[strongSwan] Lots of reconnections for a rekey/reauth, and packet drops
Hoggins!
hoggins at radiom.fr
Fri Dec 1 10:50:47 CET 2017
Hello Tobias,
On 30/11/2017 at 18:16, Tobias Brunner wrote:
> Hi,
>
> Combining reauthentication with closeaction=restart is a bad idea. Note
> that reauth=no does not disable reauthentication if the other peer has
> reauth=yes configured, see [1].
Yes, I removed the reauth=no option. It had been kept here because it
was a "good" option to avoid packet losses when reauthenticating, but
then we discovered the "make_before_break" that had seemed to solve our
problems.
And reading the "closeaction" documentation shows that adding it to our
configuration was not our smartest move: I guess that our client tried
to restart the connection when it received a legit CLOSE action, as it's
the normal behavior when renewing, but then there were two parallel
attempts, which is not a good thing and might have caused our problem.
I just applied these new settings and restarted strongSwan; I'll keep
you posted.
Thanks!
>
> Regards,
> Tobias
>
> [1]
> https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey#IKEv2-Responder-Behavior
>
>