[strongSwan] Reinventing the wheel (not): updown and multiple children

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Tue Feb 1 22:02:40 CET 2022


Hello Carlos,

Simply don't try to remove them but bind the first one that is unused.
That way you don't have to worry about it. AFAIR the execution of the updown script is forcibly serialized thus no contention is possible.
If you are still concerned, you can use a lock file with bash atomic locking (google bash lockfile, there's some instructions on how to do it.
Or just write it in Python. The script doesn't need to be a bash script. Or any combination of technologies you want).

Usually you only need interfaces for other sites and for those you only have one peer, so that's not a problem there.
You should precreate the interfaces for tunnels to other sites. Then the name is predictable and you can do dynamic routing over them.

Kind regards
Noel

Am 01.02.22 um 15:42 schrieb Carlos G Mendioroz:
> I'm trying to come up with an updown script for xfrm interface handling.
> So far I've managed to get routed working, now I want to have policy based VPNs covered too.
> 
> But then I assume I have to create the XFRM only if it's not there already, and then manage adding routes to a table much like starter does.
> 
> Is there an easy way to know when to remove the interface?
> (so last updown call actually deletes the interface when going down)
> Counting would be the sure way, but maybe there's a hook already built in?
> 
> TIA,
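
An added example, not part of the original message and not strongSwan code: one way to bind the first unused interface from a pre-created pool under a lock file, as the reply suggests. The state directory, the pool names, the function names and the owner key are assumptions; `mkdir` stands in as the atomic lock primitive.

```bash
# Constructed sketch: STATE_DIR, POOL and the function names are assumptions.
# Keep STATE_DIR root-owned (e.g. under /run), never in a world-writable /tmp.
STATE_DIR="${STATE_DIR:-/run/xfrm-updown}"
POOL="${POOL:-xfrm0 xfrm1 xfrm2 xfrm3}"   # pre-created interfaces, never deleted

lock() {   # mkdir is atomic: only one caller can create the lock directory
    local tries=0
    mkdir -p "$STATE_DIR" || return 1
    until mkdir "$STATE_DIR/.lock" 2>/dev/null; do
        tries=$((tries + 1))
        if [ "$tries" -ge 50 ]; then return 1; fi   # give up after about 5 s
        sleep 0.1
    done
}
unlock() { rmdir "$STATE_DIR/.lock"; }
owner_of() { cat "$STATE_DIR/$1" 2>/dev/null || true; }

# claim_iface OWNER: print OWNER's interface, binding the first unused one if needed.
# OWNER is whatever per-peer key the updown script chooses (assumption).
claim_iface() {
    local owner=$1 ifname rc=1
    if [ -z "$owner" ]; then return 1; fi   # an empty key would match free slots
    lock || return 1
    for ifname in $POOL; do                 # repeated "up" calls reuse the binding
        if [ "$(owner_of "$ifname")" = "$owner" ]; then rc=0; break; fi
    done
    if [ "$rc" -ne 0 ]; then
        for ifname in $POOL; do             # otherwise take the first free slot
            if [ ! -e "$STATE_DIR/$ifname" ]; then
                printf '%s\n' "$owner" > "$STATE_DIR/$ifname"; rc=0; break
            fi
        done
    fi
    if [ "$rc" -eq 0 ]; then echo "$ifname"; fi
    unlock
    return "$rc"
}

# release_iface OWNER: free the slot; the interface itself stays in place
release_iface() {
    local owner=$1 ifname
    lock || return 1
    for ifname in $POOL; do
        if [ "$(owner_of "$ifname")" = "$owner" ]; then rm -f "$STATE_DIR/$ifname"; fi
    done
    unlock
}
```

A lock directory left behind by a killed script blocks later callers until it is removed, so a real script would also clear it in an exit trap.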