[strongSwan] Traffic selector modification ignored when rekeying SA
FRECHIN and Co
regis.frechin22 at orange.fr
Fri Aug 25 12:12:27 CEST 2017
Hi all,
following Tobias' suggestion, I've added a few Python lines to modify (through vici) connection configurations.
- add a new child with updated TS list,
- remove the initial child,
- and load the new configuration.
This seems to be ok, the modifications are taken into account.
Unfortunately, the ipsec tunnel does not change & keeps on using the initial child parameters.
It's like I need an additional command so that the strongswan gw applies the new child definition & modifies the corresponding tunnel configuration for existing ipsec tunnels.
I would be happy to test any hint you could have on top of your mind :-).
thanks,
Régis
> Message of 22/08/17 10:31
> From: "FRECHIN and Co"
> To: "Tobias Brunner", "Mike Taylor", "'Sarefrech'", users at lists.strongswan.org
> Cc:
> Subject: Re: [strongSwan] Traffic selector modification ignored when rekeying SA
>
>
> Hi Tobias,
>
> one last question :-) : in our opinion, is this something I can do using Vici interface?
>
> thanks,
>
> Régis
>
>
>
>
> Message of 21/08/17 16:04
> From: "Tobias Brunner"
> To: "FRECHIN and Co", "Mike Taylor", "'Sarefrech'", users at lists.strongswan.org
> Cc:
> Subject: Re: [strongSwan] Traffic selector modification ignored when rekeying SA
>
> Hi,
>
> > So as of today, the only way to update traffic selector list for a given
> > connection with strongswan is to wait for the next reauthentication,
> > meaning potential packet drops during the process.
>
> If the remote end's config allows it, you can create a new CHILD_SA with
> new TS and remove the old one.
>
> Regards,
> Tobias
>
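Tobias's suggestion quoted above (create a new CHILD_SA with the new TS, then remove the old one), sketched as an added example that is not part of the original thread: loading a connection over vici only updates the stored configuration, so the sketch also initiates the new child and terminates the old one. It assumes the `vici` Python package's `Session.load_conn`, `initiate` and `terminate`; the helper names, the connection and child names and the addresses are constructed, and the remote end's config must allow the new TS.

```python
import copy

def build_conn(name, base, old_child, new_child, local_ts, remote_ts):
    """Build the load-conn message: same connection, old child swapped for new."""
    conn = copy.deepcopy(base)
    children = conn.setdefault("children", {})
    # Carry the old child's other options over; only the name and TS change.
    settings = children.pop(old_child, {})
    settings.update(local_ts=list(local_ts), remote_ts=list(remote_ts))
    children[new_child] = settings
    return {name: conn}

def _drain(stream):
    """initiate/terminate stream log lines; consume them so the command completes."""
    return list(stream) if stream is not None else []

def replace_child(session, name, base, old_child, new_child,
                  local_ts, remote_ts, timeout_ms=10000):
    """Load the config, bring up the new CHILD_SA, then delete the old one."""
    session.load_conn(build_conn(name, base, old_child, new_child,
                                 local_ts, remote_ts))
    # The stored config is updated now, but established CHILD_SAs are untouched.
    # If initiate raises (e.g. the peer rejects the TS), the old SA stays up.
    log = _drain(session.initiate({"child": new_child,
                                   "timeout": str(timeout_ms)}))
    log += _drain(session.terminate({"child": old_child,
                                     "timeout": str(timeout_ms)}))
    return log

# Constructed sample settings; a real connection also carries its auth sections.
BASE = {"version": "2", "remote_addrs": ["192.0.2.1"],
        "children": {"net-old": {"local_ts": ["10.1.0.0/24"],
                                 "remote_ts": ["10.2.0.0/24"]}}}

if __name__ == "__main__":
    import vici  # needs a running charon with the vici plugin loaded
    for line in replace_child(vici.Session(), "gw", BASE, "net-old", "net-new",
                              ["10.1.0.0/24"], ["10.2.0.0/24", "10.3.0.0/24"]):
        print(line)
```

`session` is any object exposing those three methods, so the ordering can be checked against a stub before pointing it at a live gateway.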