Hi,
That's not supported. You can maybe use connections.<conn>.children.<child>.policies to disable the installation of the policies and manage them outside of charon. IIRC there also was some patch set from somebody that implemented exactly what you ask. I can't find it right now, though.
Kind regards
Noel
On 23.11.2017 20:23, Rich Lafferty wrote:
> Hello,
>
> I currently have a racoon-based full IPsec mesh (i.e., all of our
> host-to-host traffic is encrypted using trap-based transport policies).
> Racoon is long in the tooth, and so I’m in the process of planning a
> migration to StrongSwan.
>
> One thing I foresee in the near future is a need to stop using IPsec between
> some pairs of hosts in the mesh (specifically, within AWS VPCs).
>
> In our current configuration, I manage the SPD database outside of Racoon,
> with policy entries like so:
>
> spdadd 192.168.100.101 192.168.100.102 any -P out ipsec esp/transport//require;
> spdadd 192.168.100.102 192.168.100.101 any -P in ipsec esp/transport//require;
>
> (Which get installed with refid 0, which from Racoon’s point of view is just
> fine, as it doesn’t manage policies by refid).
>
> If I wanted to migrate those hosts to no longer require IPsec, I would first
> update the policies one host at a time to be “esp/transport//use”, and
> subsequently I could remove the policies one host at a time.
>
> From what I’ve been able to figure, StrongSwan-installed trap policies are
> always at the “require” level, which would mean that migrating a pair of
> hosts to no longer use an IPsec transport would require updating the
> configuration of both hosts at the same time.
>
> So my question is: Is there a way to tell StrongSwan to generate its policies
> at “use” level rather than “require” level, so I can do this sort of staged
> deployment?
>
> I am using StrongSwan 5.5.1 as distributed by Ubuntu, with a
> swanctl.conf-based configuration. A sample connection entry, in case it’s of
> use:
>
> connections {
>     racoon-west {
>         version = 1
>         local { auth = psk }
>         remote { auth = psk }
>         proposals = aes128-sha256-modp3072
>         encap = yes
>
>         reauth_time = 24h
>         over_time = 0
>         rand_time = 0
>
>         local_addrs = 192.168.100.101
>         remote_addrs = 192.168.100.102
>
>         children {
>             racoon-west {
>                 mode = transport
>                 start_action = trap
>                 esp_proposals = aes128-sha256-modp3072
>                 rekey_time = 8h
>                 life_time = 7h
>                 rand_time = 0
>             }
>         }
>     }
> }
>
> Thanks in advance for your help.
>
> -Rich
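An added illustration of the approach described in the reply (charon child configured with `policies = no`, SPD entries managed outside charon) combined with the staged require -> use -> remove sequence from the question; this is example code, not from either poster. It assumes ipsec-tools' setkey with `spdupdate` support and reuses the two addresses from the question; DRY_RUN defaults to printing instead of calling setkey.

```shell
#!/bin/sh
# Generate setkey SPD entries for one host pair at a chosen level so the
# policy level can be changed one host at a time while charon only handles
# IKE and SAs (children.<child>.policies = no in swanctl.conf).
# Usage: spd_commands <local-ip> <peer-ip> <require|use|delete>
spd_commands() {
    local_ip=$1
    peer_ip=$2
    level=$3
    case "$level" in
        require|use)
            # spdupdate replaces an existing entry in place (or adds it),
            # so moving require -> use does not need a delete/add window.
            printf 'spdupdate %s %s any -P out ipsec esp/transport//%s;\n' \
                "$local_ip" "$peer_ip" "$level"
            printf 'spdupdate %s %s any -P in ipsec esp/transport//%s;\n' \
                "$peer_ip" "$local_ip" "$level"
            ;;
        delete)
            # Final stage: both hosts are at "use", so the entries can go.
            printf 'spddelete %s %s any -P out;\n' "$local_ip" "$peer_ip"
            printf 'spddelete %s %s any -P in;\n' "$peer_ip" "$local_ip"
            ;;
        *)
            echo "spd_commands: unknown level '$level'" >&2
            return 1
            ;;
    esac
}

# Apply the generated entries with setkey unless DRY_RUN=1 (the default here).
apply_spd() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        spd_commands "$@"
    else
        spd_commands "$@" | setkey -c
    fi
}

# Staged migration for the pair from the question, as seen from .101:
# stage 1 (both hosts still require), stage 2 (this host relaxed to use,
# run on each host in turn), stage 3 (remove once both hosts are at use).
apply_spd 192.168.100.101 192.168.100.102 require
apply_spd 192.168.100.101 192.168.100.102 use
apply_spd 192.168.100.101 192.168.100.102 delete
```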