[strongSwan] Traffic selector modification ignored when rekeying SA [follow-up]
FRECHIN and Co
regis.frechin22 at orange.fr
Mon Aug 28 17:40:17 CEST 2017
I'm now looking for the right syntax to call "terminate()" & "initiate()" functions through vici with python. I succeed in making calls to load_conn() but not to these 2 functions.
Would you have a code extract to share I could reuse?
> Message du 25/08/17 17:59
> De : "Sarefrech"
> A : users at lists.strongswan.org
> Copie à :
> Objet : [strongSwan] Traffic selector modification ignored when rekeying SA [follow-up]
> Hi all,
> I think my previous emails got blocked because I did not use my strongswan registered email address. I'll then try to summarize what I did.
> As a reminder :
> - the main issue is that traffic selector list update for a given running SA is not taken into account at rekeying time. :-(
> - I use Vici with python
> I followed a suggestion that was :
> - to setup a tunnel with its default SAs (child1) -> works fine with a basic config file.
> - to create a second child SA (child2) with the updated TS list in the connexion list -> I use the vici python load_conn function : works fine.
> - to activate this "child2" SA -> I'm supposed to use the activate function I guess. here I have 2 pbs :
> I am unable to use the python vici function that seems to accept only 1 parameter (the child name). I think I need to fill the connexion name somewhere else.
> Using the "swanctl --initiate ..." command (as a wokaround), I got one step further but got the error " unable to install policy... " as the same TS are used for child1 & child2. As a result the command fails and the tunnel is restarted.
- to terminate the initial SA -> I did no manage to use the python vici terminate function.
> Does somebody out there use python vici interface & could help me?
> Hi all,
> I'm using vici to define & dynamically change traffic selectors associated with a connexion (using ikev2).
> I observe that traffic selector list modifications are not taken into account at rekey time but only at reauthentication time.
> I used "Linux strongSwan U5.5.3/K3.16.0-4-amd64" version and recently switched to "Linux strongSwan U5.5.0/K3.16.0-4-amd64".
> Is there a way to force TS modification at rekeying time ?
> thanks - Best regards,
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Users