Re: [strongSwan] kernel SPD policy not installed until successful IKE negotiation completes

2012-03-07 Thread Tobias Brunner
> It would be good if "auto" could have an option to both install the
> policy and initiate negotiation (both "route" and "start"). I guess
> this is not possible right now, is it?

No, there is no such option right now.  It's usually not needed as
auto=route automatically initiates the negotiation if any traffic
matches the installed policy.  In all other cases ipsec up  does
the trick (or using whack directly as you did).

Regards,
Tobias

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users


Re: [strongSwan] kernel SPD policy not installed until successful IKE negotiation completes

2012-03-07 Thread Alexander Lyakas
Thanks, Tobias!

I ended up specifying "auto=route" and then calling "ipsec whack
--initiate --name  --asynchronous" to immediately kick the
initial negotiation.

It would be good if "auto" could have an option to both install the
policy and initiate negotiation (both "route" and "start"). I guess
this is not possible right now, is it?

Thanks,
  Alex.

On Wed, Mar 7, 2012 at 11:53 AM, Tobias Brunner  wrote:
> Hi Alex,
>
>> Is there a way to instruct strongswan to install the security policy
>> right upon starting?
>
> Try auto=route.  This installs the policies right away and if traffic
> matches them the daemon will try to set up the appropriate IKE/IPsec SAs.
>
> The installpolicy option is intended for MIPv6 where the policies are
> not managed by the IKE daemon.
>
> Regards,
> Tobias



Re: [strongSwan] kernel SPD policy not installed until successful IKE negotiation completes

2012-03-07 Thread Tobias Brunner
Hi Alex,

> Is there a way to instruct strongswan to install the security policy
> right upon starting?

Try auto=route.  This installs the policies right away and if traffic
matches them the daemon will try to set up the appropriate IKE/IPsec SAs.

The installpolicy option is intended for MIPv6 where the policies are
not managed by the IKE daemon.

Regards,
Tobias



[strongSwan] kernel SPD policy not installed until successful IKE negotiation completes

2012-03-07 Thread Alexander Lyakas
Greetings all,

I am using strongswan 4.5.0 and IKEv1. In ipsec.conf I have "auto=start".

I notice that if the remote node does not have an IKE daemon running
(yet), strongswan does not install the security policy appropriate for
the connection. As a result, the remote node can connect insecurely,
if it does not start its IKE daemon at all. After the IKE negotiation
completes and the policy is installed, then if the remote node terminates its
IKE daemon, it still cannot connect insecurely, because the policy in
the local node is already installed (until the local node reboots).

I am checking the existence of the policy using the 'setkey -DP' command.

Is there a way to instruct strongswan to install the security policy
right upon starting?
(I tried installpolicy=yes, but this is relevant only for IKEv2, and
also looking at the code I see that indeed it is used only in charon,
but still not sure that it's used for the purpose I need).

Thanks,
Alex.
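
The 'setkey -DP' check described in this message can be scripted so that a host verifies, right after start-up, that the policy protecting a given selector pair is already in the kernel SPD. The following is an added example, not part of the original thread or of strongSwan; the subnets, gateway addresses and function names are constructed, and the output layout is assumed to follow ipsec-tools' `setkey -DP`.

```shell
#!/bin/sh
# Added example. Subnets, gateway addresses and function names are constructed.

# spd_has_policy SRC DST DIR: reads `setkey -DP` output on stdin and returns 0
# only if a policy SRC -> DST in direction DIR is of type "ipsec" and its
# transform level is require or unique (so matching cleartext is dropped).
spd_has_policy() {
    awk -v src="$1" -v dst="$2" -v dir="$3" '
        /^[^ \t]/ {                       # selector line: "SRC[port] DST[port] proto"
            s = $1; d = $2
            sub(/\[.*$/, "", s); sub(/\[.*$/, "", d)
            sel = (s == src && d == dst); ipsec = 0
            next
        }
        sel && $1 == dir { ipsec = ($NF == "ipsec"); next }   # "out prio def ipsec"
        sel && ipsec && $1 ~ /^(esp|ah)\// {                  # "esp/tunnel/A-B/level"
            n = split($1, f, "/")
            if (f[n] == "require" || f[n] ~ /^unique/) found = 1
        }
        END { exit(found ? 0 : 1) }
    '
}

sample_routed() {   # constructed: SPD right after start-up with auto=route
cat <<'EOF'
10.1.0.0/24[any] 10.2.0.0/24[any] any
        out prio def ipsec
        esp/tunnel/192.0.2.1-192.0.2.2/unique#16385
        spid=1 seq=1 pid=4242
10.1.0.0/24[any] 10.3.0.0/24[any] any
        out prio def none
        spid=9 seq=0 pid=4242
EOF
}

sample_empty() {    # constructed: auto=start while the peer's IKE daemon is down
    echo "No SPD entries."
}

# Live use (root): setkey -DP | spd_has_policy 10.1.0.0/24 10.2.0.0/24 out
for s in sample_routed sample_empty; do
    if $s | spd_has_policy 10.1.0.0/24 10.2.0.0/24 out; then
        echo "$s: IPsec policy present"
    else
        echo "$s: NO policy, peer traffic would pass in cleartext" >&2
    fi
done
```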
