[strongSwan] kernel SPD policy not installed until successful IKE negotiation completes

Alexander Lyakas alex.bolshoy at gmail.com
Wed Mar 7 14:28:51 CET 2012

Thanks, Tobias!

I ended up specifying "auto=route" and then calling "ipsec whack
--initiate --name <name> --asynchronous" to immediately kick the
initial negotiation.

It would be good if "auto" could have an option to both install the
policy and initiate negotiation (both "route" and "start"). I guess
this is not possible right now, isn't it?


On Wed, Mar 7, 2012 at 11:53 AM, Tobias Brunner <tobias at strongswan.org> wrote:
> Hi Alex,
>> Is there a way to instruct strongswan to install the security policy
>> right upon starting?
> Try auto=route.  This installs the policies right away and if traffic
> matches them the daemon will try to setup the appropriate IKE/IPsec SAs.
> The installpolicy option is intended for MIPv6 where the policies are
> not managed by the IKE daemon.
> Regards,
> Tobias

More information about the Users mailing list