[strongSwan-dev] [PATCH] Add support for left-/rightallowany to charon

Tobias Brunner tobias at strongswan.org
Wed Nov 30 13:46:55 CET 2011


Hi Mirko,

> Does that make sense?

It does, thanks for the nice example (I read the man page entry about
left|rightallowany but didn't really get it).

> Can it be done without code changes?

One option is probably to have two configs, one with right=%any and one
with right=host.dyndns.org (easy to do with also= or %default).  This
could result in duplicate SAs, if both start at the same time, but
charon recognizes this and will close one of them if uniqueids is set to
yes (the default).
It should also work with a single config, if you make one of your hosts
initiator and one responder.  The initiator is configured like you
already did:

>	auto=start
>	dpdaction=restart
>	keyingtries=%forever

And to recover from a clean shutdown by the responder you also have to
specify closeaction=restart, and to make that work properly add
reauth=no on the responder side (doesn't hurt if you do that on both
sides).  The uniqueids option could also be problematic with
closeaction=restart so you might have to set it to no on the responder.
If you think it takes too long for DPD to kick in if the responder
crashes or the delete gets lost, simply change the retransmission
behavior [1].

Regards,
Tobias

[1] http://wiki.strongswan.org/projects/1/wiki/Retransmission
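As an added illustration (not part of Tobias's mail or of the strongSwan sources), the two alternatives he describes sketched as ipsec.conf sections; the conn names, subnets, certificate and auto=add on the responder are assumptions.

```conf
# Added example, not from the mail.  The two options are alternatives;
# pick one, do not load both sets of conns at once.

config setup
        # Option 1 relies on the default (yes): if both conns come up at
        # the same time charon closes the duplicate SA.  With option 2,
        # uniqueids can get in the way of closeaction=restart, so the
        # responder may need uniqueids=no here.
        uniqueids=yes

conn %default
        keyexchange=ikev2
        leftcert=hostCert.pem          # assumption: certificate auth
        leftsubnet=10.1.0.0/16         # assumption
        rightsubnet=10.2.0.0/16        # assumption
        auto=start
        dpdaction=restart
        keyingtries=%forever

# --- Option 1: two conns, one accepting any peer and one aimed at the
# dynamic DNS name.  Both inherit the settings above via %default.
conn peer-any
        right=%any

conn peer-dyndns
        right=host.dyndns.org

# --- Option 2: one conn, with fixed roles on each side.
# Initiator host: dials out and, on a clean shutdown by the responder,
# re-establishes the tunnel thanks to closeaction=restart.
conn single-initiator
        right=host.dyndns.org
        closeaction=restart

# Responder host: waits for the initiator (auto=add is an assumption)
# and disables reauthentication so closeaction=restart on the
# initiator behaves; reauth=no on both sides would be harmless too.
conn single-responder
        right=%any
        auto=add
        reauth=no
```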
