Hi,

Even with the latest strongSwan version (for IKEv2), the internal calculation for kernel policy priority (based on source/destination mask/port, protocol etc.) is not helping for fine-tuning the priorities.
Also, the priority getting modified once CHILD_SA is established makes it difficult for the user to manipulate connections which have overlapping policies. [Discussed here: https://lists.strongswan.org/pipermail/users/2014-July/006346.html]

Was the idea of specifying kernel policy priority per connection, in the ipsec.conf file, ever considered? (Cisco routers allow this.) Could you please provide your opinion on whether you see any blocking problems if such an attempt is made?

- Divya