[strongSwan] 10[CFG] trap not found, unable to acquire reqid 10 and vici query
mohd.ahmad17 at gmail.com
Thu Jul 23 19:11:21 CEST 2015
On Thu, Jul 23, 2015, 9:06 AM Tobias Brunner <tobias at strongswan.org> wrote:
> > I insert policies using ip xfrm and want to use charon to establish SAs.
>
> For this to work you have to use constant reqids for your connections
> (via reqid setting - you'll have to use that reqid in your manually
> installed policies) and use auto=route so the config is loaded into the
> trap manager. Just using auto=route with installpolicy=yes (and
> automatic reqids) is way easier, though, if you don't have any special
> requirements that make manual installation of policies necessary.

If I use the same reqid in the policy inserted using ip xfrm this should
work? Since I am using this in a dynamic environment it is necessary for me
to add policies manually. So I will set installpolicy=no.

> > 1. Where can I then define the "default" section of ipsec.conf. Can
> > this be done using vici?
>
> No, complete connection definitions have to be loaded via VICI.

So variables such as 'keylifetime' need to be added for each conn. I
assumed there may be a way to define some parameters such as 'rekey' margin
for all connections.

> > 2. How can I enable vici if I used apt-get on ubuntu to install
>
> Ubuntu deploys some plugins in separate packages, however it doesn't
> look like vici (or swanctl for that matter) is packaged. So you have to
> build strongSwan from sources (or build your own package).

I will try this out. Thanks!
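
The reply quoted above says manually installed policies must carry a constant reqid that matches a conn loaded with auto=route. The following check is an added example, not part of the original thread or of strongSwan: it compares an ipsec.conf against text shaped like `ip xfrm policy` output and lists policies whose reqid has no routed conn behind it. The conn names, addresses and function names are constructed for illustration.

```python
import re
# Constructed samples (not from the thread): an ipsec.conf and text shaped
# like `ip xfrm policy` output.
IPSEC_CONF = """\
conn site-a
    reqid=10
    installpolicy=no
    auto=route
conn site-b
    reqid=11
    auto=add
"""
XFRM_POLICIES = """\
src 10.1.0.0/24 dst 10.2.0.0/24
    dir out priority 0
    tmpl src 192.0.2.1 dst 198.51.100.1
        proto esp reqid 10 mode tunnel
src 10.1.0.0/24 dst 10.3.0.0/24
    dir out priority 0
    tmpl src 192.0.2.1 dst 198.51.100.2
        proto esp reqid 11 mode tunnel
"""

def routed_reqids(conf):
    """Return the reqids of conn sections that set auto=route."""
    conns, cur = {}, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and not raw[0].isspace():  # unindented line = section header
            cur = conns.setdefault(line, {}) if line.startswith("conn ") else None
        elif cur is not None and "=" in line:
            key, val = line.split("=", 1)
            cur[key.strip()] = val.strip()
    return {int(c["reqid"]) for c in conns.values()
            if c.get("auto") == "route" and c.get("reqid", "").isdigit()}

def policy_reqids(xfrm):
    """Map each template reqid to the selectors of the policies using it."""
    found, sel = {}, None
    for line in xfrm.splitlines():
        if line.startswith("src "):  # selector line opens a new policy
            sel = "{1} -> {3}".format(*line.split())
        elif sel and (m := re.search(r"\breqid (\d+)\b", line)):
            found.setdefault(int(m.group(1)), []).append(sel)
    return found

def untrapped(conf, xfrm):
    """Return policies whose reqid has no auto=route conn behind it."""
    routed = routed_reqids(conf)
    return {r: s for r, s in policy_reqids(xfrm).items() if r not in routed}
```

With the constructed input, `untrapped(IPSEC_CONF, XFRM_POLICIES)` reports reqid 11, because site-b is loaded with auto=add rather than auto=route.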