[strongSwan] 10[CFG] trap not found, unable to acquire reqid 10 and vici query

Noel Kuntze noel at familie-kuntze.de
Tue Aug 4 02:28:51 CEST 2015


Hello Mohammed,

VICI does not seem to provide that function - among others -, unlike ipsec.conf.
You will need to patch strongswan to make that option settable through VICI.

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

Am 04.08.2015 um 02:27 schrieb Mohammad Ahmad:
> Hi,
>
> I am not able to figure out how to set installpolicy=false through the
> vici plugin. There is no installpolicy variable in the child_data_t
> struct in vici_config.c although there is an install policy variable in
> the libcharon config.
>
> How can I set installpolicy=false? I want to add policies manually.
>
> Ahmad
>
> On Thu, Jul 23, 2015 at 3:08 PM, Mohammad Ahmad <mohd.ahmad17 at gmail.com> wrote:
>> Thanks for the help! That solved the problem.
>>
>> Now I am moving on to using the vici plugin!
>>
>> On Thu, Jul 23, 2015 at 10:20 AM, Tobias Brunner <tobias at strongswan.org> wrote:
>>>> Since I am using this in a dynamic environment it is necessary for
>>>> me to add policies manually.
>>>
>>> While a traffic selector based on the triggering packet is also sent to
>>> the peer, this might not work that well.  The daemon does not learn the
>>> policies you install manually, so you probably still have to load them
>>> using left|rightsubnet in auto=route configs.  But you can add/remove
>>> configs dynamically and use `ipsec update` to notify the daemon (this
>>> also works with installpolicy=yes, of course - and similarly via VICI).
>>>
>>>> So variables such as 'keylifetime' need to be added for each conn. I
>>>> assumed there may be a way to define some parameters such as 'rekey'
>>>> margin for all connections.
>>>
>>> No, that has to be added for all connections (it's actually the same for
>>> ipsec.conf, there the parser just "adds" the options in %default to all
>>> other conn sections - the daemon always sees the complete config).
>>>
>>> Regards,
>>> Tobias
>>>



