Hi Tobias,

It's good to know that there is the installpolicy option. Even though I cannot use it, I can probably check out how it is implemented. There are other questions that remain, related to the kernel side. Here they are:

1) Is my assumption correct? Do I need the policies to control routing? I am talking about where there are multiple subnet values in the left|rightsubnet parameters so that packets can be routed through the tunnel.

2) About the kernel interface plugin, I could write my own, but I still need policies to be in the standard place so standard routing would work, if the assumptions in 1) are correct. So I may not need to write my own plugin, but rather just change the default kernel behavior by installing the policies and not SAs. The question then is what will happen to the packets (especially from the sending side)? Will the kernel try to encrypt them but not be able to find SAs? I am guessing I need to change the kernel to ignore SAs and send the packet on anyway?

Thanks,
Terry

On Wed, Sep 12, 2012 at 1:47 AM, Tobias Brunner <[email protected]> wrote:
> Hi Terry,
>
>> What's the best way
>> to turn off linux IPsec while still running strongswan? Is there a
>> switch somewhere, or maybe
>> just not adding SAs to the kernel? We still need the policies because
>> routing decisions still depend on them.
>
> There is an ipsec.conf option (installpolicy) to disable the
> installation of IPsec policies (used with MIPv6), but there is currently
> no option that prevents the installation of IPsec SAs.
>
> Of course, you could write your own kernel interface plugin (an
> implementation of the kernel_ipsec_t interface) which would handle the
> installation of SAs and policies just the way you require it. Have a
> look at the existing kernel plugins in libhydra.
>
> Regards,
> Tobias
