> My understanding was ip address assignment to interface can happen
> later after child SA is negotiated with tunnel end point using the
> virtual ip stored in the Strongswan internal data structures.

No, this won't work. Negotiating the CHILD_SA installs IPsec SAs and policies to the kernel, along with a source route to actually make use of these policies. If the virtual IP is not installed to the kernel, installing the source route is not possible.

Not sure what you want to achieve by deferring virtual IP installation, but that won't work with the way strongSwan handles CHILD_SA setup.

Regards
Martin

_______________________________________________
Dev mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/dev
