Hi Noel,

Thank you for the quick response. Do you guys accept Pull Requests? I would like to add support for setting the installpolicy to VICI.

Ahmad

On Mon, Aug 3, 2015 at 5:28 PM, Noel Kuntze <[email protected]> wrote:
>
> Hello Mohammed,
>
> VICI does not seem to provide that function - among others -, unlike
> ipsec.conf.
> You will need to patch strongswan to make that option settable through VICI.
>
> Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 04.08.2015 at 02:27, Mohammad Ahmad wrote:
>> Hi,
>>
>> I am not able to figure out how to set installpolicy=false through the
>> vici plugin. There is no installpolicy variable in the child_data_t
>> struct in vici_config.c although there is an install policy variable in
>> the libcharon config.
>>
>> How can I set installpolicy=false? I want to add policies manually.
>>
>> Ahmad
>>
>> On Thu, Jul 23, 2015 at 3:08 PM, Mohammad Ahmad <[email protected]>
>> wrote:
>>> Thanks for the help! That solved the problem.
>>>
>>> Now I am moving on to using the vici plugin!
>>>
>>> On Thu, Jul 23, 2015 at 10:20 AM, Tobias Brunner <[email protected]>
>>> wrote:
>>>>> Since I am using this in a dynamic environment it is necessary for
>>>>> me to add policies manually.
>>>>
>>>> While a traffic selector based on the triggering packet is also sent to
>>>> the peer, this might not work that well. The daemon does not learn the
>>>> policies you install manually, so you probably still have to load them
>>>> using left|rightsubnet in auto=route configs. But you can add/remote
>>>> configs dynamically and use `ipsec update` to notify the daemon (this
>>>> also works with installpolicy=yes, of course - and similarly via VICI).
>>>>
>>>>> So variables such as 'keylifetime' need to be added for each conn. I
>>>>> assumed there may be a way to define some parameters such as 'rekey'
>>>>> margin for all connections.
>>>>
>>>> No, that has to be added for all connections (it's actually the same for
>>>> ipsec.conf, there the parser just "adds" the options in %default to all
>>>> other conn sections - the daemon always sees the complete config).
>>>>
>>>> Regards,
>>>> Tobias
>>>>
>> _______________________________________________
>> Users mailing list
>> [email protected]
>> https://lists.strongswan.org/mailman/listinfo/users
