[strongSwan] vici/python interface errors
Tobias Brunner
tobias at strongswan.org
Tue Dec 3 12:39:21 CET 2019
Hi Volodymyr,
> thanks a lot, it works. It worth to say, that timeout must be set to
> reasonable value to allow Strongswan to finish the task. If set to -1 or
> few milliseconds, it returns failure as well :)
If you are referring to the returned error "terminating SA failed",
that's because with -1 (or a short timeout) the code doesn't wait until
the termination is fully completed (a regular termination causes DELETEs
to be sent and until the peer either replies, or there is a timeout
after several retransmits, it is not complete). So you get that error
because VICI doesn't know if the SA was actually terminated. The
termination is still initiated unless you receive the error "no matching
SAs to terminate found", it just happens in the background.
If you don't want to wait and send retransmits for DELETEs, use the
"force" option, optionally combined with a timeout, so the code waits
for a reply to the DELETEs for a while and then destroys the SA even if
none was received.
Regards,
Tobias
More information about the Users
mailing list