[strongSwan] Traffic selector modification ignored when rekeying SA [follow-up]

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Mon Aug 28 17:46:02 CEST 2017


    # Methods of a class whose self.session is a vici.Session()
    # (python-vici). vici only serialises str/bytes leaf values, so
    # identifiers are passed through str().

    def unloadConn(self, id):
        # unload_conn removes a loaded connection by name
        return self.session.unload_conn({
                "name" : str(id)
            })

    def initiateConn(self, id):
        # initiate() streams log entries; iterate to completion and keep
        # the unique id of the IKE_SA reported in them
        uniqueid = None
        for i in self.session.initiate({
                "child" : str(id)
            }):
            uniqueid = i.get("ikesa-uniqueid", uniqueid)
        return uniqueid

    def terminateConn(self, id):
        # terminate() also streams log entries; "ike" selects by IKE_SA
        # name ("ike-id" would select by the unique id returned above)
        for i in self.session.terminate({
                "ike" : str(id)
            }):
            pass

On 28.08.2017 17:40, FRECHIN and Co wrote:
> Hi all,
>
> I'm now looking for the right syntax to call "terminate()" & "initiate()" functions through vici with python. I succeed in making calls to load_conn() but not to these 2 functions.
>
> Would you have a code extract to share I could reuse?
>
> thanks,
>
> Régis
>
>     > Message from 25/08/17 17:59
>     > From: "Sarefrech" <sarefrech at wanadoo.fr>
>     > To: users at lists.strongswan.org
>     > Cc:
>     > Subject: [strongSwan] Traffic selector modification ignored when rekeying SA [follow-up]
>     >
>     > Hi all,
>     >
>     > I think my previous emails got blocked because I did not use my strongSwan registered email address. I'll then try to summarize what I did.
>     >
>     > As a reminder:
>     > - the main issue is that the traffic selector list update for a given running SA is not taken into account at rekeying time. :-(
>     > - I use vici with python
>     >
>     > I followed a suggestion that was:
>     > - to set up a tunnel with its default SAs (child1) -> works fine with a basic config file.
>     > - to create a second child SA (child2) with the updated TS list in the connection list -> I use the vici python load_conn function: works fine.
>     > - to activate this "child2" SA -> I'm supposed to use the activate function I guess. Here I have 2 problems:
>     >         I am unable to use the python vici function that seems to accept only 1 parameter (the child name). I think I need to fill the connection name somewhere else.
>     >         Using the "swanctl --initiate ..." command (as a workaround), I got one step further but got the error "unable to install policy..." as the same TS are used for child1 & child2. As a result the command fails and the tunnel is restarted.
>     > - to terminate the initial SA -> I did not manage to use the python vici terminate function.
>     >
>     > Does somebody out there use the python vici interface & could help me?
>     >
>     > thanks,
>     >
>     > Régis
>     >
>     > ------------------------------
>     >
>     > Hi all,
>     >
>     > I'm using vici to define & dynamically change traffic selectors associated with a connection (using IKEv2).
>     >
>     > I observe that traffic selector list modifications are not taken into account at rekey time but only at reauthentication time.
>     > I used the "Linux strongSwan U5.5.3/K3.16.0-4-amd64" version and recently switched to "Linux strongSwan U5.5.0/K3.16.0-4-amd64".
>     >
>     > Is there a way to force TS modification at rekeying time?
>     >
>     > thanks - Best regards,
>     > Régis
>
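As an added example (not code from Noel's reply or from the strongSwan project), the full sequence Régis describes carried through with the same python-vici calls: reload the connection with a child carrying the new TS, terminate the old child, initiate the new one. The connection layout, addresses and identities are constructed placeholders, and RecordingSession is a fake standing in for vici.Session() so the script runs offline.

```python
"""Swap the traffic selectors of a running IKEv2 connection through vici.

Thread procedure: reload the connection with a child carrying the new TS,
terminate the old child, then initiate the new one. Terminating first avoids
the "unable to install policy" error reported when two children share a TS.
Real use: session = vici.Session() (python-vici); RecordingSession is a fake.
"""

def conn_message(name, children):
    """Minimal load_conn message; vici serialises only str/bytes leaf values.
    children maps child name -> (local_ts, remote_ts). Addresses and ids
    are constructed samples."""
    return {name: {
        "version": "2",
        "local_addrs": ["192.0.2.1"], "remote_addrs": ["198.51.100.1"],
        "local": {"auth": "psk", "id": "moon"},
        "remote": {"auth": "psk", "id": "sun"},
        "children": {c: {"local_ts": list(l), "remote_ts": list(r)}
                     for c, (l, r) in children.items()},
    }}

def swap_traffic_selectors(session, conn, old_child, new_child, local_ts, remote_ts):
    """Replace old_child by new_child with new TS; returns IKE_SA unique id."""
    session.load_conn(conn_message(conn, {new_child: (local_ts, remote_ts)}))
    for _ in session.terminate({"child": old_child}):
        pass                     # drain the log stream until charon is done
    uniqueid = None
    for entry in session.initiate({"child": new_child}):
        uniqueid = entry.get("ikesa-uniqueid", uniqueid)
    return uniqueid

class RecordingSession:
    """Constructed stand-in for vici.Session: records calls and yields
    log entries shaped like the ones charon streams back."""
    def __init__(self):
        self.calls = []

    def load_conn(self, msg):
        self.calls.append(("load_conn", msg))
        return {"success": "yes"}

    def initiate(self, msg):
        self.calls.append(("initiate", msg))
        yield {"ikesa-name": "net", "ikesa-uniqueid": "7", "msg": "establishing"}

    def terminate(self, msg):
        self.calls.append(("terminate", msg))
        yield {"msg": "closing CHILD_SA"}
```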
