[strongSwan] Question about charon.interfaces_ignore/charon.interfaces_use

Tobias Brunner tobias at strongswan.org
Wed Sep 28 17:37:49 CEST 2016


Hi Michael,

> I'm trying to configure strongSwan on a Linux platform that has three
> interfaces (for simplicity, I'll call them a, b, and c). I only want to
> do IPsec on interface a and I want interfaces b and c to be unaffected.
> In the strongswan.conf file I added the line interfaces_ignore = b,c to
> the charon subsection. However, I am seeing that traffic going to
> interfaces b and c is still attempting to negotiate IPsec. Conversely,
> I tried interfaces_use = a and still saw the same result.

Are IPs on interfaces b and c listed in `ipsec statusall`?  If you
increase the log level for the knl subsystem, do you see interfaces b
and c and their IPs listed when the daemon starts?  Also, if you
increase the log level for the net subsystem to 3 there should be a
message logged if a packet is dropped because it was addressed to an IP
on an ignored interface.

Regards,
Tobias
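
Added example, not part of the original message: a strongswan.conf fragment that combines the interface restriction from the question with the raised log levels suggested in the reply. The interface name a is the placeholder used in the thread; logging to the syslog daemon facility and the knl level of 2 are assumptions (the reply only names level 3 for net).

```conf
# strongswan.conf (fragment, constructed for illustration)
charon {
    # Restrict charon to interface "a" (placeholder name from the thread).
    # When interfaces_use is set, interfaces_ignore has no effect,
    # so configure only one of the two.
    interfaces_use = a
    # interfaces_ignore = b,c

    syslog {
        # Log levels per subsystem for the "daemon" syslog facility
        # (assumed log target; a filelog section works the same way).
        daemon {
            default = 1
            # knl: kernel interface; at a raised level the interfaces and
            # addresses seen at daemon start can be checked (level assumed).
            knl = 2
            # net: level 3 is the level named in the reply for the message
            # about packets dropped on ignored interfaces.
            net = 3
        }
    }
}
```

After restarting the daemon, compare the addresses reported by `ipsec statusall` with those assigned to interfaces b and c.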


