[strongSwan-dev] Strongswan: 4.5.3: Notify Cookies for Half Open Tunnels

Martin Willi martin at strongswan.org
Wed Sep 25 09:49:41 CEST 2013


> I am getting the following warning/error message while trying to
> simulate the Half open tunnel scenrios.

> 15[NET] ignoring IKE_SA setup from, peer too aggressive

> Anyone help the reason for this message?

The peer at has too many IKE_SAs in half open state, i.e. is
simultaneously establishing IKE_SAs before it completed them. This limit
defaults to 5 SAs, and can be changed with the charon.block_threshold
strongswan.conf option.

If you are trying to trigger COOKIE messages, you'll have to send the
IKE_SA_INIT messages from many different source addresses: COOKIE
messages just verify the senders IP address. Once this has been done, a
second check verifies that a single (verified) IP address does not
initiate more than a certain number of connections at the same time.


More information about the Dev mailing list