[strongSwan-dev] Strongswan: 4.5.3: Notify Cookies for Half Open Tunnels
Martin Willi
martin at strongswan.org
Wed Sep 25 09:49:41 CEST 2013
Hi,
> I am getting the following warning/error message while trying to
> simulate the Half open tunnel scenarios.
> 15[NET] ignoring IKE_SA setup from 40.40.40.41, peer too aggressive
> Can anyone help with the reason for this message?
The peer at 40.40.40.41 has too many IKE_SAs in half open state, i.e. is
simultaneously establishing IKE_SAs before it completed them. This limit
defaults to 5 SAs, and can be changed with the charon.block_threshold
strongswan.conf option.
If you are trying to trigger COOKIE messages, you'll have to send the
IKE_SA_INIT messages from many different source addresses: COOKIE
messages just verify the sender's IP address. Once this has been done, a
second check verifies that a single (verified) IP address does not
initiate more than a certain number of connections at the same time.
Regards
Martin
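
An added example, not part of the message above and not strongSwan's code: a simplified Python model of the two checks described in the reply, showing why a single source address runs into the per-address block limit without ever being sent a COOKIE. The `Responder` class, the global cookie threshold value of 10, the order and comparison operators of the checks, and the 203.0.113.x addresses are assumptions made for the model.

```python
from collections import Counter

BLOCK_THRESHOLD = 5    # per-address limit; the default stated in the message
COOKIE_THRESHOLD = 10  # assumed value for the global half-open limit


class Responder:
    """Simplified model of the two checks; not strongSwan's implementation."""

    def __init__(self, cookie_threshold=COOKIE_THRESHOLD,
                 block_threshold=BLOCK_THRESHOLD):
        self.cookie_threshold = cookie_threshold
        self.block_threshold = block_threshold
        self.half_open = Counter()  # source IP -> half-open IKE_SAs

    def ike_sa_init(self, src, has_valid_cookie=False):
        # Check 1: under global load, ask the sender to prove it owns src.
        if (sum(self.half_open.values()) >= self.cookie_threshold
                and not has_valid_cookie):
            return "COOKIE"
        # Check 2: cap concurrent half-open SAs for one (verified) address.
        if self.half_open[src] >= self.block_threshold:
            return "BLOCK"  # the "peer too aggressive" case
        self.half_open[src] += 1
        return "ACCEPT"


def replay(sources, **thresholds):
    """Feed one cookie-less IKE_SA_INIT per source and tally the verdicts."""
    responder = Responder(**thresholds)
    return Counter(responder.ike_sa_init(src) for src in sources)


def single_source(n=20):
    # Same address as in the quoted log line.
    return replay(["40.40.40.41"] * n)


def many_sources(n=20):
    # Constructed addresses from the TEST-NET-3 documentation range.
    return replay([f"203.0.113.{i}" for i in range(1, n + 1)])


if __name__ == "__main__":
    print("single source:", dict(single_source()))
    print("many sources: ", dict(many_sources()))
```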