[strongSwan] Strongswan 4.5.1 with sqlite database: update database and DPD

Andreas Steffen andreas.steffen at strongswan.org
Fri Mar 4 10:25:59 CET 2011


Hello Fabrice,

On 04.03.2011 08:43, CETIAD - Fabrice Barconnière wrote:
>>> In the past usually two IKE_SAs and corresponding CHILD_SAs were
>>> established and maintained over all subsequent rekeyings. This is
>>> not harmful per se but creates twice the number of tunnels. I have
>>> to check if the INITIAL_CONTACT notification introduced with
>>> strongSwan 4.5.1 has changed this behaviour.
>>>
>> This is indeed the case. With 4.5.1 you get:
>>
>> Mar  3 22:13:18 moon charon:
>>   03[IKE] deleting duplicate IKE_SA for peer 'sun.strongswan.org' due to
>> uniqueness policy
>> 03[IKE] deleting IKE_SA net-net[1] between
>> 192.168.0.1[moon.strongswan.org]...192.168.0.2[sun.strongswan.org]
>>
> So it's better to keep 0 on one side and 2 on the other and, when
> restarting ipsec or rebooting, execute "ipsec up" for each peer_configs
> on the gateway where start_action=0.

No, what I wanted to say is that you can set start_action=2 on both sides
because duplicate tunnels now get deleted with strongSwan 4.5.1.

Regards

Andreas

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
