[strongSwan] strongswan seems to go mad after some time
martin at strongswan.org
Mon Oct 4 14:37:40 CEST 2010
> Because with NAT the sport can be different anyways (due to the NAT) and
> with non-NAT the port 500 seems to be configurable in strongswan.
The initiators source port might be any, as a NAT device might map port
500 and also port 4500 to different ports.
> Is the port 4500 also configurable?
There are the left/rightikeport options supported via the special
socket-dynamic plugin as initiator. But it is not recommended unless you
know exactly what you are doing. Port floating/non-ESP markers are not
really defined in IKEv2 with custom ports.
> rekey = yes is important, or otherwise my connections will be closed after
> the end of the key lifetime.
Rekeying establishes fresh keys for the IKE_SA. If you set rekey=no,
you'll use the same keys as long as the IKE_SA is alive.
> reauth = yes means just that if a rekey happens, than the authentication
> (e.g. via certificates) is also re-done.
> Mhh ok,.. yeah,.. perhaps with one exception, that one peer looses his
> credentials (the cert) completely, or it expires?!
> btw: is there some bug-tracker for strongswan, where one could hook up
> such issues in order to allow end users (like me) to some how trace these
> things better?
Our Redmine Wiki has an issue tracking system .
More information about the Users