Ok, my bad! Indeed, it works fine like that :) The only drawback is that we have to manually add a "drop" connection for each "responder only" connection. This does not make debugging easier for setups with a large number of connections.
I guess you are not interested in the "ignore_acquire" approach?

Best Regards,
Emeric

----- Original Message -----
From: "Tobias Brunner" <[email protected]>
To: "Emeric POUPON" <[email protected]>
Cc: [email protected]
Sent: Monday, 5 October 2015 16:22:12
Subject: Re: [strongSwan-dev] patch proposal: ignore acquire

Hi Emeric,

> conn "test PASS"
> leftsubnet=192.168.120.0/24
> rightsubnet=192.168.110.0/24
> auto=route
> type=passthrough
> authby=never

This should be drop, not passthrough.

> I see at least two problems:
> - Why are the additional policies not installed in the kernel? Only the
> refcounts are updated?

There should not be any additional policies, but the existing policies should get updated with the new information (like reqids etc.).

> - I'm not sure FreeBSD can handle SP priority? We are using FreeBSD 9.3.

The policies are used internally in the plugin to decide which SA/information should be associated with the policies. Since passthrough policies have a higher priority than IPsec policies, the installed policies are not updated, try with type=drop.

Regards,
Tobias

_______________________________________________
Dev mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/dev
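The pairing the thread ends up with, written out as an added ipsec.conf illustration (this is not configuration from either participant or from the strongSwan project): a responder-only connection plus a matching type=drop shunt, which is the manual extra connection Emeric refers to. Only the subnets and the drop shunt's settings come from the thread; the connection names, the peer addresses (%any), the authentication method and auto=add for the responder-only side are assumptions made for the example.

```ini
# Added example, not from the thread. Names, peer addresses and authby
# for the responder-only connection are assumptions.

# Responder-only tunnel: loaded with auto=add so it can answer a peer,
# but no trap policy is installed for it, so it is never initiated here.
conn responder-only
    left=%any                       # assumed
    leftsubnet=192.168.120.0/24
    right=%any                      # assumed
    rightsubnet=192.168.110.0/24
    authby=psk                      # assumed
    auto=add

# Drop shunt for the same selectors (the "drop" connection Emeric mentions).
# auto=route installs it at startup; per Tobias, type=drop rather than
# type=passthrough, because passthrough policies have a higher priority
# than the IPsec policies and those would then never be updated.
conn responder-only-drop
    leftsubnet=192.168.120.0/24
    rightsubnet=192.168.110.0/24
    type=drop
    authby=never
    auto=route
```

One shunt like this is needed per responder-only connection, which is the scaling drawback Emeric raises; what to verify after `ipsec update` is that `ipsec statusall` lists the routed drop shunt and that the responder-only connection is only loaded, not routed.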
