Hi, > What is the need for activate the TASK_IKE_CONFIG before > TASK_CHILD_CREATE.
While these tasks get executed during the same exchange(s) with an IKE_AUTH piggybacked CHILD_SA, the order is still important. If a virtual IP is negotiated, this must be done beforehand. The CHILD_SA IPsec policy usually depends/derives from that virtual IP, as the tunnel usually is negotiated explicitly to the assigned IP. > Logically ip address assignment should succeed TASK_CHILD_CREATE. No, that won't work in strongSwan. CHILD_SA setup depends on the virtual IP to install IPsec policies and associated routing entries. Regards Martin _______________________________________________ Dev mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/dev
