Hi,

> Similarly I wish to apply to SCTP packets a cipher suite
> that supersedes the cipher suite to be applied to all other
> packets from the same IP@ (i.e. 10.5.0.1). Can this be done
> by strongSwan with the example below?

Yes. But SCTP traffic to 10.6.0.2 will use the to-HOST connection in
your example, the IP address match has more weight than the protocol
match.

> If yes, is this a standard (RFC) feature or strongSwan specific?

Creating a SCTP only tunnel is part of the standard. That it has a
higher priority than a tunnel for all protocols is strongSwan specific.

> Finally, what assumption can be done for priorities of policies
> installed by to-HOST relative to SCTP from the same example?

The priority calculation in the XFRM kernel interface works as follows:

> policy_info->priority -= policy->sel.prefixlen_s * 10;
> policy_info->priority -= policy->sel.proto ? 2 : 0;
> policy_info->priority -= policy->sel.sport_mask ? 1 : 0;

The prefix length of your subnet has most weight, protocol specific SAs
have more weight than port specific SAs.

Regards
Martin
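
Added example, not part of the original message and not strongSwan's own code: the three quoted subtractions applied to a few constructed selectors, showing why a /32 host policy outranks a protocol-specific subnet policy. `BASE_PRIO`, `struct selector`, `preferred()` and the `SAMPLE` table are assumptions made for illustration; the message does not give the starting priority value.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed starting value; the message quotes only the three subtractions. */
#define BASE_PRIO 2000

/* Hypothetical stand-in for the selector fields the quoted lines read. */
struct selector {
    uint8_t  prefixlen_s; /* source prefix length in bits */
    uint8_t  proto;       /* IP protocol number, 0 = any */
    uint16_t sport_mask;  /* source port mask, 0 = any port */
};

/* Apply the three quoted subtractions to the assumed base. */
static int policy_priority(const struct selector *sel)
{
    int prio = BASE_PRIO;
    prio -= sel->prefixlen_s * 10;
    prio -= sel->proto ? 2 : 0;
    prio -= sel->sport_mask ? 1 : 0;
    return prio;
}

/* Linux XFRM prefers the numerically lowest priority among the policies
 * that match a packet. Assumes every entry matches; returns the winner. */
static int preferred(const struct selector *sels, int n)
{
    int best = 0;
    for (int i = 1; i < n; i++)
        if (policy_priority(&sels[i]) < policy_priority(&sels[best]))
            best = i;
    return best;
}

/* Constructed selectors: 132 is the IANA protocol number for SCTP. */
static const struct selector SAMPLE[] = {
    { 24, 0,   0      }, /* /24, any protocol      -> 1760 */
    { 24, 0,   0xffff }, /* /24, port only         -> 1759 */
    { 24, 132, 0      }, /* /24, SCTP only         -> 1758 */
    { 32, 0,   0      }, /* /32 host, any protocol -> 1680 */
};

int main(void)
{
    for (int i = 0; i < 4; i++)
        printf("policy %d: priority %d\n", i, policy_priority(&SAMPLE[i]));
    printf("preferred: policy %d\n", preferred(SAMPLE, 4));
    return 0;
}
```

The eight extra prefix bits of the host policy are worth 80 points, against 2 for the protocol match, so a protocol-specific policy only takes precedence over an all-protocol one when both have the same prefix length.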
