[strongSwan] Re: some problems with strongswan4.6.4

梅香 747201427 at qq.com
Tue Feb 19 03:09:47 CET 2013


Hi,
First of all, thank you very much for your reply. I still have a question.
> I want to make sure whether the half open IKE_SA exceeding limit will
> lead to xfrm policy appear such “action block” information?
> No, it is unrelated to this message
You said it is unrelated to this message, but I am still confused about what causes such “action block” information. Can you give me some examples?
Best Regards
Anne
------------------ Original message ------------------
From: "Martin Willi"<martin at strongswan.org>
Sent: Thursday, January 24, 2013, 5:38 PM
To: "梅香"<747201427 at qq.com>;
Cc: "users"<users at lists.strongswan.org>;
Subject: Re: [strongSwan] some problems with strongswan4.6.4


Hi,

> there is abnormal printing in the message, just like: ignoring IKE_SA
> setup from 10.0.30.74, half open IKE_SA count of 2503 exceeds limit of
> 1000

There is nothing abnormal in this log message. Seems you have configured
"init_limit_half_open = 1000". But as more than 2000 IKE_SAs are in
half-open state, the daemon is considered overloaded and rejects new
connection attempts.

> I want to make sure whether the half open IKE_SA exceeding limit will
> lead to xfrm policy appear such “action block” information?

No, it is unrelated to this message.

> I established 10000 ipsec tunnels using an instrument, then
> I stopped the instrument and many delete messages were found; at last I
> restarted ipsec and then found that the xfrm modules still have many SA
> and SP. I wonder whether this is normal?

During shutdown, charon sends a delete for any active IKE_SA. If you
have many IKE_SAs active, not all delete messages might make it to your
peer, leaving some of them established. If the daemon shuts down
properly, it should clean up all locally installed SAD/SPD entries,
though.

Regards
Martin
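
As an added example (not part of the thread and not strongSwan code), here is one way to tally the rejection message quoted above per source address, so an operator can see which peers were turned away while the half-open limit was exceeded. The syslog prefix, the host name `gw`, and every sample line other than the quoted message text are constructed.

```python
import re
from collections import defaultdict

# Message text as quoted in the thread; everything before it on a log line
# (timestamp, host, daemon name) is an assumption about the local log format.
PATTERN = re.compile(
    r"ignoring IKE_SA setup from (?P<src>[0-9a-fA-F.:]+), "
    r"half open IKE_SA count of (?P<count>\d+) exceeds limit of (?P<limit>\d+)"
)

# Constructed sample log lines (only the first message body comes from the thread).
SAMPLE_LOG = """\
Jan 24 10:01:02 gw charon: ignoring IKE_SA setup from 10.0.30.74, half open IKE_SA count of 2503 exceeds limit of 1000
Jan 24 10:01:02 gw charon: ignoring IKE_SA setup from 10.0.30.74, half open IKE_SA count of 2610 exceeds limit of 1000
Jan 24 10:01:03 gw charon: ignoring IKE_SA setup from 10.0.30.75, half open IKE_SA count of 2611 exceeds limit of 1000
Jan 24 10:01:03 gw charon: received packet: from 10.0.30.76[500] to 10.0.0.1[500]
"""


def summarize_rejections(lines):
    """Return {source: {rejected, peak_half_open, limit}} for rejected setups."""
    per_source = defaultdict(
        lambda: {"rejected": 0, "peak_half_open": 0, "limit": None}
    )
    for line in lines:
        m = PATTERN.search(line)
        if not m:
            continue  # unrelated log line
        entry = per_source[m["src"]]
        entry["rejected"] += 1
        entry["peak_half_open"] = max(entry["peak_half_open"], int(m["count"]))
        entry["limit"] = int(m["limit"])  # limit reported by the daemon
    return dict(per_source)


def report(summary):
    """Format the summary, most-rejected source first."""
    rows = sorted(summary.items(), key=lambda kv: kv[1]["rejected"], reverse=True)
    return [
        f"{src}: {s['rejected']} rejected, "
        f"peak half-open {s['peak_half_open']} (limit {s['limit']})"
        for src, s in rows
    ]


if __name__ == "__main__":
    for row in report(summarize_rejections(SAMPLE_LOG.splitlines())):
        print(row)
```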
