Hi Emeric,

> My proposal is to add an "ignore_acquire" parameter, set per connection.
> If set, the acquire messages are just discarded.

My recommendation would be to install a drop policy for the same traffic selector and to use auto=add for the actual connection. In recent releases drop policies are always installed with a lower priority than IPsec policies or passthrough policies, so traffic will be blocked until the IPsec connection is established (and again when it is torn down), but not while it is established.

This should work fine with the kernel-pfkey plugin; however, the reqid check in the kernel-netlink plugin currently prevents this from working if the traffic selectors are exactly the same for the drop and IPsec policy. Since shunt policies have no reqid associated with them, we might make an exception for these, though. I've updated the policy-del-ext branch to support this.

Regards,
Tobias

_______________________________________________
Dev mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/dev
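The drop-policy-plus-auto=add arrangement Tobias recommends, written out as an ipsec.conf sketch. This is an added example, not configuration from the message or from the strongSwan project; the connection names, subnets, peer addresses and PSK authentication are assumed values.

```ini
# Added example (not from the mailing-list message). Assumed values:
# connection names, 10.1.0.0/16 <-> 10.2.0.0/16, peer addresses, authby=secret.

# Shunt connection: a drop policy for exactly the traffic selector that the
# IPsec connection will use. auto=route installs it unconditionally. In recent
# releases a drop policy gets a lower priority than an IPsec or passthrough
# policy, so it only takes effect while no IPsec policy for this selector is
# installed: before the tunnel is up and again after it is torn down.
conn net-net-drop
    type=drop
    leftsubnet=10.1.0.0/16
    rightsubnet=10.2.0.0/16
    auto=route

# The actual IPsec connection. auto=add loads it without a trap policy, so the
# kernel never generates an acquire for this selector; the tunnel is brought up
# explicitly (ipsec up net-net) or by the remote peer. While it is established
# its policy outranks the drop policy above and traffic flows through IPsec.
conn net-net
    left=192.0.2.1
    leftsubnet=10.1.0.0/16
    right=198.51.100.1
    rightsubnet=10.2.0.0/16
    authby=secret
    auto=add
```

As the message notes, with identical selectors this only works with the kernel-pfkey plugin or with the reqid exception for shunt policies from the policy-del-ext branch applied to kernel-netlink.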
