[strongSwan] Charon stops processing after receiving "no proposal chosen" notification

Martin Willi martin at strongswan.org
Wed Apr 24 13:08:09 CEST 2013


Hi Joern,

> charon stops processing and will never try to setup the tunnel even if
> there is traffic of it

Yes, charon considers this as a permanent error and cancels the
connection attempt. There is currently no option to change that.

> pluto tries to reestablish the tunnel as long there is traffic to be
> forwarded

If no plain traffic should pass, I recommend using a trap policy by
setting auto=route on your connection. The kernel will then periodically
trigger the establishment of the tunnel when it sees traffic, and charon
should retry to establish the tunnel.

The number of acquires sent by the kernel is limited by the timeout
defined in /proc/sys/net/core/xfrm_acq_expires, which we set to 165s in
[1]. This is the default retransmission timeout in charon to avoid
multiple acquires while the connection is establishing. If that is not
fast enough, you may try to lower that value.

Regards
Martin

[1] http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c;h=9b4ade53;hb=HEAD#l2653
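As an added illustration, not taken from Martin's reply or from the strongSwan project, here is an ipsec.conf connection that uses the trap policy described above; the connection name, addresses and subnets are constructed, and the sysctl value in the trailing comment is only an example of lowering the acquire interval:

```conf
# Added example with constructed names and addresses, not from the original post.
#
# With auto=start (or auto=add plus a manual "ipsec up"), charon treats a
# NO_PROPOSAL_CHOSEN notification as a permanent error and abandons the
# attempt; nothing brings the tunnel back when traffic appears.
#
# With auto=route, charon installs only the IPsec policy (a "trap") at
# startup. Each time matching plaintext traffic hits the policy, the kernel
# sends an acquire and charon starts a fresh IKE negotiation, so a peer
# that was misconfigured earlier gets retried once it is fixed.
conn site-to-site
    # constructed: local gateway and protected network
    left=192.0.2.1
    leftsubnet=10.1.0.0/16
    # constructed: remote gateway and protected network
    right=198.51.100.1
    rightsubnet=10.2.0.0/16
    # trap policy instead of auto=start; traffic never leaves in the clear,
    # it is held or dropped until the SA exists
    auto=route

# The kernel repeats acquires no faster than the interval in
# /proc/sys/net/core/xfrm_acq_expires (165 s when set by charon, matching
# its default retransmission timeout). To retry sooner, lower it after
# charon has started, e.g. via sysctl (example value, constructed):
#   net.core.xfrm_acq_expires = 30
# "ip xfrm policy" shows the trap policy present before any SA is negotiated.
```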