On Thu, 29 Oct 2015, Amir Naftali wrote:

> That might do for the simple case, but my Libreswan-based VPN server is
> aggregating many such connections, including connections where SAs are
> negotiated per subnet pair.

Well, "routing based VPNs" are not the best choice. It is much more
secure and easier to configure "policy based VPNs". That is where you
specifically define the traffic allowed to pass using leftsubnet= and
rightsubnet=.

> Please note that the wildcard negotiation is just a technical requirement;
> I'm not really looking to install wildcard xfrm policies. The installed
> policies will have src/dst subnet blocks allocated to them.
 
> Basically I'm still looking for a way to take control over xfrm policy
> instrumentation using the leftupdown option in the connection
> configuration, and the issue I described (partial xfrm policy
> instrumentation during re-key) is the only thing that prevents me from
> being able to do so.

> Is there a way to tell a connection not to install xfrm policies at all, or
> is there a way to prevent Libreswan from installing the partial xfrm "out"
> policy during re-key?

You should never manually modify the xfrm tables outside the running IKE
daemon. The IKE daemon is not aware of your manual tweaks and it could
lead to mismatched policies, unexpected state and packet leaks.

Paul
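As an added illustration of the policy-based configuration Paul describes (this is not part of the original thread and not Libreswan project code): a Libreswan ipsec.conf conn that restricts the tunnel to explicit subnet pairs via leftsubnet=/rightsubnet=, next to a routing-style conn that uses wildcard selectors, and a conn that carries several subnet pairs on one peer. All addresses, conn names and the PSK authentication are made-up placeholders.

```ini
# Added example, not from the thread. Addresses and conn names are placeholders.

# Routing-style conn: a 0.0.0.0/0 wildcard selector on both ends. Whatever the
# host routes into the tunnel matches; the IPsec policy itself places no limit
# on which src/dst pairs may cross it.
conn vpn-wildcard
    left=192.0.2.1
    leftsubnet=0.0.0.0/0
    right=198.51.100.1
    rightsubnet=0.0.0.0/0
    authby=secret
    auto=add

# Policy-based conn: the kernel xfrm policy installed by the IKE daemon only
# matches traffic between these two subnets. Anything else does not match the
# policy and is never sent through this tunnel.
conn site-a-to-site-b
    left=192.0.2.1
    leftsubnet=10.0.1.0/24
    right=198.51.100.1
    rightsubnet=10.0.2.0/24
    authby=secret
    auto=start

# Several subnet pairs with one peer: leftsubnets=/rightsubnets= make the
# daemon instantiate one child SA per pair, each with its own selectors, so
# every xfrm policy stays under the daemon's control across re-keys.
conn site-a-to-site-b-multi
    left=192.0.2.1
    leftsubnets={10.0.1.0/24 10.0.3.0/24}
    right=198.51.100.1
    rightsubnets={10.0.2.0/24 10.0.4.0/24}
    authby=secret
    auto=start
```

After `ipsec auto --add` and `ipsec up`, `ipsec status` lists the selectors each conn negotiated and `ip xfrm policy show` displays the kernel policies the daemon installed. Reading those two outputs is the way to confirm that only the intended src/dst blocks are covered; it leaves the xfrm tables themselves to the daemon, as the reply above advises.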
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
