[strongSwan] 10[CFG] trap not found, unable to acquire reqid 10 and vici query
mohd.ahmad17 at gmail.com
Tue Aug 4 02:33:49 CEST 2015
Thank you for the quick response. Do you guys accept Pull Requests? I
would like to add support for setting the installpolicy to VICI.
On Mon, Aug 3, 2015 at 5:28 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
> Hello Mohammed,
> VICI does not seem to provide that function - among others -, unlike ipsec.conf.
> You will need to patch strongswan to make that option settable through VICI.
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> Am 04.08.2015 um 02:27 schrieb Mohammad Ahmad:
>> I am not able to figure out how to set installpolicy=false through the
>> vici plugin. There is no installpolicy variable in the child_data_t
>> struct in vici_config.c although there is an install policy variable in
>> the libcharon config.
>> How can I set installpolicy=false? I want to add policies manually.
>> On Thu, Jul 23, 2015 at 3:08 PM, Mohammad Ahmad <mohd.ahmad17 at gmail.com> wrote:
>>> Thanks for the help! That solved the problem.
>>> Now I am moving on to using the vici plugin!
>>> On Thu, Jul 23, 2015 at 10:20 AM, Tobias Brunner <tobias at strongswan.org> wrote:
>>>>> Since I am using this in a dynamic environment it is necessary for
>>>>> me to add policies manually.
>>>> While a traffic selector based on the triggering packet is also sent to
>>>> the peer, this might not work that well. The daemon does not learn the
>>>> policies you install manually, so you probably still have to load them
>>>> using left|rightsubnet in auto=route configs. But you can add/remove
>>>> configs dynamically and use `ipsec update` to notify the daemon (this
>>>> also works with installpolicy=yes, of course - and similarly via VICI).
>>>>> So variables such as 'keylifetime' need to be added for each conn. I
>>>>> assumed there may be a way to define some parameters such as 'rekey'
>>>>> margin for all connections.
>>>> No, that has to be added for all connections (it's actually the same for
>>>> ipsec.conf, there the parser just "adds" the options in %default to all
>>>> other conn sections - the daemon always sees the complete config).