[strongSwan] Specifying kernel policy priority in ipsec.conf file

divya mohan m.divya.mohan at zoho.com
Mon Aug 11 08:12:12 CEST 2014


Hi,

Even with the latest strongSwan version (for IKEv2), the internal
calculation for kernel policy priority (based on source/destination
mask/port, protocol etc.) is not helping for fine tuning the
priorities.

Also, the priority getting modified once CHILD_SA is established makes
it difficult for the user to manipulate connections which have
overlapping policies.

[ Discussed here:
https://lists.strongswan.org/pipermail/users/2014-July/006346.html ]

Was the idea of specifying kernel policy priority per connection, in
the ipsec.conf file ever considered? (Cisco routers allow this.)
Could you please provide your opinion on whether you see any blocking
problems if such an attempt is made.

- Divya

