On Thu, Jul 23, 2015, 9:06 AM Tobias Brunner <[email protected]> wrote:
> > I insert policies using ip xfrm and want to use charon to establish SAs.
>
> For this to work you have to use constant reqids for your connections
> (via reqid setting - you'll have to use that reqid in your manually
> installed policies) and use auto=route so the config is loaded into the
> trap manager. Just using auto=route with installpolicy=yes (and automatic
> reqids) is way easier, though, if you don't have any special requirements
> that make manual installation of policies necessary.

If I use the same reqid in the policy inserted using ip xfrm this should work? Since I am using this in a dynamic environment it is necessary for me to add policies manually. So I will set installpolicy=no.

> > 1. Where can I then define the "default" section of ipsec.conf? Can
> > this be done using vici?
>
> No, complete connection definitions have to be loaded via VICI.

So variables such as 'keylifetime' need to be added for each conn. I assumed there may be a way to define some parameters such as 'rekey' margin for all connections.

> > 2. How can I enable vici if I used apt-get on Ubuntu to install
> > strongswan-ikev1?
>
> Ubuntu deploys some plugins in separate packages, however it doesn't look
> like vici (or swanctl for that matter) is packaged. So you have to build
> strongSwan from sources (or build your own package).

I will try this out. Thanks!

> Regards,
> Tobias

Regards,
Ahmad
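Added example, not part of the thread and not strongSwan's own code: a small helper that prints an ipsec.conf conn with a fixed reqid, installpolicy=no and auto=route, together with the `ip xfrm policy` commands that carry the same reqid, which is the pairing discussed above. The conn name, gateway addresses, subnets and reqid 100 are constructed values, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed values throughout: conn name, gateways, subnets and reqid 100.

# xfrm_policies LOCAL_GW REMOTE_GW LOCAL_NET REMOTE_NET REQID
# Prints the out/in/fwd policy commands for one tunnel; installs nothing.
xfrm_policies() {
    lgw=$1; rgw=$2; lnet=$3; rnet=$4; reqid=$5
    # A missing, non-numeric or zero reqid would not match the conn's reqid.
    case $reqid in
        ''|*[!0-9]*|0) echo "reqid must be a positive integer" >&2; return 1 ;;
    esac
    tmpl_out="tmpl src $lgw dst $rgw proto esp reqid $reqid mode tunnel"
    tmpl_in="tmpl src $rgw dst $lgw proto esp reqid $reqid mode tunnel"
    echo "ip xfrm policy add src $lnet dst $rnet dir out $tmpl_out"
    echo "ip xfrm policy add src $rnet dst $lnet dir in $tmpl_in"
    echo "ip xfrm policy add src $rnet dst $lnet dir fwd $tmpl_in"
}

# conn_section NAME LOCAL_GW REMOTE_GW LOCAL_NET REMOTE_NET REQID
# Prints the matching ipsec.conf conn. Authentication and lifetime settings
# are left out and have to be added per conn.
conn_section() {
    cat <<EOF
conn $1
    left=$2
    right=$3
    leftsubnet=$4
    rightsubnet=$5
    reqid=$6
    installpolicy=no
    auto=route
EOF
}

# Review the output before running the commands as root; afterwards
# `ip xfrm policy show` should list reqid 100 in every tmpl line.
conn_section dyn-net 192.0.2.1 198.51.100.1 10.1.0.0/16 10.2.0.0/16 100
xfrm_policies 192.0.2.1 198.51.100.1 10.1.0.0/16 10.2.0.0/16 100
```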
