[strongSwan] Configuration Payload for IP Address Assignment Error Cases

Martin Willi martin at strongswan.org
Wed Jun 27 09:53:42 CEST 2012

> does strongSwan keep trying to start the connection?  Or is some manual
> intervention required?  We have auto=start, dpdaction=restart,
> keyingtries=%forever, rekey=yes, if that matters...

No, this is considered as a permanent error, and no retries are done.

> I assume before your patch, the up/down script would be called with


> and I wonder what else would happen? Would there be an IPSEC SA
> created?

If your responder returns all the required payloads (SA, TSi, TSr), and
the traffic selectors match to, yes.

> Sorry, I don't follow what you mean by "the physical IP (or something
> that contains it)".  I don't understand what IP could be used or
> assumed, if the SeGW can not fulfill the client's request for an IP
> address assignment.

The client uses the tunnel outer address, the address the client uses to
communicate in IKE. As in a Host2Host or Host2Net tunnel.


More information about the Users mailing list