[strongSwan] 10[CFG] trap not found, unable to acquire reqid 10 and vici query

Mohammad Ahmad mohd.ahmad17 at gmail.com
Tue Aug 4 02:33:49 CEST 2015


Hi Noel,

Thank you for the quick response. Do you guys accept Pull Requests? I
would like to add support for setting the installpolicy to VICI.

Ahmad

On Mon, Aug 3, 2015 at 5:28 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>
> Hello Mohammed,
>
> VICI does not seem to provide that function - among others -, unlike ipsec.conf.
> You will need to patch strongswan to make that option settable through VICI.
>
> Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 04.08.2015 at 02:27, Mohammad Ahmad wrote:
>> Hi,
>>
>> I am not able to figure out how to set installpolicy=false through the
>> vici plugin. There is no installpolicy variable in the child_data_t
>> struct in vici_config.c although there is an install policy variable in
>> the libcharon config.
>>
>> How can I set installpolicy=false? I want to add policies manually.
>>
>> Ahmad
>>
>> On Thu, Jul 23, 2015 at 3:08 PM, Mohammad Ahmad <mohd.ahmad17 at gmail.com> wrote:
>>> Thanks for the help! That solved the problem.
>>>
>>> Now I am moving on to using the vici plugin!
>>>
>>> On Thu, Jul 23, 2015 at 10:20 AM, Tobias Brunner <tobias at strongswan.org> wrote:
>>>>> Since I am using this in a dynamic environment it is necessary for
>>>>> me to add policies manually.
>>>>
>>>> While a traffic selector based on the triggering packet is also sent to
>>>> the peer, this might not work that well.  The daemon does not learn the
>>>> policies you install manually, so you probably still have to load them
>>>> using left|rightsubnet in auto=route configs.  But you can add/remove
>>>> configs dynamically and use `ipsec update` to notify the daemon (this
>>>> also works with installpolicy=yes, of course - and similarly via VICI).
>>>>
>>>>> So variables such as 'keylifetime' need to be added for each conn. I
>>>>> assumed there may be a way to define some parameters such as 'rekey'
>>>>> margin for all connections.
>>>>
>>>> No, that has to be added for all connections (it's actually the same for
>>>> ipsec.conf, there the parser just "adds" the options in %default to all
>>>> other conn sections - the daemon always sees the complete config).
>>>>
>>>> Regards,
>>>> Tobias
>>>>
>
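
The `%default` behaviour described in the quoted reply above (the parser copies the default options into every other conn section, so the daemon only ever sees complete configs), shown as an added example that is not part of the thread and not strongSwan code. It is a simplified reader for ipsec.conf-style text: the sample config is constructed, the function names are hypothetical, defaults are applied to every conn regardless of position in the file, and `also=` and `include` are not handled.

```python
# Added illustration: expand "conn %default" into each conn section so every
# connection carries its complete option set (what must be done by hand when
# connections are defined one by one instead of through ipsec.conf).

# Constructed sample config, not taken from the thread.
SAMPLE_CONF = """\
conn %default
    lifetime=1h
    margintime=9m
    installpolicy=yes

conn site-a
    leftsubnet=10.1.0.0/24
    rightsubnet=10.2.0.0/24
    auto=route

conn site-b
    leftsubnet=10.1.0.0/24
    rightsubnet=10.3.0.0/24
    lifetime=30m
    auto=route
"""

def parse_conns(text):
    """Return (defaults, {conn name: its own options}) from ipsec.conf-style text."""
    defaults, conns, current = {}, {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                 # section header starts at column 0
            kind, _, name = line.partition(" ")
            name = name.strip()
            if kind != "conn" or not name:
                current = None                    # ignore non-conn sections
                continue
            current = defaults if name == "%default" else conns.setdefault(name, {})
        elif current is not None:                 # indented key=value line
            key, sep, value = line.strip().partition("=")
            if not sep:
                raise ValueError(f"line {lineno}: expected key=value")
            current[key.strip()] = value.strip()
    return defaults, conns

def expand(text):
    """Complete per-connection configs; a conn's own value overrides the default."""
    defaults, conns = parse_conns(text)
    return {name: {**defaults, **own} for name, own in conns.items()}

def missing(expanded, required=("lifetime", "margintime")):
    """Connections that still lack a required option after expansion."""
    gaps = {n: [k for k in required if k not in c] for n, c in expanded.items()}
    return {n: ks for n, ks in gaps.items() if ks}
```

Running `missing(expand(...))` over a config before porting it to per-connection definitions shows which connections relied on `%default` for their rekeying settings.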

