Hi,

> 1. Is it the only mechanism through which the CHILD_SAs can be created
> ( i.e through the acquire function, trigger coming from the kernel
> based on policies installed )
>
> 2. The function also mentioned that the IKE_SA creation can also be
> triggered through the acquire function sometimes. What are the
> scenarios under which the IKE_SA creation can be triggered from the
> kernel?
There are two ways to create a CHILD_SA (and an IKE_SA if none exists with that peer):

- Using explicit initiation: Issuing "ipsec up" or adding the auto=start keyword to an ipsec.conf connection initiates a connection using the given configuration. The tunnel gets established and SPD and SAD entries are added to the kernel.

- Installing a triggering policy: Issuing "ipsec route" or adding the auto=route keyword to an ipsec.conf connection installs the policy (SPD) in the kernel. No tunnel is negotiated. As soon as the kernel processes traffic matching the policy, it sends an acquire() to the daemon. The daemon negotiates IKE- and CHILD_SAs and adds SAD entries to the kernel.

Regards
Martin

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
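The two mechanisms described in the reply, side by side in one ipsec.conf, as an added example that is not part of the original thread. Gateway addresses, subnets, identities, certificate file names and connection names are assumptions chosen for illustration.

```conf
# Added example (not from the original post): /etc/ipsec.conf with one
# explicitly initiated connection and one trap-policy connection.
# Addresses, subnets, IDs and certificate names are assumed values.
config setup

conn %default
    keyexchange=ikev2
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!
    left=192.0.2.10              # this gateway (assumed)
    leftid=@gw-a.example.org
    leftcert=gwA.pem
    right=198.51.100.20          # peer gateway (assumed)
    rightid=@gw-b.example.org

# Mechanism 1, explicit initiation ("ipsec up net-explicit" or auto=start):
# the daemon negotiates the IKE_SA and this CHILD_SA as soon as the
# connection is loaded, whether or not any traffic flows. SPD and SAD
# entries for 10.1.0.0/16 <-> 10.2.0.0/16 appear in the kernel together.
conn net-explicit
    leftsubnet=10.1.0.0/16
    rightsubnet=10.2.0.0/16
    auto=start

# Mechanism 2, triggering policy ("ipsec route net-ondemand" or auto=route):
# only the SPD entry for 10.1.0.0/16 <-> 10.3.0.0/16 is installed at load
# time; no IKE_SA or CHILD_SA exists yet. The first packet matching the
# policy makes the kernel send an acquire to the daemon, which negotiates
# the IKE_SA (reusing it if one to this peer already exists) and the
# CHILD_SA, then installs the SAD entries. While negotiation is pending the
# matching packets are dropped, not forwarded in the clear.
conn net-ondemand
    leftsubnet=10.1.0.0/16
    rightsubnet=10.3.0.0/16
    auto=route
```

After loading, "ipsec statusall" lists net-ondemand under Routed Connections only, and "ip xfrm policy" shows its policy with no matching "ip xfrm state" entry until the first packet triggers the acquire. Once negotiated it also appears under Security Associations, just like net-explicit did from the start.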