[strongSwan] Strongswan 4.5.1 sqlite database passthrough

Andreas Steffen andreas.steffen at strongswan.org
Wed Jun 29 07:43:24 CEST 2011

Hello Fabrice,

strongswan-4.5.3dr6 with shunt policy support is available from


There is an example scenario based on ipsec.conf


where PASS policies are defined with type=pass and DROP policies
with type=drop. Authentication should be set to either 'authby=never'
or 'right|leftauth=any', but this actually doesn't matter as long as

A second example stores its configuration in an SQLite database


As the SQL dump


shows, the peer_config should have its auth_method set to 0

INSERT INTO peer_configs (
  name, ike_cfg, local_id, remote_id, auth_method, mobike, dpd_delay
) VALUES (
  'shunts', 2, 7, 7, 0, 0, 0
);

and local_id/remote_id should preferably be set to %any

INSERT INTO identities (
  type, data
) VALUES ( /* %any */
  0, '%any'
);

as well as left/right in the ike_config

INSERT INTO ike_configs (
  local, remote
) VALUES (
  '%any', '%any'
);

The mode of a PASS policy is 4 and the start_action should be
1 for route:

INSERT INTO child_configs (
  name, mode, start_action
) VALUES (
  'local-net', 4, 1
);

whereas the mode of a DROP policy is 5

INSERT INTO child_configs (
  name, mode, start_action
) VALUES (
  'venus-icmp', 5, 1
);

And do not forget to set install_routes = yes in strongswan.conf


Best regards


On 06/28/2011 12:14 PM, CETIAD - Fabrice Barconnière wrote:
> Hello Andreas
> Thanks for all that you do.
> I wait for this.
> Regards
> Fabrice
> On 28/06/2011 11:04, Andreas Steffen wrote:
>> Hello Fabrice,
>> probably today I'm going to release a strongSwan snapshot with
>> integrated PASS and DROP shunt policies support. These policies
>> can be configured either via ipsec.conf or an SQL database.
>> So just have a little patience.
>> Best regards
>> Andreas

Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
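
Added example, not part of the original message and not strongSwan project code: a small audit that lists the PASS/DROP shunt policies in an SQLite configuration and flags rows that deviate from the values given in the message above (start_action 1, and %any identities on peers with auth_method 0). The table layout is reduced to the columns quoted in the message, and the extra sample rows ('shunts-bad', 'dmz-pass', 'gw.example.org') are constructed for illustration.

```python
import sqlite3

# Reduced schema (assumption): only the columns quoted in the message.
SCHEMA = """
CREATE TABLE identities (id INTEGER PRIMARY KEY, type INTEGER, data TEXT);
CREATE TABLE peer_configs (id INTEGER PRIMARY KEY, name TEXT, ike_cfg INTEGER,
  local_id INTEGER, remote_id INTEGER, auth_method INTEGER, mobike INTEGER, dpd_delay INTEGER);
CREATE TABLE child_configs (id INTEGER PRIMARY KEY, name TEXT, mode INTEGER, start_action INTEGER);
"""
# Constructed sample: the message's rows plus two deliberately wrong ones.
SAMPLE = """
INSERT INTO identities (id, type, data) VALUES (7, 0, '%any');
INSERT INTO identities (id, type, data) VALUES (8, 2, 'gw.example.org');
INSERT INTO peer_configs (name, ike_cfg, local_id, remote_id, auth_method, mobike, dpd_delay)
  VALUES ('shunts', 2, 7, 7, 0, 0, 0);
INSERT INTO peer_configs (name, ike_cfg, local_id, remote_id, auth_method, mobike, dpd_delay)
  VALUES ('shunts-bad', 2, 8, 7, 0, 0, 0);
INSERT INTO child_configs (name, mode, start_action) VALUES ('local-net', 4, 1);
INSERT INTO child_configs (name, mode, start_action) VALUES ('venus-icmp', 5, 1);
INSERT INTO child_configs (name, mode, start_action) VALUES ('dmz-pass', 4, 0);
"""
SHUNT_MODES = {4: "PASS", 5: "DROP"}  # mode values given in the message
ROUTE = 1                             # start_action value given for route

def audit_shunts(db):
    """Return (shunts, findings) for a database using the reduced schema."""
    shunts, findings = [], []
    for name, mode, action in db.execute(
            "SELECT name, mode, start_action FROM child_configs "
            "WHERE mode IN (4, 5) ORDER BY id"):
        shunts.append((name, SHUNT_MODES[mode]))
        if action != ROUTE:
            findings.append(f"{name}: start_action={action}, expected {ROUTE}")
    # Peers with auth_method 0 should use %any for both identities.
    for name, local, remote in db.execute(
            "SELECT p.name, l.data, r.data FROM peer_configs p "
            "LEFT JOIN identities l ON l.id = p.local_id "
            "LEFT JOIN identities r ON r.id = p.remote_id "
            "WHERE p.auth_method = 0 ORDER BY p.id"):
        if (local, remote) != ("%any", "%any"):
            findings.append(f"{name}: ids {local!r}/{remote!r}, expected '%any'")
    return shunts, findings

def demo():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA + SAMPLE)
    return audit_shunts(db)

if __name__ == "__main__":
    print(demo())
```

The list of PASS entries is the part to review by hand, since each one lets matching traffic leave outside the tunnel.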
