Hi Emeric,

> I guess you are not interested in the "ignore_acquire" approach?

Not really. Drop policies are exactly for this purpose, while trap policies are to trigger IKE/IPsec SAs, not to drop traffic. Ignoring acquires does not make much sense, in particular because the kernel's behavior is quite different when traffic matches a trap policy. The kernel might create a temporary SA and cache packets until the SA is established, so that could require lots of resources if the other peer does not establish the connection for a while. And depending on the OS settings and the traffic, the kernel might send lots of acquires to the daemon (for instance, on FreeBSD the default is to trigger an acquire every 10th packet, see net.key.blockacq_count).

> The only drawback is that we have to manually add a "drop" connection for
> each "responder only" connection.

Using the `also` keyword you could simplify this and avoid having to duplicate the traffic selector definition (e.g. define left|rightsubnet in the "drop" connection and include it in the "responder" connection and override/add settings appropriately).

Regards,
Tobias

_______________________________________________
Dev mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/dev
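The "drop connection plus responder-only connection" layout with `also` that the reply describes, written out as an added ipsec.conf example. This is constructed for illustration and is not from the thread or from the strongSwan project; the connection names, subnets, addresses, identities and certificate file name are assumptions.

```ini
# Constructed example (strongSwan ipsec.conf syntax). Names, subnets, peer
# addresses, identities and certificate file are assumptions, not from the thread.

conn net-drop
    # Traffic selectors are defined once, here, and reused via "also" below.
    leftsubnet=10.1.0.0/16
    rightsubnet=10.2.0.0/16
    # Drop policy installed at startup: traffic matching the selectors is
    # discarded in the kernel, and no acquire is sent to the daemon (a trap
    # policy would instead try to trigger the SA and cache packets).
    type=drop
    auto=route

conn net-responder
    # Pull left|rightsubnet in from the drop connection instead of
    # duplicating them ...
    also=net-drop
    # ... and override/add the settings that differ: a real tunnel that is
    # only loaded (auto=add), so the SA comes up when the peer initiates.
    type=tunnel
    auto=add
    keyexchange=ikev2
    left=192.0.2.1
    leftid=@gw-a.example.org
    leftcert=gwACert.pem
    right=%any
    rightid=@gw-b.example.org
```

Plaintext for the selectors is dropped until the peer establishes net-responder; the tunnel's policy then covers the same selectors, which is the purpose the reply attributes to drop policies.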
