[strongSwan] Running dual instances of strongswan

T Cheung tccheung1 at gmail.com
Thu Sep 13 00:20:45 CEST 2012

Hi Tobias,

It's good to know that there is the installpolicy option.  Even though
I cannot use it, I can probably check
out how it is implemented.  There are other questions that remained
and related to kernel side.
Here they are:

1) Is my assumption correct?  Do I need the policies to control
routing?  I am talking about where
there are multiple subnets values in the left|rightsubnet parameters
so that packets can be routed
thru the tunnel.

2) About kernel interface plugin, I could write my own, but I still
need policies to be in the standard
place so standard routing would work, if assumptions in 1) are
correct.  So I may not need to write
my own plugin, but rather just change the default kernel behavior by
installing the policies and
not SAs.  The question then is what will happen to the packets
(especially from sending size)?
Will kernel try to encrypt them but not be able to find SAs?  I am
guessing I need to change
kernel to ignore SAs and send the packet on anyway?


On Wed, Sep 12, 2012 at 1:47 AM, Tobias Brunner <tobias at strongswan.org> wrote:
> Hi Terry,
>> What's the best way
>> to turn off linux IPsec while still running strongswan?  Is there a
>> switch somewhere,or maybe
>> just not adding SAs to the kernel?  We still need the policies because
>> routing decisions still depend on them.
> There is an ipsec.conf option (installpolicy) to disable the
> installation of IPsec policies (used with MIPv6), but there is currently
> no option that prevents the installation of IPsec SAs.
> Of course, you could write your own kernel interface plugin (an
> implementation of the kernel_ipsec_t interface) which would handle the
> installation of SAs and policies just the way you require it.  Have a
> look at the existing kernel plugins in libhydra.
> Regards,
> Tobias

More information about the Users mailing list