[strongSwan] Traffic selector modification ignored when rekeying SA [follow-up]

FRECHIN and Co regis.frechin22 at orange.fr
Mon Aug 28 17:40:17 CEST 2017


 

Hi all, 

 

I'm now looking for the right syntax to call the "terminate()" & "initiate()" functions through vici with Python. I succeeded in making calls to load_conn() but not to these 2 functions.

 

Would you have a code extract to share I could reuse?

 

thanks,

 

Régis

> Message of 25/08/17 17:59
> From: "Sarefrech" 
> To: users at lists.strongswan.org
> Cc: 
> Subject: [strongSwan] Traffic selector modification ignored when rekeying SA [follow-up]
> 
>
> Hi all,

>  

> I think my previous emails got blocked because I did not use my strongswan registered email address. I'll then try to summarize what I did.

> As a reminder:

> - the main issue is that traffic selector list update for a given running SA is not taken into account at rekeying time. :-(

> - I use Vici with python

>  

> I followed a suggestion that was:

> - to set up a tunnel with its default SAs (child1) -> works fine with a basic config file.

> - to create a second child SA (child2) with the updated TS list in the connection list -> I use the vici python load_conn function: works fine.

> - to activate this "child2" SA -> I'm supposed to use the activate function, I guess. Here I have 2 problems:

>         I am unable to use the python vici function that seems to accept only 1 parameter (the child name). I think I need to fill the connection name somewhere else.

>         Using the "swanctl --initiate ..." command (as a workaround), I got one step further but got the error "unable to install policy..." as the same TS are used for child1 & child2. As a result the command fails and the tunnel is restarted.

> - to terminate the initial SA -> I did not manage to use the python vici terminate function.

>  

> Does somebody out there use python vici interface & could help me?

>  

> thanks,

>  

> Régis


> ------------------------------

> Hi all,

>  

> I'm using vici to define & dynamically change traffic selectors associated with a connection (using IKEv2).

>  

> I observe that traffic selector list modifications are not taken into account at rekey time but only at reauthentication time.

> I used "Linux strongSwan U5.5.3/K3.16.0-4-amd64" version and recently switched to "Linux strongSwan U5.5.0/K3.16.0-4-amd64".

> Is there a way to force TS modification at rekeying time?


> thanks - Best regards,

> Régis
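
Added example, not part of the original message and not strongSwan project code: a sketch of the initiate-then-terminate sequence described in the thread, using the Python vici bindings, where each call takes a single dict and returns a generator that has to be consumed. The key names `ike`, `child`, `timeout` and `loglevel` are the vici request fields as documented in current strongSwan releases (an older release may not accept `ike` for initiate); the connection name `conn1`, the helper names and the socket path are assumptions.

```python
from collections import OrderedDict


def build_request(ike, child, timeout_ms=10000):
    # initiate() and terminate() each take ONE argument: a dict of vici
    # request fields. "ike" names the connection, "child" the CHILD_SA
    # config; "timeout" is in milliseconds. Values are sent as strings.
    return OrderedDict([("ike", ike), ("child", child),
                        ("timeout", str(timeout_ms)), ("loglevel", "1")])


def drain(stream):
    # Both calls return a generator of control-log events; the command
    # only runs when that generator is iterated, so consume it fully.
    lines = []
    for event in stream:
        msg = event.get("msg", b"")
        lines.append(msg.decode("utf-8", "replace")
                     if isinstance(msg, bytes) else str(msg))
    return lines


def switch_child(session, ike, old_child, new_child):
    # Bring up the CHILD_SA with the new traffic selectors first. If that
    # raises (vici reports a failed command as an exception), the old
    # CHILD_SA is not terminated.
    logs = drain(session.initiate(build_request(ike, new_child)))
    logs += drain(session.terminate(build_request(ike, old_child)))
    return logs


if __name__ == "__main__":
    import socket
    import vici  # strongSwan's Python bindings; requires a running charon

    sock = socket.socket(socket.AF_UNIX)
    sock.connect("/var/run/charon.vici")  # assumed default socket path
    # "conn1" is a hypothetical connection name; child1/child2 as in the thread.
    for line in switch_child(vici.Session(sock), "conn1", "child1", "child2"):
        print(line)
```
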
