traffic_selectors table, fields to be filled are start_address and
>> end_address but you mean it must be network and broadcast addresses?
> You can define ranges in the sql backend and negotiate them with IKEv2.
> Unfortunately, the Linux kernel supports full subnets only. Non-subnet
> ranges are mapped to the next matching subnet while installing the
> policies.
>
>> How can we have route exception?
> You can't. But you could install the required routes manually, and
> disable automatic route installation by charon using strongswan.conf:
>
> charon {
> 	install_routes = no
> }
>
We use an updown script for the child_configs iptables rules. I've seen that routes
are not supported in IKEv2.
Is it possible to modify it and add/delete routes with the iptables rules in the
up-client:) and down-client:) sections?
Otherwise, would a /etc/init.d/vpn script which calls the /etc/init.d/ipsec
script and adds the routes work?

> Regards
> Martin
>
>
Regards
Fabrice
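One way to do what the message above asks about, as an added example that is neither strongSwan's _updown script nor code from this thread: a small updown handler that adds a route for the remote traffic selector on up-client and removes it on down-client, for a charon running with install_routes = no. It reads the PLUTO_VERB, PLUTO_PEER_CLIENT, PLUTO_INTERFACE and PLUTO_ME variables that strongSwan exports to the updown script; the DRY_RUN switch and the build_route_cmd/handle_updown function names are assumptions of this example so the logic can be exercised without root.

```shell
#!/bin/sh
# Added example (not strongSwan's _updown and not from the mailing-list thread):
# install/remove a route for the remote traffic selector from an updown script
# when charon is configured with install_routes = no.
#
# Relies on variables strongSwan exports to the updown script:
#   PLUTO_VERB          up-client / down-client (and others we ignore)
#   PLUTO_PEER_CLIENT   remote traffic selector (e.g. 10.2.0.0/16)
#   PLUTO_INTERFACE     interface the CHILD_SA is installed on
#   PLUTO_ME            our own address, used as the route's source
# DRY_RUN=1 is an assumption of this example: print the command instead of running it.

# build_route_cmd VERB PEER_CLIENT IFACE ME
# Prints the "ip route" command for the verb, or returns 1 when the verb is not
# one we handle or a required value is missing (no route for a half-described SA).
build_route_cmd() {
    verb="$1"; peer_client="$2"; iface="$3"; me="$4"
    if [ -z "$peer_client" ] || [ -z "$iface" ] || [ -z "$me" ]; then
        return 1
    fi
    case "$verb" in
        up-client)
            echo "ip route add $peer_client dev $iface src $me"
            ;;
        down-client)
            echo "ip route del $peer_client dev $iface src $me"
            ;;
        *)
            # up-host, down-host, ... are left to the rest of the updown script
            return 1
            ;;
    esac
}

# handle_updown: entry point invoked by charon through the updown setting.
# Unhandled verbs are ignored silently so the rest of the script keeps working.
handle_updown() {
    cmd=$(build_route_cmd "${PLUTO_VERB:-}" "${PLUTO_PEER_CLIENT:-}" \
                          "${PLUTO_INTERFACE:-}" "${PLUTO_ME:-}") || return 0
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$cmd"
    else
        $cmd
    fi
}

# Only act when charon actually called us (PLUTO_VERB is set).
if [ -n "${PLUTO_VERB:-}" ]; then
    handle_updown
fi
```

The script is referenced from the child_configs entry via its updown column (or leftupdown in ipsec.conf), and the iptables rules already used in up-client:) and down-client:) would go next to the route calls; a down-client that arrives without PLUTO_PEER_CLIENT produces no route command rather than a malformed one.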
