[strongSwan] Problem with 'auto=start' on unused SA
Martin Willi
martin at strongswan.org
Wed Jul 30 18:07:19 CEST 2014
Hi,
> rekeymargin=1s
At least for productive setups, you definitely should avoid such short
margins. Not unlikely that rekeying does not complete within that
second. The kernel then triggers a delete before the SA has been
rekeyed.
> If I send some traffic in order to trigger the SP, I get a SADB_ACQUIRE
> message from the kernel but strongswan complains there is no trap set.
>
> This sounds like a bug, I mean 'start' would imply 'route'. But maybe I
> missed something?
No, "start" does not imply "route". It just negotiates the tunnel, but
removes any IPsec policy if it is closed. Only with "route" you'll get
persistent trap policies.
Unfortunately, there is no "start+route", hence you'll have to stick
with "route". That does not trigger the tunnel immediately if there is
no traffic, but this is usually not a problem. If you instantly need
that tunnel, you'll have to trigger it manually, for example with "ipsec
up" or by generating matching traffic.
Regards
Martin
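To make the two points above concrete, here is an added ipsec.conf fragment (not from Martin's reply or from the strongSwan project) that places the setup being asked about next to the configuration Martin recommends. Connection names, addresses and subnets are placeholders, and the section shares its peer settings through `also=` so only the differing parameters stand out.

```ini
# Added example: settings common to both variants. Addresses and subnets
# are placeholders chosen for illustration.
conn common-peer
    keyexchange=ikev2
    left=192.0.2.1
    leftsubnet=10.1.0.0/16
    right=198.51.100.1
    rightsubnet=10.2.0.0/16
    authby=psk

# The configuration from the question: the tunnel is brought up at start,
# but once it is closed no IPsec policy remains, so later traffic yields a
# SADB_ACQUIRE that no trap policy can answer. A one-second rekey margin
# also risks the kernel deleting the SA before the rekeying finishes.
conn net-start
    also=common-peer
    auto=start
    rekeymargin=1s

# The recommended variant: "route" installs persistent trap policies, so
# matching traffic triggers (re)negotiation on demand. The rekey margin is
# left at a value that gives the IKE exchange time to complete; if the
# tunnel is needed right away, bring it up explicitly once with
#   ipsec up net-route
conn net-route
    also=common-peer
    auto=route
    rekeymargin=3m
    lifetime=1h
```

With `auto=route`, `ipsec statusall` lists the connection as routed rather than established until traffic (or a manual `ipsec up`) causes the CHILD_SA to be negotiated; after the SA is deleted, the trap policy stays in place and the next matching packet re-triggers it.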