<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hi again,</p>
<p>and charon.conf contains the following:</p>
<pre>root@s4:~# cat /etc/strongswan.d/charon.conf |egrep -v "#|^$"
charon {
close_ike_on_child_failure = yes
dlopen_use_rtld_now = yes
half_open_timeout = 10
inactivity_close_ike = yes
install_routes = no
install_virtual_ip = no
load_modular = yes
make_before_break = yes
retransmit_base = 1.8
retransmit_limit = 45
retransmit_timeout = 3
retransmit_tries = 3
retry_initiate_interval = 10
}
</pre>
<p>Despite retry_initiate_interval, the caller never tries to repeat the
connection after a NO_PROP failure.</p>
<p>Any ideas what I'm missing?</p>
<p>Thank you.</p>
<div class="moz-cite-prefix">On 15.04.2021 21:57, Volodymyr Litovka
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:3e2df00a-1a76-888e-345d-4214f44af4bc@funlab.cc">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<p>Hi colleagues,</p>
<p>is there a way to retry connect on receiving NO_PROPOSAL_CHOSEN
from the peer? At the moment, I have the following configuration
on the calling side -</p>
<pre>conn-defaults {
version = 2
proposals = aes256gcm16-prfsha384-ecp384
local_addrs = 10.1.3.14
encap = yes
fragmentation = yes
mobike = no
send_certreq = yes
send_cert = always
dpd_delay = 15s
rekey_time = 3h
unique = keep
keyingtries = 0
local {
auth = pubkey
id = fqdn:s4.v.zt
}
}
child-defaults {
ah_proposals =
esp_proposals = aes192gcm16-aes256gcm16-ecp256
local_ts = 0.0.0.0/0
remote_ts = 0.0.0.0/0
rekey_time = 1h
mode = tunnel
ipcomp = no
tfc_padding = 256
if_id_in = %unique
if_id_out = %unique
}
connections {
mg1-v-zt: conn-defaults {
remote_addrs = 10.1.0.10
remote {
auth = pubkey
id = fqdn:mg1.v.zt
}
vips = 0.0.0.0
children {
mg1-v-zt: child-defaults {
updown = /etc/swanctl/bin/xfrm-updown dynamic 25.0.0.25
start_action = start
dpd_action = restart
close_action = start
}
}
}
}
</pre>
<p>The responder side contains no information about the caller and
responds with the following:</p>
<pre>Apr 15 17:35:23 mg1 charon-systemd[14389]: received packet: from 10.1.3.14[500] to 10.1.0.10[500] (296 bytes)
Apr 15 17:35:23 mg1 charon-systemd[14389]: parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Apr 15 17:35:23 mg1 charon-systemd[14389]: no IKE config found for 10.1.0.10...10.1.3.14, sending NO_PROPOSAL_CHOSEN
Apr 15 17:35:23 mg1 charon-systemd[14389]: generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Apr 15 17:35:23 mg1 charon-systemd[14389]: sending packet: from 10.1.0.10[500] to 10.1.3.14[500] (36 bytes)
</pre>
<p>after which the caller stops:</p>
<pre>Apr 15 17:35:23 s4 charon-systemd[3306]: received packet: from 10.1.0.10[500] to 10.1.3.14[500] (36 bytes)
Apr 15 17:35:23 s4 charon-systemd[3306]: parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
Apr 15 17:35:23 s4 charon-systemd[3306]: received NO_PROPOSAL_CHOSEN notify error
... nothing more until restart strongswan ...
</pre>
<p>So the question is: how to make the calling side try forever,
regardless of what the remote side responds, or whether it responds at
all?</p>
<p>Thank you.</p>
<pre class="moz-signature" cols="72">--
Volodymyr Litovka
"Vision without Execution is Hallucination." -- Thomas Edison</pre>
</blockquote>
<pre class="moz-signature" cols="72">--
Volodymyr Litovka
"Vision without Execution is Hallucination." -- Thomas Edison</pre>
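<p>The symptom described in this thread (an initiator that logs "received NO_PROPOSAL_CHOSEN notify error" and then goes quiet) is easy to miss on a busy gateway. The script below is an added example, not code from the thread or from the strongSwan project: it reads charon-systemd journal lines in the format quoted above, attributes each NO_PROPOSAL_CHOSEN notify to the peer whose packet was just received, and reports whether that host sent anything further to the same peer (a retry) or stalled. It also flags the responder-side "no IKE config found" message, which is the misconfiguration that triggers the notify. The sample log is constructed for the example and modelled on the quoted lines; the second peer address 10.1.0.11 and the retry after 10 seconds are assumptions added to show the contrast.</p>

```python
import re

# Constructed sample log, modelled on the line format quoted in the thread.
# The 10.1.0.11 exchange (which retries) is an assumption added for contrast.
SAMPLE_LOG = """\
Apr 15 17:35:20 s4 charon-systemd[3306]: sending packet: from 10.1.3.14[500] to 10.1.0.11[500] (296 bytes)
Apr 15 17:35:20 s4 charon-systemd[3306]: received packet: from 10.1.0.11[500] to 10.1.3.14[500] (36 bytes)
Apr 15 17:35:20 s4 charon-systemd[3306]: parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
Apr 15 17:35:20 s4 charon-systemd[3306]: received NO_PROPOSAL_CHOSEN notify error
Apr 15 17:35:30 s4 charon-systemd[3306]: sending packet: from 10.1.3.14[500] to 10.1.0.11[500] (296 bytes)
Apr 15 17:35:23 mg1 charon-systemd[14389]: received packet: from 10.1.3.14[500] to 10.1.0.10[500] (296 bytes)
Apr 15 17:35:23 mg1 charon-systemd[14389]: no IKE config found for 10.1.0.10...10.1.3.14, sending NO_PROPOSAL_CHOSEN
Apr 15 17:35:23 mg1 charon-systemd[14389]: sending packet: from 10.1.0.10[500] to 10.1.3.14[500] (36 bytes)
Apr 15 17:35:23 s4 charon-systemd[3306]: sending packet: from 10.1.3.14[500] to 10.1.0.10[500] (296 bytes)
Apr 15 17:35:23 s4 charon-systemd[3306]: received packet: from 10.1.0.10[500] to 10.1.3.14[500] (36 bytes)
Apr 15 17:35:23 s4 charon-systemd[3306]: parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
Apr 15 17:35:23 s4 charon-systemd[3306]: received NO_PROPOSAL_CHOSEN notify error
"""

# syslog prefix: "Mon DD HH:MM:SS host charon-systemd[pid]: message"
SYSLOG_RE = re.compile(r"^[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d (\S+) charon(?:-systemd)?\[\d+\]: (.*)$")
PKT_RE = re.compile(r"^(received|sending) packet: from (\S+)\[\d+\] to (\S+)\[\d+\]")
NOCONF_RE = re.compile(r"^no IKE config found for (\S+?)\.\.\.(\S+?), sending NO_PROPOSAL_CHOSEN")
NOPROP_RE = re.compile(r"^received NO_PROPOSAL_CHOSEN notify error")


def parse_events(lines):
    """Reduce charon log lines to (host, kind, peer) tuples.

    kind is one of: 'sending', 'received', 'no_config', 'noprop'.
    For 'noprop' the peer is unknown at this point and filled in later.
    """
    events = []
    for line in lines:
        m = SYSLOG_RE.match(line.strip())
        if not m:
            continue
        host, msg = m.groups()
        p = PKT_RE.match(msg)
        if p:
            direction, src, dst = p.groups()
            # the peer is the remote end: source of a received packet, destination of a sent one
            events.append((host, direction, src if direction == "received" else dst))
            continue
        n = NOCONF_RE.match(msg)
        if n:
            _local, peer = n.groups()
            events.append((host, "no_config", peer))
            continue
        if NOPROP_RE.match(msg):
            events.append((host, "noprop", None))
    return events


def analyze(lines):
    """Return (host, peer, issue) findings for NO_PROPOSAL_CHOSEN events."""
    events = parse_events(lines)
    findings = []
    for i, (host, kind, peer) in enumerate(events):
        if kind == "no_config":
            findings.append((host, peer, "no IKE config for peer"))
        elif kind == "noprop":
            # attribute the notify to the most recent packet this host received
            peer = next((p for h, k, p in reversed(events[:i]) if h == host and k == "received"), None)
            # a later outbound packet to the same peer from this host counts as a retry
            retried = any(h == host and k == "sending" and p == peer for h, k, p in events[i + 1:])
            state = "retried" if retried else "stalled"
            findings.append((host, peer, f"{state} after NO_PROPOSAL_CHOSEN"))
    return findings


def stalled_peers(lines):
    """Sorted (host, peer) pairs whose initiation stopped after NO_PROPOSAL_CHOSEN."""
    return sorted((h, p) for h, p, issue in analyze(lines) if issue.startswith("stalled"))


if __name__ == "__main__":
    for host, peer, issue in analyze(SAMPLE_LOG.splitlines()):
        print(f"{host:4} {peer:12} {issue}")
```

<p>Fed with <code>journalctl -u strongswan --no-pager</code> output instead of the sample, the stalled list is what you would page on; the "no IKE config for peer" finding on the responder points at the actual fix, which in this thread is a missing connection entry on mg1 for 10.1.3.14 rather than any retry setting on the initiator.</p>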
</body>
</html>